Set up certificates for managed mobile and Chrome OS devices Set up certificates for managed mobile and Chrome OS devices

Set up certificates for managed mobile and Chrome OS devices

Rae Hopkins Rae Hopkins



Mobile devices: Supported editions for this feature: Enterprise; Education Standard and Plus; Cloud Identity Premium. Compare your edition

Chrome OS devices: Chrome Enterprise required for device-based certificates.


You can control user access to your organization’s Wi-Fi networks, internal apps, and internal websites on mobile and Chrome OS devices by distributing certificates from your on-premises Certificate Authority (CA). The Google Cloud Certificate Connector is a Windows service that securely distributes certificates and authentication keys from your Simple Certificate Enrollment Protocol (SCEP) server to users’ mobile and Chrome OS devices. Learn more

For Chrome OS devices, you can set up user-based or device-based certificates. A user certificate is added to a device for a specific user and accessible by that specific user. A device certificate is assigned based on the device and accessible by any user signed in to the device. For details, see Manage client certificates on Chrome devices.

If you want to control Wi-Fi network access for both mobile and Chrome OS devices, you’ll need to set up separate SCEP profiles and Wi-Fi networks because mobile devices and Chrome OS devices support different RSA key types.

Notes on key storage:

  • For mobile devices, private keys for the certificates are generated on Google servers. The keys are purged from Google servers after the certificate is installed on the device or 24 hours, whichever comes first.
  • For Chrome OS devices, private keys for the certificates are generated on the Chrome device. The corresponding public key is stored temporarily on Google servers and purged after the certificate is installed.

System requirements

  • Your organization uses Microsoft Active Directory Certificate Service for an SCEP server and the Microsoft Network Device Enrollment Service (NDES) to distribute certificates.
  • Mobile devices: iOS and Android devices under advanced mobile management. Learn more about device requirements.
  • Chrome OS devices:
    • Device certificates: Chrome OS version 89 or later and managed with Chrome Enterprise
    • User certificates: Chrome OS version 86 or later. Note: For versions earlier than 87, users must restart the device or wait a couple hours for the user certificate to get deployed.

Before you begin

  • If you need the certificate Subject name to use Active Directory usernames, you must sync your Active Directory and Google Directory with Google Cloud Directory Sync (GCDS). If necessary, set up GCDS.
  • If you haven’t already uploaded a CA certificate in the Google Admin console, add a certificate.
  • Review the known issues to avoid unexpected behavior.

Known issues

  • Certificates can’t be revoked after they’re installed on a device.
  • SCEP profiles don’t support dynamic challenges.
  • SCEP profile inheritance between organizational units can break down in some cases. For example, if you set a SCEP profile for an organizational unit and change a child organizational unit’s SCEP profile, none of the parent organizational unit’s SCEP profiles can be inherited by the child organizational unit again.
  • For mobile devices, SCEP profiles can’t be applied to VPN or Ethernet configurations, only Wi-Fi.
  • For Chrome OS devices, SCEP profiles can’t be directly applied to VPN or Ethernet configurations. To indirectly apply a SCEP profile to VPN or ethernet configurations, use issuer or subject patterns to auto-select which certificate to use.
  • For Chrome OS device users, certificates can only be deployed for users signed into a managed device. The user and device must belong to the same domain.

Step 1: Download the Google Cloud Certificate Connector

Perform the following steps on the SCEP server or a Windows computer with an account that can sign in as a service on the SCEP server. Have the account credentials available.

If your organization has several servers, you can use the same certificate connector agent on all of them. Download and install the installation file, configuration file, and key file on one computer as described in the following steps. Then, copy those three files to the other computer and follow the setup instructions on that computer.

Note: You download the Google Cloud Certificate Connector and its components only once, when you first set up certificates for your organization. Your certificates and SCEP profiles can share a single certificate connector.

  1. In your Google Admin console (at
  2. Go to Devices > Networks.

    Requires having the Shared device settings administrator privilege.

  3. Click Secure SCEPand thenDownload Connector.
  4. In the Google Cloud Certificate Connector section, click Download. The download creates a folder on your desktop that contains the certificate connector. We recommend you download the other connector configuration files to this folder.
  5. In the Download the connector configuration file section, click Download. The config.json file downloads.
  6. In the Get a service account key section, click Generate key. The key.json file downloads.
  7. Run the certificate connector installer.
    1. In the installation wizard, click Next.
    2. Accept the terms of the license agreement and click Next.
    3. Choose the account that the service is installed for and click Next. The account must have privileges to sign in as a service on the SCEP server.
    4. Select the installation location. We recommend using the default. Click Next.
    5. Enter your service account credentials and click Next. The service installs.
    6. Click Finish to complete the installation.
  8. Move the configuration and key files (config.json and key.json) into the Google Cloud Certificate Connector folder created during installation, typically: C:\Program Files\Google Cloud Certificate Connector.
  9. Launch the Google Cloud Certificate Connector service:
    1. Open Windows Services.
    2. Select Google Cloud Certificate Connector in the list of services.
    3. Click Start to start the service. Ensure that the status changes to Running. The service automatically restarts if the computer reboots.

