Introduction
This guide describes the steps to integrate Google MDM services with SecureW2's Cloud Connector so that Chromebooks can enroll for digital certificates using the Simple Certificate Enrollment Protocol (SCEP).
Google's Cloud Certificate Connector is a Windows application that runs in your environment and relays SCEP requests between Google Cloud and your SCEP server over a secure link. You set it up and secure it by placing a configuration file and a service account key file, both specific to your organization, on the host that runs it.
Prerequisites
The following are the prerequisites to enrolling Chromebooks using SCEP:
- An active subscription to the JoinNow Management Portal.
- The Google Cloud Certificate Connector Windows application.
- Administrator privileges for shared device settings in the Google Admin console.
Configure SecureW2
This section describes the following procedures carried out in the JoinNow MultiOS Management Portal:
- Generating the required network profiles
- Creating a SecureW2 Intermediate CA
- Creating a Google Certificate Template
- Creating an API Gateway
- Creating Policy Engine Workflows, Enrollment, and Network policies
Creating an Intermediate CA for Google SCEP Gateway Integration
As a best practice, SecureW2 recommends dedicating a new intermediate CA to the JoinNow SCEP Gateway integration for Google SCEP-based Chromebook enrollment. Certificates obtained through the SCEP challenge secret are then issued under a CA that you can monitor, revoke or replace independently of the rest of your PKI. To create a new intermediate CA:
- Log in to the JoinNow MultiOS Management Portal.
- Navigate to Dynamic PKI > Certificate Authorities.
- Click Add Certificate Authority.
- In the Basic section, from the Generate CA For drop-down list, select Device and User Authentication.
- From the Type drop-down list, select Intermediate CA.
- From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
- In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes “SCEP.”
- From the Key Size drop-down list, select 2048 for the CA certificate key pair.
- From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
- In the Validity Period (in years) field, enter the validity period of the CA certificate.

- Click Save. The new intermediate CA is generated.
Creating a Certificate Template for Google SCEP
To create a Google Certificate Template:
- Navigate to Dynamic PKI > Certificate Authorities.
- Click Add Certificate Template.
- In the Basic section, for the Name field, enter the name of the certificate template.
- In the Subject field, enter CN=${/auth/displayName:/device/identity:/csr/subject/commonname}
- In the Display Description field, enter a suitable description for the certificate template.
- In the Validity Period field, type the validity period of the certificate (based on the requirement).
- From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.

- In the SAN section:
a. In the Other Name field, enter ${/auth/upn:/device/identity:/csr/san/othername}
b. In the RFC822 field, enter ${/auth/email:/device/identity:/csr/san/rfc822name}
c. In the DNS field, enter ${/device/computerIdentity:/device/buildModel:/csr/san/dnsname}
- In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.

- Click Save.
Generating a SCEP URL and Secret
To generate the SCEP URL and secret:
- From your JoinNow MultiOS Management Portal, go to Integrations Hub > Device Management Platforms.
- Click Add.
- Under the Basic section, in the Name field, enter the name of the API token.
- In the Description field, enter a suitable description for the API token.
- From the Type drop-down list, select SCEP Enrollment Token.
- From the Vendor drop-down list, select Google SCEP.
- From the Certificate Authority drop-down list, select the Intermediate CA created in Creating an Intermediate CA for Google SCEP Gateway Integration. If you do not select a CA, by default, the organization CA is chosen.
- Click Save. A .csv file containing the API Secret and URL is downloaded, and the Enrollment URL is displayed on the page. Treat the .csv file as a secret: the API Secret becomes the static SCEP challenge password entered in the Google SCEP profile, and anyone who obtains it together with the URL can request certificates from the selected CA.

Configuring a Policy Workflow
To configure a Policy Workflow:
- Navigate to Policy Management > Policy Workflows.
- Click Add Policy Workflow.
- In the Basic section, enter the name of the role policy in the Name field.
- In the Display Description field, enter a suitable description for the role policy.

- Click Save.
- The page refreshes, and the Conditions tab is displayed. Select the Conditions tab.
- From the Core Provider drop-down list, select the API token you created earlier (see the Generating a SCEP URL and Secret section).

- Click Update.
Creating Enrollment Policy
To add an Enrollment Policy, perform the following steps:
- Navigate to Policy Management > Enrollment.
- Click Add Enrollment Policy.
- Under the Basic section, in the Name field, enter the name of the enrollment policy.
- In the Display Description field, enter a suitable description for the enrollment policy.

- Click Save.
- The page refreshes, and the Conditions and Settings tabs are displayed.
- Select the Conditions tab.
- In the Conditions section, from the Role drop-down list, select the role policy you created earlier (see the Configuring a Policy Workflow section).
- From the Device Role drop-down list, select DEFAULT DEVICE ROLE POLICY.

- Select the Settings tab.
- In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for Google SCEP Gateway Integration section).
- From the Use Certificate Template drop-down list, select the template you created earlier (see the Creating a Certificate Template for Google SCEP section).
- In the other settings, retain the default values.

- Click Update.
Configuring Network Policy
To configure network policy:
- Go to Policy Management > Network Policies.
- Click Add Network Policy.
- In the Basic section, enter the name of the network policy in the Name field.
- In the Display Description field, enter a suitable description for the network policy.
- Click Save.
- Select the Conditions tab.
- Select Match All or Match Any based on your requirements to set authentication criteria.
- Click Add rule.

- Expand Identity and click Select adjacent to the Role option.

- Click Save.
- The Role option appears under the Conditions tab.
- From the Role Equals drop-down list, select the role policy you created earlier (see the Configuring a Policy Workflow section).
- Select the Settings tab.

- Click Add Attribute.
a. From the Attribute drop-down list, select an option.
b. From the Dictionary drop-down list, select Radius:IETF or Custom.
- Click Save.
Configuring Google Cloud Certificate Connector
- Log in to the Google Admin console.
- Navigate to Devices > Networks > Secure SCEP.

- Click Download Connector.

- Click Download in the Install Google Cloud certificate connector section. The .exe file downloads.
- Run the downloaded connector file (google-cloud-certificate-connector-setup.exe). The Google Cloud Certificate Connector Installer wizard opens.
Note: If Microsoft Defender displays an Unknown publisher warning, click Run Anyway, but only for the file you just downloaded from the Google Admin console; do not install a connector obtained from any other source.
- In the Welcome screen of the Cloud Certificate Connector wizard, click Next.

- In the License agreement screen, select the I accept the terms of the license agreement radio button and click Next.

- In the Installation type screen, select the Anyone who uses this computer radio button and click Next.

- In the Destination folder screen, keep the default destination folder on the C: drive and click Next.

- In the Program Folder screen, click Next.

- In the Windows services screen, enter the credentials (username and password) of the account that will run the service, then click Next. Use a dedicated, least-privilege service account rather than a personal or domain administrator account: this account will hold your SCEP configuration and the Google service account key.

NOTE: Enter the username in the computer\user or domain\user format.
- In the Start installation screen, click Next.

- When the installation finishes, the Installation Completed screen is displayed. Click Finish.

- Click DOWNLOAD in the Step 2: Download the connector configuration file section. The config.json file downloads.
- Navigate to the Get a Service Account key section and click Generate key. The key.json file downloads.

NOTE: Place the configuration and key files (config.json and key.json) in the Google Cloud Certificate Connector folder, typically C:\Program Files\Google Cloud Certificate Connector. key.json is a Google service account key: restrict NTFS permissions on both files to the service account and local administrators, keep no other copies of the key, and revoke and regenerate it if the host is ever compromised.
- Launch the Windows Services application. Right-click the Google Cloud Certificate Connector service and select the Start option.
Trusted Certificate Profiles
Trusted certificate profiles are created in the Google Workspace Admin console by uploading the SecureW2 intermediate CA certificate and the RADIUS server's root CA certificate, which gives Chromebooks the chain of trust for both enrollment and 802.1X authentication. The following sections describe how to export the two certificates and upload them.
Exporting the SecureW2 Intermediate CA
To export the SecureW2 Intermediate CAs from the JoinNow MultiOS Management Portal, follow the given steps.
- Log in to the JoinNow MultiOS Management Portal.
- Go to Dynamic PKI > Certificate Authorities.
- In the Certificate Authorities section, click the Download link for the Intermediate CA created earlier (see the Creating an Intermediate CA for Google SCEP Gateway Integration section). This certificate is imported when you set up the trusted certificate profile described in the following section.
Exporting the Trusted RADIUS Server Root CA Certificate
This section lists the steps to export the RADIUS server Root CA certificate from the JoinNow MultiOS Management Portal.
- Log in to the JoinNow MultiOS Management Portal.
- Navigate to Device Onboarding > Profiles.
- Click the Edit link of the network profile configured earlier.
- In the Certificates section, click Add/Remove Certificate.
- Select the checkbox next to DigiCert Global Root CA (Mon Nov 10 00:00:00 UTC 2031).

- Click Update.
- The CA appears in the Certificates section. Click Download.

Uploading Intermediate CA and RADIUS Server CA in Google Console
- Navigate to the Certificates section in the Google Admin console.
- Click ADD CERTIFICATE.
- In the Name field, enter a name for the certificate authority.
- Click Upload. Choose the Intermediate CA certificate downloaded earlier and click Open.

- Select the Enabled for Chromebook option.
- Click ADD.

Repeat the steps in this section to upload the RADIUS server root CA certificate downloaded in Exporting the Trusted RADIUS Server Root CA Certificate.
Configuring SCEP Profile in Google Console
- Log in to the Google Admin console.
- Navigate to Devices > Networks.
NOTE: To apply the profile to everyone, leave the top organizational unit selected; otherwise, choose a child organizational unit. Due to a known problem, we recommend configuring the SCEP profile separately for each organizational unit to which it should apply.
- After selecting the organizational unit, click Create SCEP Profile.
- Click Add Secure SCEP Profile.

- In the Device Platforms section, select Chromebook (Device).

- In the Subject name format section, select the Fully distinguished name radio button.
- In the Common name field, enter ${DEVICE_SERIAL_NUMBER}

- In the Subject alternative name field, choose Custom.
- From the Subject alternative name type drop-down, select RFC822. In the adjacent field, enter ${DEVICE_SERIAL_NUMBER}.
- In the Key usage field, select Key Encipherment. Note that EAP-TLS client authentication signs the TLS handshake, which requires the Digital Signature key usage; the extensions in the issued certificate are set by the issuing CA rather than by this request field alone, so check the Key Usage extension of the first certificate issued and confirm it includes Digital Signature.
- In the Key size (bits), select 2048.

- In the Security section, select Strict.
- In the SCEP server URL field, copy and paste the URL from the .csv file created in the Generating a SCEP URL and Secret section.
- In the Extended key usage field, select Client authentication.
- In the Challenge type, select Static. In the field for challenge, copy and paste the API Secret from the .csv file.

- In the Template name field, enter a name for the SCEP template.
- From the Certificate Authority drop-down, select the SecureW2 intermediate CA certificate you uploaded in Uploading Intermediate CA and RADIUS Server CA in Google Console.
- Click Save.

Configure 802.1X Wi-Fi for Certificate-Based Authentication on Chromebook
The last step is to configure the Wi-Fi network settings pushed to the Chromebooks so that they authenticate to your SSID with EAP-TLS, using the certificate enrolled through SecureW2.
- Navigate to Devices > Networks > Wi-Fi > Add Wi-Fi
- Under Platform access, select Enabled for Chromebooks (by device) option.

- In the Name field, enter a name for your Wi-Fi network.
- In the SSID field, enter a name for your broadcasting SSID.
- Enable the Automatically connect option.
- From the Security type drop-down, select WPA/WPA2-Enterprise (802.1X).
- Set the Extensible Authentication Protocol to EAP-TLS. Select Maximum TLS Version as 1.2.
- In the Username field, enter ${CERT_SAN_EMAIL} or ${CERT_SAN_UPN}.
- From the Server Certificate Authority drop-down, select the CA you uploaded for the RADIUS server certificate's issuer chain (the DigiCert Global Root CA exported earlier). This is what lets the Chromebook verify the RADIUS server before presenting its own certificate.

- From the SCEP profile drop-down, select the SCEP profile created in the earlier step.

- Under the DNS settings section, select Automatic name servers.
- Click Save.

Chromebooks in your organization can now enroll via SCEP. You can check successful device enrollment in the Google Admin console under Devices > Chrome > Devices.
Admins can also check for successful certificate enrollment under Data and Monitoring > General Events, where a Certificate Issued message is displayed for each enrolled Chrome device.
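Before relying on the enrollment end to end, it is worth checking an issued certificate against what the certificate template, the uploaded trust chain and the SCEP profile above are meant to produce: issuance under the dedicated SCEP intermediate (not merely under the organization root), an Extended Key Usage of Client Authentication, a Key Usage that includes Digital Signature, and a subject CN and rfc822 SAN that both carry the device serial, which is the identity the Wi-Fi policy's ${CERT_SAN_EMAIL} username depends on. The bash script below is an added example, not SecureW2's or Google's code. It uses OpenSSL to build a throwaway PKI that mirrors the chain in this guide (organization root, SCEP intermediate, device certificate) plus two deliberately wrong certificates, and runs the checks against all three; the organization names, the serial 5CD1234ABC and the file paths are made up. To check a real certificate exported from an enrolled Chromebook, call check_device_cert with that PEM file and the intermediate CA PEM downloaded from the JoinNow portal.

```shell
#!/usr/bin/env bash
# Added example, not SecureW2's or Google's code. Builds a throwaway PKI shaped
# like the chain this guide sets up (org root -> dedicated "SCEP" intermediate ->
# Chromebook certificate with CN/rfc822 SAN = device serial and EKU clientAuth)
# and runs the checks worth running on a certificate from an enrolled Chromebook.
# All names, serials and paths are made up. Needs OpenSSL 1.1.1 or later.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_cert <name> <subject> <signer-cert> <signer-key>   (X.509 extensions on stdin)
issue_cert() {
  local name="$1" subj="$2" ca="$3" key="$4"
  cat > "$WORK/$name.ext"          # the heredoc supplies the extension section
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$ca" -CAkey "$key" -CAcreateserial \
      -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

build_demo_pki() {
  # Organization root (stands in for the default Root CA in the JoinNow portal)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/O=Example Org/CN=Example Root CA" \
      -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" \
      -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Dedicated intermediate for SCEP, as the guide recommends
  issue_cert scep-int "/O=Example Org/CN=Example SCEP Intermediate CA" "$WORK/root.pem" "$WORK/root.key" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
  # Good device certificate: what the template plus the SCEP profile should produce
  issue_cert device "/CN=5CD1234ABC" "$WORK/scep-int.pem" "$WORK/scep-int.key" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=email:5CD1234ABC
EOF
  # Issued straight from the root, bypassing the SCEP intermediate: must be rejected
  issue_cert rogue "/CN=ROGUE0001" "$WORK/root.pem" "$WORK/root.key" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectAltName=email:ROGUE0001
EOF
  # Correct chain but serverAuth-only EKU: unusable for EAP-TLS, must be rejected
  issue_cert webonly "/CN=WEB0001" "$WORK/scep-int.pem" "$WORK/scep-int.key" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=email:WEB0001
EOF
}

# check_device_cert <cert.pem> <scep-intermediate.pem> <expected-serial>
# Returns 0 only if the certificate satisfies the trust chain and identity mapping
# that the Wi-Fi policy in this guide relies on.
check_device_cert() {
  local cert="$1" inter="$2" serial="$3" text
  # 1. Must chain to the SCEP intermediate itself (-partial_chain trusts only it, so a
  #    certificate issued by any other CA under the same root fails) and be usable as a
  #    TLS client: -purpose sslclient rejects a certificate whose keyUsage lacks
  #    digitalSignature or whose EKU lacks clientAuth.
  openssl verify -partial_chain -purpose sslclient -CAfile "$inter" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL $cert: not issued under the SCEP intermediate, or not a TLS client certificate"; return 1; }
  text="$(openssl x509 -in "$cert" -noout -text)"
  # 2. EKU must name clientAuth explicitly (template: Use Certificate For = Client Authentication)
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL $cert: extendedKeyUsage lacks clientAuth"; return 1; }
  # 3. Subject CN and the rfc822 SAN must both be the device serial, as the SCEP profile maps them
  printf '%s\n' "$text" | grep -Eq "Subject: .*CN *= *$serial(,|$)" \
    || { echo "FAIL $cert: subject CN is not the device serial"; return 1; }
  printf '%s\n' "$text" | grep -Eq "email:$serial(,|$)" \
    || { echo "FAIL $cert: rfc822 SAN is not the device serial"; return 1; }
  echo "OK   $cert"
}

build_demo_pki
check_device_cert "$WORK/device.pem"  "$WORK/scep-int.pem" 5CD1234ABC || true
check_device_cert "$WORK/rogue.pem"   "$WORK/scep-int.pem" ROGUE0001  || true
check_device_cert "$WORK/webonly.pem" "$WORK/scep-int.pem" WEB0001    || true
```

Two design choices matter here. Verifying with -partial_chain against the intermediate alone, rather than with -CAfile set to the root, is what catches a certificate issued by a different CA under the same root: that is the failure the dedicated SCEP intermediate is meant to make detectable. And -purpose sslclient applies the same key usage rules a TLS implementation does, which is why a certificate issued with Key Encipherment but without Digital Signature will fail this check even though the SCEP profile in the Admin console only offered Key Encipherment.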