Self-signed CA (SHA-256) won't be loaded on chrome://certificate-manager from Admin Console
Issue description

Version of Google Chrome (Wrench-> About Google Chrome): 57.0.2987.123

- Issue description
Customer created a self-signed cert using SHA256 algorithm and uploaded it on Admin Console > Device management > Network > Certificate with checked HTTPS CA. They confirmed chrome://policy loaded it as a user policy, but it doesn't appear in chrome://certificate-manager > Authorities tab.

- Troubleshoot already taken
[Cert]
Confirmed the format is PEM and LF.
Confirmed the cert is valid from Feb 2017 to Feb 2018.
Confirmed the Signature Algorithm is "sha256WithRSAEncryption".
Confirmed the issuer and subject are the same. (Self-signed)
Confirmed the "X509v3 Basic Constraints" field is "CA:TRUE".
[Admin Console]
Confirmed the cert has been uploaded on the OU which the affected user belongs to.
Confirmed "Restricted to:Chromebooks, Mobile devices".
Confirmed "Use this certificate as an HTTPS certificate authority." is checked.
[Chrome device]
chrome://policy > OpenNetworkConfiguration loaded the cert successfully.
The cert is not applied to chrome://certificate-manager.

- Expected Behavior
Chrome device loads the self-signed CA which is distributed from Admin Console as intended.

- Actual Behavior
Chrome device doesn't load the self-signed CA, even though chrome://policy loaded it.

- Logs/Screenshots
Cert file (.pem): https://drive.google.com/a/google.com/file/d/0B8hJbBKk0-c4NmtFOWtQWElSeW8/view?usp=sharing
Decoded cert file (.pem): https://drive.google.com/a/google.com/file/d/0B8hJbBKk0-c4SmU1QzhjcngwWTg/view?usp=sharing
chrome://policy: https://drive.google.com/a/google.com/file/d/0B8hJbBKk0-c4bW9FMnVkSnF6a28/view?usp=sharing
Screenshot of Admin Console > Device mgmt > Network > Certificates: https://drive.google.com/a/google.com/file/d/0B8hJbBKk0-c4MU9rUWhDVUJoRlU/view?usp=sharing
Mar 30 2017
Repro steps:
1. Download the cert: https://drive.google.com/a/google.com/file/d/0B8hJbBKk0-c4NmtFOWtQWElSeW8/view?usp=sharing
2. Open Admin Console, navigate to Device mgmt > Network > Certificates
3. Select the root OU (so that it will apply to every user)
4. Click "Add Certificate", and then upload the cert.
5. Check "Use this certificate as an HTTPS certificate authority."
6. Click "Save"
7. Enroll a Chrome device to the domain.
8. Login as a domain user.
9. Access 'chrome://certificate-manager', and select 'Authority' tab.
10. The cert won't appear in the Authority section.
Mar 30 2017
dskaram: Could you route this appropriately? I don't think us Internals>Network>Certificate folks know anything about this feature / interaction.
Apr 5 2017
Looks like we are having this issue too, v58 beta. Trying to find a device on an earlier version to verify.
Apr 5 2017
Apr 18 2017
+maxkirsch@ can we route this appropriately?
Apr 18 2017
atwilson@ do you know who could help debug this?
Apr 19 2017
One question - can they directly import the certificate into the user session without using policy and have it show up in chrome://certificates? That will at least confirm that the cert is well-formed.
Apr 19 2017
Note to self: Displaying policy-pushed certs in certificate manager was introduced in bug 235838.
Apr 19 2017
soushi@, have you actually managed to reproduce this? (Ctrl+F search for WebFilter on the chrome://certificate-manager page gives no results when this policy is active and an affiliated user logged in?)
Apr 25 2017
Tested on m57 (stable) and m58 (beta) using peppy, and m57 (stable) using samus device. I confirmed the policy has been successfully loaded and shown in the authority tab (both manual import and auto-import from policy are okay). I actually was looking for 'WebFilter' as the organization name, but as this certificate's OU name is 'organization' (I thought it is 'WebFilter'), I'm not sure that WebFilter was loaded at the 1st point. Sorry about that. It won't happen again. I marked as 'WontFix' as I believe the issue has gone. Thank you for the investigation.
Apr 25 2017
Yes, the same thing tricked me once too, there are so many certs in there that it's difficult to spot new entries if you're not looking for exactly that string. That's why I switched to Ctrl+F :-) Thanks for re-testing.
Comment 1 by soushi@chromium.org, Mar 30 2017