General Info

• If you are doing this for deep scanning you need to exempt the Google log-in sites from deep scanning by using FQDN address entries 
• The addresses are found here in their SSL inspection Howto page: https://support.google.com/chrome/a/answer/6334001?hl=en&ref_topic=3504941
• WARNING: You can push certs to a subdomain but they WILL NOT trust. Each user would have to trust them. That is not feasible. You cant push and trust certs to student.domain.com for instance. You can do this for domain.com though as long as the users/devices are in the root domain.

Howto

1. Sign in to the Google Admin console.
2. Click Device management.
3. On the left, click Network.
4. Click Certificates.
5. (Optional) On the left, choose the organizational unit where you want to add the certificate.
   Note: The top-level organization is selected by default to give all users (including those in suborganizations) access to any added certificates.
6. Click Add Certificate.
7. Choose the certificate file to upload and click Open.
   Note: DER-encoded certificates are not supported. Chrome devices only accept PEM format.
8. (Optional) If the certificate will be used as a root CA for an SSL-inspecting web filter or to allow the browser to validate the full digital certificate chain of servers, check the Use this certificate as an HTTPS certificate authority box.
9. Click Save and then Done to confirm.
10. You will need a way for chrome devices to get the cert/sync the new policy. Dont enable deep scanning until the cert is pushed (or disable deep scanning until the policy is pushed).