enterprise.platformKeys

The enterprise.platformKeys permission provides an API for extensions to generate keys and install certificates for these keys in a hardware-backed keystore.

This is an enterprise-only and ChromeOS-only permission. It only works for extensions force-installed by enterprise policy on a managed ChromeOS device.

What it does

  • A more powerful and complex version of the platformKeys API, intended for corporate environments.
  • Allows an extension to manage client certificates used for authenticating the user and the device on corporate networks (e.g., VPNs, Wi-Fi, internal websites).
  • The private keys associated with these certificates are hardware-backed (e.g., stored in a TPM, a Trusted Platform Module), meaning they cannot be exported.

When to use it

This is used to implement client certificate enrollment and management for a fleet of managed devices.

Examples:

  • An extension that communicates with a corporate Certificate Authority to request and install a unique client certificate on each device.
  • An extension that manages the lifecycle of authentication certificates, renewing them before they expire.

Manifest Declaration

{
  "name": "My Enterprise Certificate Manager",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": [
    "enterprise.platformKeys"
  ]
}

Security & Privacy

Why is it not risky for you?

This is a special permission that only works on computers managed by a company or school IT department. It is designed for corporate environments and will have no effect on your personal computer.

If you see an extension asking for this permission for your personal use, it is likely a mistake or a poorly designed extension. It does not pose a direct security threat to you, because the permission will not function outside of a managed enterprise setting. On a work computer, this permission is used by your IT department to manage device and network settings for administrative and security purposes.

API Usage Example

The API is complex. This is a conceptual example of generating a key on a token, having a corporate CA certify it, and importing the resulting certificate.

// background.js

async function provisionCertificate() {
  if (!chrome.enterprise || !chrome.enterprise.platformKeys) {
    console.log('This API is only available on managed ChromeOS devices.');
    return;
  }
  try {
    // 1. Pick a token. The 'system' token is device-wide; the 'user'
    //    token holds keys scoped to the signed-in user. This example
    //    prefers the user token and falls back to whatever is available.
    const tokens = await chrome.enterprise.platformKeys.getTokens();
    const token = tokens.find(t => t.id === 'user') ?? tokens[0];

    // 2. Generate a hardware-backed RSA key pair on that token.
    //    The returned object is a SubtleCrypto key pair; the private
    //    key is non-extractable and, until a certificate is imported
    //    for it, may by default sign at most once (enough for one CSR).
    const keyPair = await token.subtleCrypto.generateKey(
      { name: 'RSASSA-PKCS1-v1_5', modulusLength: 2048,
        publicExponent: new Uint8Array([1, 0, 1]),
        hash: { name: 'SHA-256' } },
      false,
      ['sign']
    );

    // 3. Build a CSR with the public key (export it with
    //    token.subtleCrypto.exportKey('spki', keyPair.publicKey) and use
    //    a CSR library of choice), then send it to your corporate CA.
    const csr = await createCsr(keyPair); // your code
    const response = await fetch('https://ca.example.com/sign', {
      method: 'POST',
      body: csr
    });
    if (!response.ok) {
      throw new Error(`CA returned HTTP ${response.status}`);
    }
    const certificate = await response.arrayBuffer();

    // 4. Import the signed certificate (one DER-encoded X.509 cert).
    //    Chrome binds it to the private key on the token by matching
    //    the public key. The arguments are positional: (tokenId, certificate).
    await chrome.enterprise.platformKeys.importCertificate(token.id, certificate);

    console.log('Certificate provisioned successfully.');
  } catch (error) {
    console.error('Certificate provisioning failed:', error);
  }
}
