ChromeOS
This document describes deploying a device and/or user certificates for ChromeOS devices. The deployment of the SCEPman Root Certificate is mandatory.
Last updated
Was this helpful?
This document describes deploying a device and/or user certificates for ChromeOS devices. The deployment of the SCEPman Root Certificate is mandatory.
Last updated
Was this helpful?
As a first step, you must deploy SCEPman's root certificate. Therefore, follow these steps:
Download the root CA certificate from your SCEPman website by clicking on the Get CA Certificate link.
Now upload your SCEPmen root CA to your Google Workplace. In your Google Admin console (admin.google.com) navigate to Menu > Devices > Networks > Certificates > ADD CERTIFICATE
Be aware that the Google Admin console only accepts certificates in PEM format. You will need to convert SCEPman root CA (which is downloaded in DER by default) using openssl or by importing it in Windows and exporting it again in Base-64 format.
The SCEP profile defines the certificate that lets users access your WiFi. Assign the profile to specific users by adding it to an organisational unit. Set up multiple SCEP profiles to manage access by device type. The following configuration example
In your Google Admin console (admin.google.com) navigate to Menu > Devices > Network
Click Create SCEP Profile.
Click Add Secure SCEP Profile.
Enter the configuration details for the profile.
Device platforms
Chromebook (device)
Chromebook (user)
SCEP profile name
Provide a name for your SCEP profile.
Subject name format
Fully distinguished name
Fully distinguished name
Common name: ${DEVICE_SERIAL_NUMBER}
Common name: ${USER_EMAIL}
Company name: Your company name.
Company name: Your company name.
Organisation unit: Your organizational unit. This is optional.
Organisation unit: Your organizational unit. This is optional.
Locality: Your organisation unit's location. This is optional.
Locality: Your organisation unit's location. This is optional.
State: Your organisation unit's state. This is optional.
State: Your organisation unit's state. This is optional.
Country / region: Your organisation unit's country. This is optional.
Country / region: Your organisation unit's country. This is optional.
Subject alternative name
Default: None This can be set to Custom when the SAN shall be used, e.g. as outer identity when authenticating to a WiFi using EAP-TLS.
Custom
User Principal: ${USER_EMAIL_NAME}
Signing algorithm
SHA256withRSA
Key usage
Key encipherment, Signing
Key size (bits)
3072
Security
Strict (only supported by managed devices)
SCEP server attributes
Certificate validity period (years): 1
Renew within days: 42
Extended key usage: Client authentication
Challenge type: Static
Network type this profile applies to: Wi-Fi
The SCEP profile is automatically distributed to users in the organisational unit.
To check for this certificate, in your Chromebook navigate to chrome://certificate.manager > Your certificates.
SCEP server URL:
Challenge: Provide the challenge value you have configured when integration.
Certificate Authority: Reference here the certificate profile containing your .
