Google Workspace
This document serves as a step-by-step guide on how to set up and configure certificate enrollment for ChromeOS using Chrome Enterprise and SCEPman.
Last updated
This feature requires version 1.6 or above.
The Chromebook generates a hardware-backed private key.
Google generates a CSR from the SCEP profile.
The connector forwards the CSR to SCEPman.
SCEPman signs the CSR and sends the signed CSR back to the connector, which forwards it to Pub/Sub.
Pub/Sub sends the signed CSR to device management for temporary storage.
Device management sends the signed CSR to the Chromebook, where it is merged with the hardware-backed private key. The signed CSR is then deleted from temporary storage.
This guide assumes that you already provisioned Chromebook computer(s) running ChromeOS version 89 or later managed with Chrome Enterprise.
The GCCC requires a Windows Server appliance or VM running Windows Server 2016 or later.
The Windows Server instance must have the following network access:
Outbound: HTTP (80) and HTTPS (443).
In your Google Admin console (admin.google.com), go to Menu > Devices > Network.
Click Secure SCEP > Download Connector.
In the Google Cloud Certificate Connector section, click Download. The download creates a folder on your desktop that contains the certificate connector. We recommend you download the other connector configuration files to this folder.
In the Download the connector configuration file section, click Download. The config.json file downloads.
In the Get a service account key section, click Generate key. The key.json file downloads.
Run the certificate connector installer.
In the installation wizard, click Next.
Accept the terms of the license agreement and click Next.
Choose the account that the service is installed for and click Next. The account must have privileges to sign in as a service on the Windows server.
Select the installation location. We recommend using the default. Click Next.
Enter your service account credentials and click Next. The service installs.
Click Finish to complete the installation.
Move the configuration and key files (config.json and key.json) into the GCCC folder created during installation, typically: C:\Program Files\Google Cloud Certificate Connector.
Launch the Google Cloud Certificate Connector service:
Open Windows Services.
Select Google Cloud Certificate Connector in the list of services.
Click Start to start the service. Ensure that the status changes to Running. The service automatically restarts if the computer reboots.
If you download a new service account key later, restart the service to apply it.
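The file placement and service start from the steps above, as an added PowerShell example that is not part of the SCEPman guide or of Google's own tooling; it also restricts read access to key.json, which the guide does not cover. The install path is the default quoted above; the Desktop download location and the SCEPman host name are assumptions.

```powershell
# Added example, not from the SCEPman guide: place config.json and key.json into the
# connector folder, restrict who can read the service account key, start the service
# and confirm it reaches "Running". Assumptions: default install path from the guide,
# files downloaded to the current user's Desktop, SCEPman host name is a placeholder.
$gcccDir     = 'C:\Program Files\Google Cloud Certificate Connector'
$downloadDir = Join-Path $env:USERPROFILE 'Desktop'
$displayName = 'Google Cloud Certificate Connector'   # display name shown in Windows Services
$scepmanHost = 'scepman.example.com'                  # placeholder, replace with your SCEPman FQDN

foreach ($file in 'config.json', 'key.json') {
    $src = Join-Path $downloadDir $file
    if (-not (Test-Path $src)) {
        throw "$src not found; download it from Admin console > Devices > Network > Secure SCEP"
    }
    Move-Item -Path $src -Destination (Join-Path $gcccDir $file) -Force
}

# key.json is the Google service account credential. Drop inherited ACEs and grant
# read access only to SYSTEM, Administrators and the account the service runs as.
$svcInfo = Get-CimInstance Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svcInfo) { throw "Service '$displayName' is not installed; run the installer first" }
$runAs   = if ($svcInfo.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svcInfo.StartName }
$keyPath = Join-Path $gcccDir 'key.json'
icacls $keyPath /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(R)' 'BUILTIN\Administrators:(F)' "${runAs}:(R)" | Out-Null

# Start the service (restart it if it was already running, so a freshly downloaded
# key.json is picked up) and wait until Windows reports it as Running.
$svc = Get-Service -DisplayName $displayName
if ($svc.Status -eq 'Running') {
    Restart-Service -InputObject $svc -Force
} else {
    Start-Service -InputObject $svc
}
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
$svc.Refresh()
"{0}: {1} (start type {2})" -f $displayName, $svc.Status, $svc.StartType

# The connector only needs outbound 80/443; confirm 443 is reachable for the SCEPman host.
if (-not (Test-NetConnection -ComputerName $scepmanHost -Port 443 -InformationLevel Quiet)) {
    Write-Warning "Cannot reach ${scepmanHost}:443 - check the outbound firewall rules"
}
```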
Enable Google Workspace integration by adding the following environment variables to the SCEPman App Service:
You can tell the SCEPman App Service apart from the Certificate Master: it is the App Service whose name does not end in "-cm".
Description | Value |
---|---|
Enable 3rd-party validation | true to enable, false to disable |
Secure static password used to authenticate certificate signing requests sent to SCEPman for signing. Recommendation: store this secret in Azure Key Vault. | generate a 32-character password |
Days certificates issued via Google Workspace are valid | 365 |
Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master | true to enable, false to disable |
For more information and references, please visit Google Workspace Admin Help or download the original PDF guide, Configuring Certificate Enrollment for ChromeOS via SCEP.
Google, Google Workspace, ChromeOS and related marks and logos are trademarks of Google LLC.