This page describes how to enable certificate-based access (CBA) with your enterprise certificates.
An important requirement of the zero trust access model is to only allow access to authorized devices. BeyondCorp Enterprise CBA uses certificates and their private keys stored in a secure keystore on the device to determine whether the device is authorized. To enable this feature, complete the following procedures.
Before you begin
Ensure that you have created CBA access levels for your Google Cloud project. If you need to create access levels, see Create access levels for certificate-based access.
Ensure that you enforce CBA on your Google Cloud resources using one of the following methods:
Enforce certificate-based access with VPC Service Controls: Configure rules around data.
Enforce certificate-based access with user groups: Configure rules around users.
When you enforce CBA on your Google Cloud resources, accessing your Google Cloud resources requires an authorized user to also present a valid device certificate.
Upload the trust anchors
To allow BeyondCorp Enterprise to collect and validate the enterprise certificate of a device, you must upload the trust anchors that are used to issue the device certificate. The trust anchors are the self-signed root CA certificate and the relevant intermediate and subordinate certificates. To upload the trust anchors, complete the following steps:
In the Google Admin console, go to Devices > Networks > Certificates, and then select the organizational unit for which to upload the trust anchors. Ensure that the organizational unit you select contains the users to which you want to grant access.
Select Add Certificate, and then enter a name for your root certificate.
Click Upload to upload the certificate.
Select Enable the Endpoint Verification, and then click Add.
The certificate to be uploaded should be the CA certificate, which is the issuer of the client certificates installed on your corporate devices. If your company does not yet have a CA certificate and the corresponding client certificates, you can create them through the Google Cloud Certificate Authority Service. The steps to install client certificates into native keystores is different for each operating system and is outside of the scope of this document.
Configure users' Chrome browser to use your enterprise certificate
Follow the instructions at Set Up Endpoint Verification to install the Endpoint Verification extension for Chrome for all users in your organization. This extension is used to sync certificate metadata to Google Cloud's backend.
After you set up the browser extension, configure the AutoSelectCertificateForURLs Chrome policy to
allow Endpoint Verification to search for the device certificate and collect it through Chrome.
Ensure that the users' Chrome browser is managed by Chrome Browser Cloud Management:
In the Admin console, add the
AutoSelectCertificateForUrlspolicy:Go to Devices > Chrome > Settings > User & Browser Settings > Client certificates.
Select the appropriate organizational unit.
Add a policy.
The following example adds the
AutoSelectCertificateForUrlspolicy:{"pattern":"https://[*.]clients6.google.com","filter":{"ISSUER":{"CN":<CERT_ISSUER>}}} {"pattern":"https://console-secure.cloud.google.com","filter":{"ISSUER":{"CN":<CERT_ISSUER>}}} {"pattern":"https://storage.mtls.cloud.google.com","filter":{"ISSUER":{"CN":<CERT_ISSUER>}}}In the example,
CERT_ISSUERis the common name of your CA certificate.
After this configuration, users can access protected Google Cloud resources
with the Chrome browser at console-secure.cloud.google.com.
Verify policy configuration (optional)
In the Chrome browser, enter
chrome://policy.Verify that
AutoSelectCertificateForUrlsis listed under Chrome Policies.Verify that the value for Applies to is Machine. On the Chrome operating system, the value for Applies to is Current User.
Ensure that the Status for the policy does not have a Conflict. If the status does have a conflict, see Understand Chrome policy management for information.
Configure command-line tools to use your enterprise certificate
If users in your organization need to access Google Cloud resources from the command line, they must complete the following procedures to enable CBA with your enterprise certificate in their command-line tools.
The following command-line tools are supported:
Google Cloud CLI
Terraform CLI (gcloud CLI is still needed to install and configure helper components.)
Because the device certificates are stored in native keystores, the Google Cloud CLI is bundled with an open source component called Enterprise Certificate Proxy (ECP) to interact with key management APIs.
If you're using a Windows system, you must have the Visual Studio C++ runtime library installed.
