Planning your return to office strategy? See how Chrome OS can help.

Use the Google Cloud Certificate Connector

You can control user access to your organization’s Wi-Fi networks, internal apps, and internal websites on ChromeOS devices by using a connector to distribute device certificates from your on-premises Certificate Authority (CA). The Google Cloud Certificate Connector is a Windows service that securely distributes certificates and authentication keys from your Simple Certificate Enrollment Protocol (SCEP) server to users’ devices.

For ChromeOS devices, private keys for certificates are generated on the device. The corresponding public key is stored temporarily on Google servers and deleted after the certificate is installed.

System requirements

  • Your organization uses Microsoft Active Directory Certificate Service for an SCEP server and the Microsoft Network Device Enrollment Service (NDES) to distribute certificates. Windows Server 2016 and newer are supported.
  • ChromeOS devices with version 89 or later for the best experience.

Before you begin

  • Setting up certificates deployment with SCEP requires expertise and permissions to manage Microsoft Active Directory Certificate Service for your organization. Make sure that the relevant experts are involved within your organization before moving forward.
  • If you need the certificate Subject name to use Active Directory usernames, you must sync your Active Directory and Google Directory with Google Cloud Directory Sync (GCDS). If necessary, set up GCDS.
  • If you haven’t already uploaded a CA Certificate in the Google Admin console, add a certificate.

Step 1: Download the Google Cloud Certificate Connector

Note: If you have already set up the Google Cloud Certificate Connector for mobile devices, skip this step and go straight to Step 2: Add a SCEP profile.

Perform the following steps on the SCEP server or a Windows computer with an account that can sign in as a service on the SCEP server. Have the account credentials available.

If your organization has several servers, you can use the same certificate connector agent on all of them. Download and install the installation file, configuration file, and key file on one computer as described in the following steps. Then, copy those three files to the other computer and follow the setup instructions on that computer.

Note: You download the Google Cloud Certificate Connector and its components only once, when you first set up certificates for your organization. Your certificates and SCEP profiles can share a single certificate connector.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu ""and then"" Devicesand thenNetworks.
  3. Click Secure SCEPand thenDownload Connector.
  4. In the Google Cloud Certificate Connector section, click Download. The download creates a folder on your desktop that contains the certificate connector. We recommend you download the other connector configuration files to this folder.
  5. In the Download the connector configuration file section, click Download. The config.json file downloads.

  6. In the Get a service account key section, click Generate key. The key.json file downloads.
  7. Run the certificate connector installer.
    • In the installation wizard, click Next.
    • Accept the terms of the license agreement and click Next.
    • Choose the account that the service is installed for and click Next. The account must have privileges to sign in as a service on the SCEP server.
    • Select the installation location. We recommend using the default. Click Next.
    • Enter your service account credentials and click Next. The service installs.
    • Click Finish to complete the installation.
  8. Move the configuration and key files (config.json and key.json) into the Google Cloud Certificate Connector folder created during installation, typically: C:\Program Files\Google Cloud Certificate Connector.
  9. Launch the Google Cloud Certificate Connector service:
    • Open Windows Services.
    • Select Google Cloud Certificate Connector in the list of services.
    • Click Start to start the service. Ensure that the status changes to Running. The service automatically restarts if the computer reboots.

If you download a new service account key later, restart the service to apply it.

