Certificate Auto-Enrollment/Renewal for System/Device-Wide Certificates
Issue description

Description: Auto-enrollment/renewal is a certificate enrollment method that allows clients to seamlessly enroll for certificates and to perform other handy functions, including deleting revoked certificates and downloading root certificates from Active Directory. It is best practice to enable auto-enrollment at the domain parent level, rather than on specific OUs, and to manage permissions using the certificate templates' access control lists. Auto-enrollment is triggered when a user logs on, when a machine is powered on, or every 8 hours when Group Policy is refreshed. It should also be possible to manually trigger a policy fetch via chrome://policy >> Reload Policy.

Use case: Intent to use system/device-wide certificates in the login process (see: https://bugs.chromium.org/p/chromium/issues/detail?id=723849). The certificate HAS to be a system-wide certificate, as the user certificate store is not available until the user logs in. Deploying individual user certificates system-wide would give other users the ability to use that certificate, which is not secure. The proposed plan IS to white-glove the enterprise enrollment at the OEM, so that the system is enterprise-enrolled, and then to assign a system-wide certificate from a service account. This certificate would be good for nothing other than Wi-Fi at the login screen (before the user has an account) and the login/certificate flow. That service account certificate would have no other permissions in back-end systems.

Motivation: Meeting the enterprise requirements of current customers who leverage this exact feature on MSFT's ADCS (see here: https://blogs.technet.microsoft.com/meamcs/2010/12/01/auto-enrollment-avoid-the-challenges-of-making-end-users-manage-their-certificates).

Existing workarounds: Security requirements force system-wide certs to expire after 12 months. The only method to renew certificates requires physically accessing the device with a service account to provision and onboard a system-wide cert. Ideally this service account could be entered into the Google Admin Console, whereby a policy provides certificate auto-enrollment/renewal.
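The report above compares the requested Chrome OS behaviour with what ADCS auto-enrollment already does for Windows machine certificates. As an added illustration that is not part of the bug report or of any Chromium or Microsoft code, the following PowerShell script shows the check a practitioner runs on the Windows side of that comparison: it audits the machine-wide store (the certificates available before any user logs on) for certificates approaching the 12-month expiry the reporter mentions, reads the machine auto-enrollment policy state, and optionally fires the same auto-enrollment event that logon, boot and the 8-hour Group Policy refresh trigger. The 30-day threshold, the `-Pulse` switch and the requirement to run elevated on a domain-joined host are assumptions of this example.

```powershell
# Added example, not from the bug report: audit Cert:\LocalMachine\My for certificates
# that expire within a threshold and optionally trigger an autoenrollment pulse so ADCS
# renewal runs now instead of at the next logon, boot or 8-hour Group Policy refresh.
# Assumptions: elevated PowerShell on a domain-joined Windows host; the 30-day default
# and the -Pulse switch are illustrative choices for this example.
[CmdletBinding()]
param(
    [int]$DaysUntilExpiry = 30,
    [switch]$Pulse
)

$now    = Get-Date
$cutoff = $now.AddDays($DaysUntilExpiry)

# ADCS records the issuing template in one of two extensions: v2+ templates use the
# Certificate Template Information OID, v1 templates use Certificate Template Name.
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

# System/device-wide certificates live in the LocalMachine\My store; these are the ones
# usable before a user logs on, e.g. for Wi-Fi at the login screen.
$expiring = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -le $cutoff } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } },
        @{ Name = 'Template'; Expression = {
            $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                   Select-Object -First 1
            if ($ext) { $ext.Format($false) } else { '(not template-issued)' }
        } }

if (-not $expiring) {
    Write-Host "No machine certificates with a private key expire within $DaysUntilExpiry days."
    return
}

$expiring | Sort-Object NotAfter | Format-Table -AutoSize

# The machine autoenrollment state set by the 'Certificate Services Client - Auto-Enrollment'
# GPO is mirrored in the AEPolicy DWORD; the 0x8000 bit is that policy's 'Disabled' value.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning 'Machine autoenrollment policy is not configured; a pulse will not renew anything.'
} elseif ($aePolicy -band 0x8000) {
    Write-Warning 'Machine autoenrollment is disabled by policy (AEPolicy has the 0x8000 bit set).'
}

if ($Pulse) {
    # certutil -pulse raises the autoenrollment event immediately; in an elevated session
    # this covers the machine context, which is what renews system-wide certificates.
    certutil -pulse | Out-Null
    Write-Host 'Autoenrollment pulse sent; check the Application log for CertificateServicesClient-AutoEnrollment events.'
}
```

Run it without `-Pulse` first to see what would be renewed; the template column tells you which ADCS template's ACL governs the renewal, which is the permission model the report describes for controlling who may auto-enroll.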
Dec 12 2017
Jan 16 2018
Comment 1 by pmarko@chromium.org, Oct 18 2017