The following operating systems and their respective native keystores are supported:
macOS with Keychain
Microsoft Windows with CryptoAPI
Linux with PKCS #11
ECP must be configured with the necessary metadata information to locate the certificate in the keystores.
Install and configure ECP with the Google Cloud CLI
Install the Google Cloud CLI and enable CBA. Install with the
bundled pythonoption enabled.For macOS and Linux, run the
install.shscript after downloading it:$ ./google-cloud-sdk/install.shInstall the ECP helper component with the Google Cloud CLI:
gcloud components install enterprise-certificate-proxyInitialize ECP certificate configuration with the Google Cloud CLI:
Linux
$ gcloud auth enterprise-certificate-config create linux
--label=<CERT_LABEL> --module=<PKCS11_MODULE_PATH> --slot=<SLOT_ID>
Example:
$ gcloud auth enterprise-certificate-config create linux
--label="Google Endpoint Verification" --module=/usr/lib/x86_64-linux-gnu/pkcs11/libcredentialkit_pkcs11.so.0 --slot=0x1234567
macOS
$ gcloud auth enterprise-certificate-config create macos
--issuer=<CERT_ISSUER>
Example:
$ gcloud auth enterprise-certificate-config create macos
--issuer="Google Endpoint Verification"
Windows
$ gcloud auth enterprise-certificate-config create windows
--issuer=<CERT_ISSUER> --provider=<PROVIDER> --store=<STORE>
Example:
$ gcloud auth enterprise-certificate-config create windows
--issuer="Google Endpoint Verification" --provider=current_user --store=MY
The ECP configuration can also be manually configured. It is stored as a JSON file at the following location on the user's device:
Linux and macOS:
~/.config/gcloud/certificate_config.jsonWindows:
%APPDATA%\gcloud\certificate_config.json
See the ECP documentation on GitHub for additional examples of the configuration and schema.
Linux
{
"cert_configs": {
"pkcs11": {
"label": "<CERT_LABEL>",
"slot": "<SLOT_ID>",
"module": "<PKCS11_MODULE_PATH>"
}
},
"libs": {
"ecp": "/usr/lib/google-cloud-sdk/bin/ecp",
"ecp_client": "/usr/lib/google-cloud-sdk/platform/enterprise_cert/libecp.so",
"tls_offload": "/usr/lib/google-cloud-sdk/platform/enterprise_cert/libtls_offload.so"
}
}
macOS
{
"cert_configs": {
"macos_keychain": {
"issuer": "<CERT_ISSUER>"
}
},
"libs": {
"ecp": "<YOUR_GCLOUD_INSTALL_PATH>/google-cloud-sdk/bin/ecp",
"ecp_client": "<YOUR_GCLOUD_INSTALL_PATH>/google-cloud-sdk/platform/enterprise_cert/libecp.dylib",
"tls_offload": "<YOUR_GCLOUD_INSTALL_PATH>/google-cloud-sdk/platform/enterprise_cert/libtls_offload.dylib"
}
}
Windows
{
"cert_configs": {
"windows_store": {
"store": "MY",
"provider": "current_user",
"issuer": "<CERT_ISSUER>"
}
},
"libs": {
"ecp": "C:/Users/<USERNAME>/AppData/Local/Google/Cloud SDK/google-cloud-sdk/bin/ecp.exe",
"ecp_client": "C:/Users/<USERNAME>/AppData/Local/Google/Cloud SDK/google-cloud-sdk/platform/enterprise_cert/libecp.dll",
"tls_offload": "C:/Users/<USERNAME>/AppData/Local/Google/Cloud SDK/google-cloud-sdk/platform/enterprise_cert/libtls_offload.dll"
}
}
After this configuration, users can access protected Google Cloud resources using command-line tools by enabling the CBA flag.
To enable CBA for Google Cloud CLI, set the context_aware/use_client_certificate
property to true.
To enable CBA for all other command-line tools, including Terraform, set the
environment variable GOOGLE_API_USE_CLIENT_CERTIFICATE to true.