ChromeOS
This document describes deploying a device and/or user certificates for ChromeOS devices. The deployment of the SCEPman Root Certificate is mandatory.
Root Certificate
As a first step, you must deploy SCEPman's root certificate. Therefore, follow these steps:
Download the root CA certificate from your SCEPman website by clicking on the Get CA Certificate link.
Now upload your SCEPmen root CA to your Google Workplace. In your Google Admin console (admin.google.com) navigate to Menu > Devices > Networks > Certificates > ADD CERTIFICATE
Add a SCEP Profile
The SCEP profile defines the certificate that lets users access your WiFi. Assign the profile to specific users by adding it to an organisational unit. Set up multiple SCEP profiles to manage access by device type. The following configuration example
In your Google Admin console (admin.google.com) navigate to Menu > Devices > Network
Click Create SCEP Profile.
Click Add Secure SCEP Profile.
Enter the configuration details for the profile.
| Attribute | Value (Device) | Value (User) |
|---|---|---|
Device platforms | Chromebook (device) | Chromebook (user) |
| Attribute | |
|---|---|
SCEP profile name | Provide a name for your SCEP profile. |
| Attribute | Value (Device) | Value (User) |
|---|---|---|
Subject name format | Fully distinguished name | Fully distinguished name |
Common name: ${DEVICE_SERIAL_NUMBER} | Common name: ${USER_EMAIL} | |
Company name: Your company name. | Company name: Your company name. | |
Organisation unit: Your organizational unit. This is optional. | Organisation unit: Your organizational unit. This is optional. | |
Locality: Your organisation unit's location. This is optional. | Locality: Your organisation unit's location. This is optional. | |
State: Your organisation unit's state. This is optional. | State: Your organisation unit's state. This is optional. | |
Country / region: Your organisation unit's country. This is optional. | Country / region: Your organisation unit's country. This is optional. | |
Subject alternative name | Default: None This can be set to Custom when the SAN shall be used, e.g. as outer identity when authenticating to a WiFi using EAP-TLS. | Custom User Principal: ${USER_EMAIL_NAME} |
| Attribute | Value |
|---|---|
Signing algorithm | SHA256withRSA |
Key usage | Key encipherment, Signing |
Key size (bits) | 3072 |
Security | Strict (only supported by managed devices) |
| Attribute | Value |
|---|---|
SCEP server attributes | SCEP server URL: http://scepman.yourdomain.net/static |
Certificate validity period (years): 1 | |
Renew within days: 42 | |
Extended key usage: Client authentication | |
Challenge type: Static | |
Challenge: Provide the challenge value you have configured when enabling the SCEPman Google Workspace integration. | |
Certificate Authority: Reference here the certificate profile containing your SCEPman Root CA. | |
Network type this profile applies to: Wi-Fi |
The SCEP profile is automatically distributed to users in the organisational unit.
To check for this certificate, in your Chromebook navigate to chrome://certificate.manager > Your certificates.
Last updated
