WARNING: You can push certs to a subdomain but they WILL NOT trust. Each user would have to trust them. That is not feasible. You cant push and trust certs to student.domain.com for instance. You can do this for domain.com though as long as the users/devices are in the root domain.
(Optional) On the left, choose the organizational unit where you want to add the certificate. Note:The top-level organization is selected by default to give all users (including those in suborganizations) access to any added certificates.
ClickAdd Certificate.
Choose the certificate file to upload and clickOpen. Note:DER-encoded certificates are not supported. Chrome devices only accept PEM format.
(Optional) If the certificate will be used as a root CA for an SSL-inspecting web filter or to allow the browser to validate the full digital certificate chain of servers, check theUse this certificate as an HTTPS certificate authoritybox.
ClickSaveand thenDoneto confirm.
You will need a way for chrome devices to get the cert/sync the new policy. Dont enable deep scanning until the cert is pushed (or disable deep scanning until the policy is pushed).
Verify the certificate is pushed
Before you begin
Users need to sign in with an account in the domain that the device is enrolled in. For example, if the device is enrolled in the school.edu domain, the user needs to sign in with an account that uses the domain, such as user@school.edu.
If you have secondary G Suite domain that is managed under a primary domain and the user account is in the secondary domain, you need to enroll the device in the secondary domain. The device’s enrollment domain and signed-in user’s domain must match for the pushed certificate to work.
Verify SSL inspection is working
If Deep scanning is enabled
Sign in to a Chrome device with a user account in the domain where the certificate was applied.
Go to a site where SSL inspection is applied by your web filter.
Verify the building icon is in the address bar. Click it to see details about permissions and the connection.
To simply look at the cert in settings
In the addressbar type chrome://settings/certificates
Click on the Authorities tab
You should see the certificate in the list with a building icon next to it (which means the cert is pushed via google console