# ChromeOS ## Root Certificate As a first step, you must deploy SCEPman's root certificate. Therefore, follow these steps: 1. Download the root CA certificate from your SCEPman website by clicking on the **Get CA Certificate** link.

2. Now upload your SCEPmen root CA to your Google Workplace. In your Google **Admin console** (admin.google.com) navigate to **Menu** > **Devices** > **Networks** > **Certificates** > **ADD CERTIFICATE** {% hint style="warning" %} Be aware that the Google Admin console only accepts certificates in PEM format. You will need to convert SCEPman root CA (which is downloaded in DER by default) using *openssl* or by importing it in Windows and exporting it again in Base-64 format. {% endhint %}

## Add a SCEP Profile The SCEP profile defines the certificate that lets users access your WiFi. Assign the profile to specific users by adding it to an organisational unit. Set up multiple SCEP profiles to manage access by device type. The following configuration example 1. In your Google **Admin console** (admin.google.com) navigate to **Menu** > **Devices** > **Network** 2. Click **Create SCEP Profile**. 3. Click **Add Secure SCEP Profile**. 4. Enter the configuration details for the profile. | Attribute | Value (Device) | Value (User) | | -------------------- | ------------------- | ----------------- | | **Device platforms** | Chromebook (device) | Chromebook (user) |

| Attribute | | | --------------------- | ------------------------------------- | | **SCEP profile name** | Provide a name for your SCEP profile. |

Attribute	Value (Device)	Value (User)
Subject name format	Fully distinguished name	Fully distinguished name
	Common name: ${DEVICE_SERIAL_NUMBER}	Common name: ${USER_EMAIL}
	Company name: Your company name.	Company name: Your company name.
	Organisation unit: Your organizational unit. This is optional.	Organisation unit: Your organizational unit. This is optional.
	Locality: Your organisation unit's location. This is optional.	Locality: Your organisation unit's location. This is optional.
	State: Your organisation unit's state. This is optional.	State: Your organisation unit's state. This is optional.
	Country / region: Your organisation unit's country. This is optional.	Country / region: Your organisation unit's country. This is optional.
Subject alternative name	Default: None This can be set to Custom when the SAN shall be used, e.g. as outer identity when authenticating to a WiFi using EAP-TLS.	Custom User Principal: ${USER_EMAIL_NAME}

| Attribute | Value | | --------------------- | ------------------------------------------ | | **Signing algorithm** | SHA256withRSA | | **Key usage** | Key encipherment, Signing | | **Key size (bits)** | 3072 | | **Security** | Strict (only supported by managed devices) |

Attribute	Value
SCEP server attributes	SCEP server URL: http://scepman.yourdomain.net/static
	Certificate validity period (years): 1
	Renew within days: 42
	Extended key usage: Client authentication
	Challenge type: Static
	Challenge: Provide the challenge value you have configured when enabling the SCEPman Google Workspace integration.
	Certificate Authority: Reference here the certificate profile containing your SCEPman Root CA.
	Network type this profile applies to: Wi-Fi

5. The SCEP profile is automatically distributed to users in the organisational unit. 6. To check for this certificate, in your Chromebook navigate to **chrome://certificate.manager** > **Your certificates.**