Step 2: Add a SCEP profile

The SCEP profile defines the certificate that lets users access your Wi-Fi network. You assign the profile to specific users by adding it to an organizational unit. You can set up several SCEP profiles to manage access by organizational unit and by device type.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu ""and then"" Devicesand thenNetworks.
  3. Click Create SCEP Profile.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Click Add Secure SCEP Profile.
  6. Enter the configuration details for the profile. If your CA issues a particular template, match the details of the profile to the template.
    • SCEP profile name—A descriptive name for the profile. The name is shown in the list of profiles and in the profile selector in the Wi-Fi network configuration.
    • Subject name format—Choose how you want to identify the certificate owner. If you select Fully Distinguished Name, the certificate Common Name is the user's username.
    • Subject alternative name—Provide an SAN. Default is None. Create multiple SANs, as needed. See Supported variables for SAN.
    • Signing algorithm—The hash function used to encrypt the authorization key. Only SHA256 with RSA is available.
    • Key usage—Options for how to use the key, key encipherment and signing. You can select more than one.
    • Key size (bits)—The size of the RSA key.
      Note: ChromeOS devices only support hardware backed 2048.The key is generated on the Chrome OS device using the TPM instead of on the server for additional security.
    • Security—Attestation requirements. Select Strict to require a verified access check, supported only by managed ChromeOS devices. Select Relaxed for ChromeOS Flex and unmanaged ChromeOS devices.
    • SCEP server URL—The URL of the SCEP server.
    • Certificate validity period (years)—How long the device certificate is valid. Enter as a number.
    • Renew within days—How long before the device certificate expires to try to renew the certificate.
    • Extended key usage—How the key can be used. You can choose more than one value.
    • Challenge type—To require Google to provide a specified challenge phrase when it requests a certificate from the SCEP server, select Static and enter the phrase. If you select None, the server doesn’t require this check.
    • Template name—The name of the template used by your NDES server.
    • Certificate Authority—The name of a certificate you uploaded to use as the Certificate Authority.
    • Network type this profile applies to​—The type of networks that use the SCEP profile.
    • Platforms this profile applies to—The device platforms that use the SCEP profile.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

After you add a profile, it's listed with its name and the platforms its enabled on. In the Platform column, the profile is enabled for platforms with blue icons and disabled for platforms with grey icons. To edit a profile, point to the row and click Edit"". Make sure to select Chromebook (user) or Chromebook (device) depending on the type of certificate you want to deploy.

The SCEP profile is automatically distributed to users in the organizational unit.

How certificate authentication through Google Cloud Certificate Connector works

The Google Cloud Certificate Connector is a Windows service that establishes an exclusive connection between your SCEP server and Google. The certificate connector is configured and secured by a configuration file and a key file, both dedicated to your organization only.

You assign certificates to devices and users with SCEP Profiles. To assign the profile, you choose an organizational unit and add the profile to that organizational unit. The profile includes the Certificate Authority that issues certificates. When a ChromeOS device is enrolled, configured policy is sent to the device and the device installs the certificate on the device prior to user login if deploying a device certificate or after login if deploying a user certificate. If the device is already enrolled or the user profile already exists, the certificate is installed once the device or user receives updated policy from the Admin console.

Known issues and Limitations

  • SCEP profiles currently don’t support dynamic challenges.
  • Certificates can’t be revoked after they’re installed on a device.
  • The SCEP Profile must be configured with the CA Certificate that issues the client certificate. If a certificate chain, such as CA certificate - intermediate CA certificate - identity certificate is used, then the SCEP Profile must be configured with the intermediate CA certificate.
  • Certificates can only be deployed for users signed into an enrolled managed device. Users and devices need to belong to the same domain.

Supported variables for SAN

Instead of using the requester’s properties, you can define subject alternative names based on user and device attributes. To use custom certificate signing request (CSR0, you should also configure the certificate template on the CA to expect and generate a certificate with the subject values defined in the request itself. At minimum, you need to provide a value for the subject's CommonName.

You can use the following placeholders. All values are optional.

  • ${DEVICE_DIRECTORY_ID}—Device’s directory ID
  • ${USER_EMAIL}—Signed-in user’s email address
  • ${USER_EMAIL_DOMAIN}—Signed-in user’s domain name
  • ${DEVICE_SERIAL_NUMBER}—Device's serial number
  • ${DEVICE_ASSET_ID}—Asset ID assigned to device by administrator
  • ${DEVICE_ANNOTATED_LOCATION}—Location assigned to device by administrator
  • ${USER_EMAIL_NAME}—First part (part before @) of signed-in user’s email address

If a placeholder value isn’t available, it’s replaced with an empty string.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center