How to manage user access to certificates?

The default values from Google allow users to edit trust settings for all CA certificates, remove user-imported certificates, and import certificates. 

If a user removes CA certificates from their device there is a possibility it could affect the functionality of our services. It is recommended that you do not allow users to edit certificates installed on their devices.


To do this:

  • Log into your Google Workspace as a Super Admin User (
  • Navigate to Devices > Chrome > Settings > Users & Browsers
  • Select your root directory (If you wish to limit the scope of this best practice, select the container which contains the proper users)
  • Scroll down to Security 
    • Locate the settings:
      • User management of installed CA certificates
      • User management of installed client certificates
  • Select 'Disallow users from managing certificates' for both fields:

Full navigation path, applied on root directory, with settings highlighted:



Close up of specific settings:


Was this article helpful?
112 out of 178 found this helpful
Have more questions?
Submit a request



Article is closed for comments.

Articles in this section

See more