
Configure Google SCEP Certificate Automatic Enrollment Profiles

Certificates are far superior to credentials and mitigate many vulnerabilities associated with pre-shared keys. They enhance the user experience by facilitating network access and removing password-related friction induced by password reset and complexity policies. Certificates also grant identity context by associating identities with devices, allowing administrators to decode SSL encryption and monitor device behavior.

One of the most significant challenges enterprises experience when configuring certificate-based authentication (CBA) is the smooth issuance of these certificates, especially when there are many devices to account for. To streamline this process, we at SecureW2 have developed a mechanism allowing Chromebooks to automatically enroll for certificates without requiring end-user intervention, leveraging JSON to achieve SCEP-like capability.

But before discussing the technical procedure involved in the process, we want the reader to have a general understanding of the SCEP certificate lifecycle as it applies to the Google Cloud Certificate Connector.

What is SCEP?

SCEP (Simple Certificate Enrollment Protocol) is a protocol that enables devices to quickly enroll for a certificate by communicating with a PKI through a URL and a shared secret. MDM software generally uses SCEP for devices by transmitting a payload, including the SCEP URL and shared secret, to managed devices. This can save an admin a significant amount of time compared to manually enrolling managed devices for certificates.

Essentially, SCEP instructs devices on how to connect with the PKI using a Gateway API URL. SecureW2 customers may simply build their own SCEP Gateway API URL using our software. They may then add this URL to their MDM so that it can send a payload to devices that need to enroll for client certificates.

SCEP Shared Secret

A Shared Secret is a case-sensitive passcode shared between the SCEP server and the Certificate Authority (CA). This shared secret links the CA to the relevant server for certificate signing. The device submits the shared secret to our Managed PKI via SecureW2’s solution, and then certificate enrollment occurs on the device.

SCEP Certificate Request

After you’ve configured the SCEP gateway and communicated the Shared Secret between the SCEP server and the CA, you can generate and distribute a configuration profile that will allow managed devices to auto-enroll for certificates. The device will send a certificate enrollment request to the CA via the SCEP gateway. After authentication, a signed certificate will be installed onto the device.

SCEP Signing Certificate

Most MDMs need you to upload a SCEP signing certificate that covers the entire certificate chain and is signed by the CA issuing certificates (signing certificate, Intermediate CA, Root CA). In SecureW2, you just pick the CA issuing certificates, and a PKCS12 file will be created for you to upload into your MDM.

How does Google Cloud Certificate Connector work for Certificate Authentication?

The Google Cloud Certificate Connector is a Windows service that creates a secure link between your SCEP server and Google cloud. You can manually set up and secure the certificate connector by utilizing a configuration file and a key file, both specific to your organization.

SCEP Profiles are used to assign device certificates to both devices and users depending on the use case. You can easily assign a profile by choosing an organizational entity and adding a profile to that entity.

The Certificate Authority, which issues device certificates, is included in the profile. When a user enrolls their mobile or Chrome OS device for management, Google endpoint management retrieves the user’s SCEP profile and installs the certificate on the particular device. A device certificate is installed on Chrome OS devices before the user signs in, whereas a user certificate is installed after the user signs in. If the device is already registered, the certificate is installed during a routine sync cycle.

When a user tries to join your network, they are asked for the certificate. The certificate is automatically picked for Android devices, and the user taps Connect. On iOS devices, the user must manually pick the certificate before connecting. The device connects to your organization’s network using a key that Google has negotiated through the certificate connector. Google momentarily saves the key during security communications but deletes it after the device is deployed (or after 24 hours).

  1. Navigate to the Admin console.
  2. Navigate to Menu > Devices > Networks.
  3. Go to Secure SCEP and click on Download Connector.
  4. Navigate to the Google Cloud Certificate Connector section, and click Download.
  5. Click Download in the Download connector configuration file section. The config.json file downloads.
  6. Navigate to the Get a service account key section, and click Generate key. The key.json file downloads.
  7. Run the certificate connector installer.
  • Click Next in the Installation Wizard.
  • Click Next after accepting the terms of the license agreement.
  • Select the required account and click Next.
  • Choose the installation location. It is recommended to use the default mode.
  • Click Next.
  • Install the service by entering service account credentials.
  • Click Next. The service installs.
  • Click Finish.

The installation is now complete.

  1. Copy the configuration and key files (config.json and key.json) into the Google Cloud Certificate Connector folder, typically: C:\Program Files\Google Cloud Certificate Connector.
  2. Start the Google Cloud Certificate Connector service as follows:
  • Start Windows Services.
  • Select Google Cloud Certificate Connector.
  • Click Start. Make sure that the status becomes Running.

When the machine reboots, the service should now restart automatically. If you later download a new service account key, you must restart the service to use it.

SCEP Enrollment Procedure

SCEP enrollment entails verifying a CA and submitting a Certificate Signing Request (CSR) via your MDM interface. The SCEP client must first obtain a copy of the CA certificate so that it can transmit the CSR and complete client enrollment correctly. You may verify that the certificate was signed by the CA by checking the SCEP server.

  • Navigate to the Admin console.
  • Navigate to Menu > Devices > Networks.
  • Check whether you have the Shared device settings administrator privilege. It is compulsory.
  • Click Create SCEP Profile.
  • Leave the top organizational unit selected to apply the setting to everyone; otherwise, choose a child organizational unit. Because of a known problem, we recommend that you configure the SCEP profile for each organizational unit to which you wish the profile to apply.
  • Click Add Secure SCEP Profile.
  • You must input the profile’s setup parameters. If your CA provides a template, match the profile’s details to the template.
  • Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit’s settings.

When you add a profile, it is listed with its name and the platforms on which it is enabled. The profile is enabled for platforms with blue icons and deactivated for platforms with gray icons in the Platform column. To modify a profile, select the row and then click Edit. The SCEP profile is immediately delivered to organizational unit users.

Configure the Google Cloud Certificate Connector’s Keystore

If your certificate is issued by a trusted CA or your SCEP server URL starts with HTTP, skip this step.

If your certificate isn’t issued by a trusted CA, such as a self-signed certificate, you need to import the certificate to the Google Cloud Certificate Connector Keystore. Otherwise, the device certificate can’t be provisioned, and the device can’t connect.

  1. Sign in to your CA.
  2. If a Java JRE isn’t already installed, install one so that you can use keytool.exe.
  3. Open a command prompt.

  4. Export your CA certificate and convert it to a PEM file by running the following commands:
    certutil -ca.cert cacert.cer
    certutil -encode cacert.cer cacert.pem
  5. Import the CA certificate to the Keystore. From the subdirectory of the Google Cloud Certificate Connector folder created during installation, typically C:\Program Files\Google Cloud Certificate Connector, run the following command:
    java-home-dir\bin\keytool.exe -import -keystore rt\lib\security\cacerts -trustcacerts -file cert-export-dir\cacert.pem -storepass changeit
    Replace java-home-dir with the path to the JRE in the Google Cloud Certificate Connector folder and cert-export-dir with the path to the certificate you exported in step 4.

Setting up the SecureW2 Management Portal

First, contact SecureW2 Support to create an Identity Provider (IDP) in the SecureW2 Management Portal for Google Verified Access. Then, log in to the SecureW2 Management Portal and perform the following steps:

  • Navigate to Device Onboarding > Getting Started. On the Network Profile Generator page, enter values for the given fields to generate a network profile.
    • NOTE: You will be creating an SSID name, even though it will not be used.
    • From the Profile Type drop-down list, select the network profile type.
    • In the SSID text box, type a name for the SSID.
    • From the Security Type drop-down list, select WPA2-Enterprise.
    • From the EAP Method drop-down list, select the authentication framework.
    • From the Policy drop-down list, select DEFAULT.
    • From the Wireless Vendor drop-down list, select a wireless provider.
    • From the Radius Vendor drop-down list, select a RADIUS vendor.
  • Click Create. Your network profile is generated.
  • On the Network Profiles page, click the Edit link for the newly created network profile. The Network Profiles page is displayed.
  • Scroll down to the Networks Settings section and click the Edit link for the newly created network profile.
  • In the TLS Enrollment section, from the Enrollment Type drop-down list, select Cloud.
  • From the Generate Certificate For drop-down list, select:
    • System – If you are enrolling systems for certificates.
    • User – If you are enrolling individual users for certificates.
  • Click Update.
  • On the Network Profile page, click the Advanced tab.
  • Scroll down to the Workflows section and uncheck the following options.
    • Wireless Configuration
    • Wireless Connect
  • Click Update and then click the Republish link on the Network Profile page.
  • In the Re-publish Network Profile pop-up, type the name of the network profile and click OK.
  • Go to Policy Management > Authentication and click the Edit link of the authentication policy.
  • Map the IDP that SecureW2 Support created in the Profile policy.
  • Go to Policy Management > User Roles and click Add Role.
  • Type a name and description in the respective fields, and click Save.
  • Click the Conditions tab, and ensure that the user role policy is mapped to the IDP.
  • Go to Policy Management > User Roles and select DEFAULT DEVICE ROLE POLICY.

Configure Google Admin Console for Device Certificate Enrollment

The Google Admin Console allows admins to manage all their Google Workspace services in a central location. Here you will configure access for device certificate enrollment. Once configured, Chromebooks with verified access tokens will be able to enroll for certificates with no interaction from the end user.

Granting Permission for the SecureW2 Service Account for Google Chrome Verified Access

The SecureW2 service account is used to validate the verified access token (sent by the Chromebooks during enrollment) against Google to confirm if the identity matches the token; based on the results, it proceeds to the next step in enrollment.

  • To provide access to the service account for device certificate enrollment, navigate to Device Management -> Chrome -> Management -> Device Settings -> Enrollment & Access -> Verified Access.
  • For the Verified access field, from the drop-down list, select Enable for content protection.
  • For the Verified mode field, from the drop-down list, select Require verified mode boot for verified access.
  • For the Services with full access field, type the following email: securew2-verified-access@sw2joinnow.iam.gserviceaccount.com.
  • To provide access to the service account for user certificate enrollment, go to Devices > Chrome > Settings > Device > USER & BROWSER SETTINGS > User verification.
  • For the Verified Mode field, from the drop-down list, select Require verified mode boot for Verified Access.
  • For the Service accounts field, type the following email: securew2-verified-access@sw2joinnow.iam.gserviceaccount.com

Create JSON Certificate Enrollment Config

In the next section below, you will need to upload a JSON configuration file to the Google Admin Console. Please reach out to SecureW2 support during this stage, and they will provide you with the JSON file required.

Sample File:

  {
    "EnrollmentURL": {
      "Value": "https://pki-services.securew2.com/enroll/<WORKFLOW_ID>"
    },
    "DeviceCertificate": {
      "Value": true
    },
    "RenewWindowDays": {
      "Value": 30
    },
    "MetaConfigInfo": {
      "Value": {
        "organizationId": "<ORG_ID>",
        "profileId": "<PROFILE_UUID>"
      }
    }
  }
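Because this file is uploaded as a Chrome extension policy, a mistake in it (an unfilled placeholder, a plain-http URL, a stray space around an ID) surfaces only as a silent enrollment failure on the Chromebook. The following pre-upload validator is an added example, not SecureW2's or Google's code: the key names follow the sample above, while the angle-bracket placeholder syntax, the https requirement and the UUID format for profileId are this example's own assumptions, and the embedded sample input is constructed.

```python
import json
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"<[A-Z_]+>")  # unfilled marker such as <WORKFLOW_ID> (assumed)
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def _value(policy, key):
    """Chrome extension policy wraps each setting as {"Value": ...}."""
    entry = policy.get(key)
    return entry.get("Value") if isinstance(entry, dict) else None


def validate_policy(text):
    """Return a list of problems; an empty list means the file looks deployable."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    problems = []
    url = _value(policy, "EnrollmentURL")
    if not isinstance(url, str):
        problems.append("EnrollmentURL.Value missing or not a string")
    else:
        if urlparse(url).scheme != "https":  # the PKI endpoint must be TLS-protected
            problems.append("EnrollmentURL must use https")
        if PLACEHOLDER.search(url):
            problems.append("EnrollmentURL still contains a placeholder")
    if not isinstance(_value(policy, "DeviceCertificate"), bool):
        problems.append("DeviceCertificate.Value must be true or false")
    days = _value(policy, "RenewWindowDays")
    if isinstance(days, bool) or not isinstance(days, int) or days <= 0:
        problems.append("RenewWindowDays.Value must be a positive integer")
    meta = _value(policy, "MetaConfigInfo")
    meta = meta if isinstance(meta, dict) else {}
    for key in ("organizationId", "profileId"):
        val = meta.get(key)
        if not isinstance(val, str) or not val.strip():
            problems.append(f"MetaConfigInfo.{key} missing")
        elif val != val.strip():  # stray whitespace is sent to the PKI verbatim
            problems.append(f"MetaConfigInfo.{key} has leading/trailing whitespace")
        elif PLACEHOLDER.search(val):
            problems.append(f"MetaConfigInfo.{key} still contains a placeholder")
        elif key == "profileId" and not UUID_RE.match(val):
            problems.append("MetaConfigInfo.profileId is not a UUID")
    return problems


# Constructed sample: the template with its placeholders left in and a
# trailing space after the profileId, a common copy-paste defect.
TEMPLATE = """{
  "EnrollmentURL": {"Value": "https://pki-services.securew2.com/enroll/<WORKFLOW_ID>"},
  "DeviceCertificate": {"Value": true},
  "RenewWindowDays": {"Value": 30},
  "MetaConfigInfo": {"Value": {"organizationId": "<ORG_ID>", "profileId": "<PROFILE_UUID> "}}
}"""
```

Run validate_policy on the file support sends you before uploading it in the "Policy for extensions" step; an empty list means every field is filled and well-formed.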

Configuring the JoinNow MultiOS Extension from the Google Admin Console

The SecureW2 JoinNow MultiOS extension must be installed on the Chromebooks so they can enroll for certificates. Here, we will configure the Google Admin Console to install the extension to the Chromebooks.

  • In the Google Admin console, navigate to the JoinNow MultiOS extension by clicking Chrome management -> User & browser settings -> Apps and Extensions.
  • On the left pane, select the organizational unit (OU) and go to USERS & BROWSERS.
  • Click the + option, and in the Add Chrome app or extension by ID pop-up, type the extension ID.
    • NOTE: You can reach out to SecureW2 support for the Certificate Auto-Enrollment Extension ID.
  • Click Save.

Enforce SecureW2 Certificate Auto-Enrollment Extension

With the JoinNow MultiOS extension configured on Chromebooks, the device settings can be configured to allow a seamless enrollment process.

  1. Go to Devices > Chrome > Apps & extensions.
  2. Select the OU and go to USERS & BROWSERS > SecureW2 Certificate Auto-Enrollment Extension and select Force install.
  3. In MANAGED GUEST SESSIONS, select SecureW2 Certificate Auto-Enrollment Extension, go to the Certificate management section, and enable Allow enterprise challenge.
  4. In the Policy for extensions section, upload the JSON file shared by the support team.
  5. Click Save.

Trusted Certificate Profile for RADIUS Server CA

You should configure the Trusted Certificate Profile with the certificate of your RADIUS server certificate’s issuing authority. This will make the devices trust your RADIUS server by validating the RADIUS server certificate. You can achieve this server validation in the profile configuration by adding the Root and/or Intermediate Certificate Authority (CA) certificates that issued the RADIUS server certificate. When you assign this profile, the Chromebooks receive the trusted certificates.

NOTE: For other RADIUS vendors, other than the SecureW2 RADIUS server, ensure that you have the Root or Intermediate CA that issues the RADIUS server certificates.

Export Trusted Root and Intermediate CA Certificates

This section lists the steps to export the RADIUS Server Root CA from the SecureW2 Management Portal. To export the SecureW2 RADIUS Server Certificate:

  • Click Network Profiles.
  • On the Network Profile you configured earlier, click the Edit link.
  • In the Certificates section, click Add/Remove Certificate.
  • Check the checkbox next to DigiCert Global Root CA (Mon Nov 10 00:00:00 UTC 2031) as shown in the following screen.
  • Click Update.
  • The CA appears in the Certificates section.
  • Click Download.

Configuring the RADIUS Server Certificate’s Issuer CA Chain from Google Admin Console

WPA2-Enterprise requires installing and configuring the trusted RADIUS Server Certificate’s Issuer CA chain to allow the device to connect to the Wi-Fi network securely. This is also handled by the Google Admin Console. The uploaded CA can later be selected as the trusted CA in the configured Wi-Fi Network.

  • Log in to the Google Admin Console.
  • Click on Device > Networks.
  • Click on Certificates.
  • Click Add Certificate to upload your RADIUS Server Certificate’s Issuer CA chain.
  • Click on Save.

Configure 802.1X Wi-Fi for Certificate-Based Authentication on Chromebook

The last thing we need to do is configure the network settings that will be pushed to our Chromebooks so that they will authenticate to our SSID using SecureW2 for certificate-based Wi-Fi authentication.

  • Go to the Google Admin Console
  • Click Device Management -> Network -> Wi-Fi -> Add Wi-Fi
  • Configure the Name and SSID of your Wi-Fi Network
  • Select the option to Connect Automatically.
  • Set the Security type to WPA/WPA2-Enterprise (802.1X)
  • Set the Extensible Authentication Protocol to EAP-TLS
  • For the Username field, type ${CERT_SAN_EMAIL} or ${CERT_SAN_UPN}
  • Under Server Certificate Authority, select a RADIUS Server Certificate’s Issuer CA chain you uploaded earlier
  • Under Client Enrollment URL, use: chrome-extension: (extension ID will be provided by the SecureW2 support team)
  • Under Issuer Pattern, enter the matching variables of the CA that will be using the Client Certificate (NOT the RADIUS Server Issuing CA)
    • NOTE: Currently, only matching on the Organization Name has been tested.
  • Under Apply Network, select By Device or By User, depending on the use case
  • Click Add -> Save.

Note: When moving the Chromebooks to the specific “OU” for enrollment of certificates, make sure the user also belongs to that specific “OU”.

Superior Google Chromebook SCEP Certificate Auto-Enrollment

With the last save, your network is now certificate-ready. The company may then complete any network configurations that will be delivered to the managed Chromebooks and begin the registration process. Managed Chromebooks will be enrolled for X.509 digital certificates, and all devices will be appropriately set up for secure 802.1X network access.

Support for uniquely identifying and reporting Chromebook devices has been introduced to SecureW2’s Management Portal. You can also auto-enroll for certificates and utilize powerful identification and device monitoring features for each network connection using a sophisticated Chrome Extension with Google-approved communications.

Are you ready to begin onboarding your own managed Chromebooks? We believe in constantly upgrading ourselves to keep our ever-expanding customer base ahead of the curve. If you’re keen to expand your cybersecurity horizons, here’s our pricing to learn more.


Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.
