Manage root certificate configurations

For administrators, signed up for Chrome Enterprise Core, who manage Chrome policies from the Google Admin console.

As an admin, you can use the Google Admin console to add and manage your organization’s private root certificates in the Chrome Root Store. The Chrome Root Store contains the set of certificates that Chrome browser trusts by default. This helps you to ensure seamless and secure access to internal sites for your users.

Before you begin

Add a configuration

You must be a super admin to add new configurations. For details about the super admin role, see Pre-built administrator roles

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to  Menu and then Devices > Chrome > Connectors.
  3. (Optional) If you’re configuring Chrome Enterprise connectors settings for the first time, follow the prompts to turn on Chrome Enterprise Connectors.
  4. At the top, click + New provider configuration.
  5. In the Set up a provider panel that opens on the right, find Chrome Root Store.
  6. Click Set up.
  7. Enter the configuration name.
  8. Click Add certificate. Enter configuration details:
    1. Name—Enter a name for the certificate.
    2. File—Click Upload and select the PEM file you want to add.
    3. Type—Specify the type of certificate:
      • Root—The certificate should be trusted.
      • Hint—The certificate can be used during path building but is not inherently trusted unless it chains to a known root.
      • Distrust—The certificate should not be trusted.
    4. Constraints—To constrain a certificate's validity to a set of IP blocks or domains, enter DNS names or IP blocks in CIDR notation. One entry per line.
  9. Click Add certificate.
  10. Click Add configuration.

After you add a new configuration, it's listed under Chrome Root Store on the Connectors page. You can see the configurations that you added and the number of organizational units where it’s connected.

Configurations are added for your entire organization. You can use them, as needed, in any organizational unit.

  1. From the Admin console Home page, go to Chrome browserand thenConnectors.
  2. Select a child organizational unit.
  3. For Certificate connectors, under Chrome Root Store, select the configuration that you want to use.
  4. Click Save.

Manage configurations

View or edit a configuration

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to  Menu and then Devices > Chrome > Connectors.
  3. For the configuration that you want to change, click Details.
  4. To edit configuration details:
    1. In the Provider configuration section, click Edit.
    2. Update the configuration name.
    3. Click Save configuration.
  5. To view configuration details, under Certificates, details for all certificates are listed. 10 certificates are listed per page.

Add a certificate to an existing configuration

Note: 50 is the maximum number of certificates allowed.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to  Menu and then Devices > Chrome > Connectors.
  3. On the left, make sure that All browsers & devices is selected.
  4. Find the configuration that you want to add a certificate to.
  5. Click Details.
  6. Under Provider configuration, click Edit.
  7. Click Add certificate and enter details.
  8. Click Add certificate.
  9. Click Save configuration.

Remove configurations

Remove all root certificate configurations

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to  Menu and then Devices > Chrome > Connectors.
  3. Find the root certificate that you want to remove all configurations for.
  4. On the far right, click and thenDelete all configurations.
  5. Click Delete to confirm.

Remove a specific configuration

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to  Menu and then Devices > Chrome > Connectors.
  3. Find the root certificate configuration you want to remove.
  4. On the far right, click and thenDelete.
  5. Click Delete to confirm.

Verify the root certificate configuration

  1. On a managed device, browse to chrome://certificate-manager.
  2. On the Local certificates page, you can view admin-installed custom local certificates.

Related topics

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
true
Search
Clear search
Close search
Main menu
7655262280120120089
true
Search Help Center
true
true
true
true
true
410864
false
false
false
false