certificateProvider

The certificateProvider permission allows an extension to expose certificates to the platform, which can then be used for TLS authentication. This API is ChromeOS-only: chrome.certificateProvider is undefined on Windows, macOS, and Linux even when the permission is declared.

What it does

  • Lets an extension act as a source for client certificates.
  • When a website or network service requests a client certificate for authentication, the browser can ask the extension to provide one.
  • The extension can then, for example, communicate with a smart card or other hardware token to retrieve the necessary certificate.

When to use it

Use this permission in enterprise or high-security environments, particularly on ChromeOS, where you need to integrate with hardware-based authentication systems.

Examples:

  • An extension that allows users to authenticate to corporate websites using a smart card.
  • An extension that provides certificates stored in a secure hardware module.

Manifest Declaration

{
  "name": "My Certificate Provider",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": [
    "certificateProvider"
  ],
  "background": {
    "service_worker": "background.js"
  }
}

Security & Privacy

Why is it risky?

This is a highly technical and powerful permission, usually only seen in corporate or high-security environments. It allows an extension to manage digital certificates, which are like digital ID cards used to prove your identity to secure websites and networks.

For a regular home user, it is extremely rare to encounter an extension asking for this. If you are not using your computer for work that specifically requires this, you should be very suspicious. A malicious extension with this permission could potentially impersonate you on secure networks.

API Usage Example

The API is event-driven. The extension registers listeners for certificate requests and responds with the appropriate certificates.

// background.js (ChromeOS only)

// Chrome periodically asks for the current list of certificates this
// extension provides. Respond by calling setCertificates with all
// certs the extension currently has available.
chrome.certificateProvider.onCertificatesUpdateRequested.addListener(
  async (request) => {
    // In a real extension, fetch certs from your hardware/token.
    const clientCertificates = [
      // {
      //   certificateChain: [ /* ArrayBuffer of DER-encoded X.509 */ ],
      //   supportedAlgorithms: ['RSASSA_PKCS1_v1_5_SHA256']
      // }
    ];

    await chrome.certificateProvider.setCertificates({
      certificatesRequestId: request.certificatesRequestId,
      clientCertificates
    });
  }
);

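// Chrome asks the extension to produce a signature over request.input
// using the private key associated with one of the certs above.
// request.input is the raw data to sign; it has not been hashed yet.
chrome.certificateProvider.onSignatureRequested.addListener(
  async (request) => {
    // Hand request.input + request.algorithm + request.certificate to
    // your hardware/key store, then report the signature back.
    // performSigning is a placeholder for that call; it must hash
    // request.input as request.algorithm requires before signing.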
    const signature = await performSigning(
      request.input,
      request.algorithm,
      request.certificate
    );

    await chrome.certificateProvider.reportSignature({
      signRequestId: request.signRequestId,
      signature
    });
  }
);
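
One way to gate signature requests before they reach the key store, as an added example that is not part of the original page: the extension signs only for certificates and algorithms it advertised through setCertificates, and always answers the request. recordAdvertised, checkSignRequest, guardedSigner and signFn are hypothetical names; performSigning is the page's own placeholder.

```javascript
// Added example. Registry of what this extension advertised:
// hex(DER of leaf certificate) -> Set of algorithm names.
const advertised = new Map();

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Call with the same array that is passed to setCertificates().
function recordAdvertised(clientCertificates) {
  advertised.clear();
  for (const { certificateChain, supportedAlgorithms } of clientCertificates) {
    // certificateChain[0] is the client (leaf) certificate.
    advertised.set(toHex(certificateChain[0]), new Set(supportedAlgorithms));
  }
}

// Decide whether a signature request may reach the key store.
function checkSignRequest(request) {
  const algorithms = advertised.get(toHex(request.certificate));
  if (!algorithms) return { ok: false, reason: 'unknown-certificate' };
  if (!algorithms.has(request.algorithm)) {
    return { ok: false, reason: 'algorithm-not-advertised' };
  }
  return { ok: true, reason: null };
}

// Wrap a signing function (hypothetical signFn) so every request is
// answered: a signature on success, GENERAL_ERROR on refusal or failure.
function guardedSigner(api, signFn) {
  return async (request) => {
    const reply = { signRequestId: request.signRequestId };
    try {
      const verdict = checkSignRequest(request);
      if (!verdict.ok) throw new Error(verdict.reason);
      reply.signature = await signFn(request.input, request.algorithm, request.certificate);
    } catch (err) {
      reply.error = 'GENERAL_ERROR';
    }
    await api.reportSignature(reply);
  };
}

// Register only where the API exists (ChromeOS); elsewhere it is undefined.
if (typeof chrome !== 'undefined' && chrome.certificateProvider) {
  chrome.certificateProvider.onSignatureRequested.addListener(
    guardedSigner(chrome.certificateProvider, performSigning)
  );
}
```

The registry lives in service worker memory, so after a worker restart it is empty and requests are refused until recordAdvertised runs again alongside setCertificates.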
