Google Workspace

Learn how to set up and configure certificate enrollment via SCEP for ChromeOS (Chromebook) using Chrome Enterprise and SCEPman.

Workflow of issuing SCEP Certificates

Chromebook generates a hardware-backed private key.
Google generates a CSR with the SCEP profile.
Connector forwards the CSR to SCEPman.
SCEPman signs the CSR and sends the signed CRS back to the connector which forwards it to PubSub.
PubSub sends the signed CRS to device management for temporary storage.
Device management sends the signed CRS to the Chromebook where it is merged with the harware-backed private key. The signed CSR is deleted from temporary storage.

Prerequisites

Google Workspace

This guide assumes that you already provisioned Chromebook computer(s) running ChromeOS version 89 or later managed with Chrome Enterprise.

Google Cloud Certificate Connector (GCCC)

Prerequisites

The GCCC requires a Windows Server appliance or VM running Windows Server 2016 or later.
The Windows Server instance must have the following network access:
- Outbound: HTTP (80) and HTTPS (443).

Installation of the GCCC

In your Google Admin console (at admin.google.com) > Go to Menu > Devices > Network
Click Secure SCEP > Download Connector.
In the Google Cloud Certificate Connector section, click Download. The download creates a folder on your desktop that contains the certificate connector. We recommend you download the other connector configuration files to this folder.
In the Download the connector configuration file section, click Download. The config.json file downloads.
In the Get a service account key section, click Generate key. The key.json file downloads.
Run the certificate connector installer.
1. In the installation wizard, click Next.
2. Accept the terms of the license agreement and click Next.
3. Choose the account that the service is installed for and click Next. The account must have privileges to sign in as a service on the Windows server.
4. Select the installation location. We recommend using the default. Click Next.
5. Enter your service account credentials and click Next. The service installs.
6. Click Finish to complete the installation.
Move the configuration and key files (config.json and key.json) into the GCCC folder created during installation, typically: C:\Program Files\Google Cloud Certificate Connector.
Launch the Google Cloud Certificate Connector service:
1. Open Windows Services.
2. Select Google Cloud Certificate Connector in the list of services.
3. Click Start to start the service. Ensure that the status changes to Running. The service automatically restarts if the computer reboots.

If you download a new service account key later, restart the service to apply it.

SCEPman

Enable Google Workspace Integration by adding the following environment variables on SCEPman app service:

You can differentiate between the SCEPman App Service and the Certificate Master by looking for the App Service without the "-cm" in its name

Setting

Description

Value

Enable 3rd-party validation

true to enable, false to disable

generate a 32 character password

Days certificates issued via Google Workspace are valid

365

Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master

true to enable, false to disable

Google, Google Workspace, ChromeOS and related marks and logos are trademarks of Google LLC.

Last updated 1 month ago

Was this helpful?

Workflow of issuing SCEP Certificates

Chromebook generates a hardware-backed private key.

Google generates a CSR with the SCEP profile.

Connector forwards the CSR to SCEPman.

SCEPman signs the CSR and sends the signed CRS back to the connector which forwards it to PubSub.

PubSub sends the signed CRS to device management for temporary storage.

Device management sends the signed CRS to the Chromebook where it is merged with the harware-backed private key. The signed CSR is deleted from temporary storage.

Prerequisites

Google Workspace

This guide assumes that you already provisioned Chromebook computer(s) running ChromeOS version 89 or later managed with Chrome Enterprise.

Google Cloud Certificate Connector (GCCC)

Prerequisites

The GCCC requires a Windows Server appliance or VM running Windows Server 2016 or later.

The Windows Server instance must have the following network access:

Outbound: HTTP (80) and HTTPS (443).

Installation of the GCCC

In your Google Admin console (at admin.google.com) > Go to Menu > Devices > Network

Click Secure SCEP > Download Connector.

In the Google Cloud Certificate Connector section, click Download. The download creates a folder on your desktop that contains the certificate connector. We recommend you download the other connector configuration files to this folder.

In the Download the connector configuration file section, click Download. The config.json file downloads.

In the Get a service account key section, click Generate key. The key.json file downloads.

Run the certificate connector installer.

In the installation wizard, click Next.
Accept the terms of the license agreement and click Next.
Choose the account that the service is installed for and click Next. The account must have privileges to sign in as a service on the Windows server.
Select the installation location. We recommend using the default. Click Next.
Enter your service account credentials and click Next. The service installs.
Click Finish to complete the installation.

Move the configuration and key files (config.json and key.json) into the GCCC folder created during installation, typically: C:\Program Files\Google Cloud Certificate Connector.

Launch the Google Cloud Certificate Connector service:

Open Windows Services.
Select Google Cloud Certificate Connector in the list of services.
Click Start to start the service. Ensure that the status changes to Running. The service automatically restarts if the computer reboots.

If you download a new service account key later, restart the service to apply it.

SCEPman

Enable Google Workspace Integration by adding the following environment variables on SCEPman app service:

You can differentiate between the SCEPman App Service and the Certificate Master by looking for the App Service without the "-cm" in its name

Setting

Description

Value

Enable 3rd-party validation

true to enable, false to disable

Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password Recommendation: Store this secret in .

generate a 32 character password

(optional)

Days certificates issued via Google Workspace are valid

365

(optional)

Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master

true to enable, false to disable

For more information and references please visit or download the original PDF guide .

Google, Google Workspace, ChromeOS and related marks and logos are trademarks of Google LLC.