If you download a new service account key later, restart the service to apply it.


Step 2: Add a SCEP profile

The SCEP profile defines the certificate that lets users access your Wi-Fi network. You assign the profile to specific users by adding it to an organizational unit. You can set up several SCEP profiles to manage access by organizational unit and by device type.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. In your Google Admin console (at
  2. Go to Devices > Networks.

    Requires having the Shared device settings administrator privilege.

  3. Click Create SCEP Profile.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unitNote: We recommend that you set the SCEP profile for each organizational unit you want the profile to apply to because of a known issue.
  5. Click Add Secure SCEP Profile.
  6. Enter the configuration details for the profile. If your CA issues a particular template, match the details of the profile to the template.
    • SCEP profile name—A descriptive name for the profile. The name is shown in the list of profiles and in the profile selector in the Wi-Fi network configuration.
    • Subject name format—Choose how you want to identify the certificate owner. If you select Fully Distinguished Name, the certificate Common Name is the user's username.
    • Subject alternative name—Provide an SAN. Default is None.

      For Chrome OS devices, you can define subject alternative names based on user and device attributes. To use a custom certificate signing request (CSR), configure the certificate template on the CA to expect and generate a certificate with the subject values defined in the request itself. At minimum, you need to provide a value for the subject's CommonName.

      You can use the following placeholders. All values are optional.

      • ${DEVICE_DIRECTORY_ID}—Device’s directory ID
      • ${USER_EMAIL}—Signed-in user’s email address
      • ${USER_EMAIL_DOMAIN}—Signed-in user’s domain name
      • ${DEVICE_SERIAL_NUMBER}—Device's serial number
      • ${DEVICE_ASSET_ID}—Asset ID assigned to device by administrator
      • ${DEVICE_ANNOTATED_LOCATION}—Location assigned to device by administrator
      • ${USER_EMAIL_NAME}—First part (part before @) of the signed-in user’s email address

      If a placeholder value isn’t available, it’s replaced with an empty string.

    • Signing algorithm—The hash function used to encrypt the authorization key. Only SHA256 with RSA is available.
    • Key usage—Options for how to use the key, key encipherment and signing. You can select more than one.
    • Key size (bits)—The size of the RSA key. For Chrome OS devices, select 2048.
    • SCEP server URL—The URL of the SCEP server.
    • Certificate validity period (years)—How long the device certificate is valid. Enter as a number.
    • Renew within days—How long before the device certificate expires to try to renew the certificate.
    • Extended key usage—How the key can be used. You can choose more than one value.
    • Challenge type—To require Google to provide a specified challenge phrase when it requests a certificate from the SCEP server, select Static and enter the phrase. If you select None, the server doesn’t require this check.
    • Template name—The name of the template used by your NDES server.
    • Certificate Authority—The name of a certificate you uploaded to use as the Certificate Authority.
    • Network type this profile applies to​—The type of networks that use the SCEP profile.
    • Platforms this profile applies to—The device platforms that use the SCEP profile. For Chrome OS devices, make sure to check Chromebook (user)Chromebook (device), or both, depending on the type of certificate you want to deploy.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

After you add a profile, it's listed with its name and the platforms its enabled on. In the Platform column, the profile is enabled for platforms with blue icons and disabled for platforms with grey icons. To edit a profile, point to the row and click Edit"".

The SCEP profile is automatically distributed to users in the organizational unit.


Step 3: Configure the Google Cloud Certificate Connector's keystore

If your certificate is issued by a trusted CA or your SCEP server URL starts with HTTP, skip this step.

If your certificate isn’t issued by a trusted CA, such as a self-signed certificate, you need to import the certificate to the Google Cloud Certificate Connector keystore. Otherwise, the device certificate can’t be provisioned and the device can’t connect.

  1. Sign in to your CA.
  2. If a Java JRE isn’t already installed, install one so that you can use keytool.exe.
  3. Open a command prompt.
  4. Export your CA certificate and convert it to a PEM file by running the following commands:
    certutil ‑ca.cert C:\root.cer
    certutil ‑encode cacert.cer cacert.pem
  5. Import the CA certificate to the keystore. From the subdirectory of the Google Cloud Certificate Connector folder created during installation, typically C:\Program Files\Google Cloud Certificate Connector, run the following command:

    java-home-dir\bin\keytool.exe ‑import ‑keystore rt\lib\security\cacerts ‑trustcacerts ‑file cert-export-dir\cacert.pem ‑storepass changeit

    Replace java-home-dir with the path to the JRE in the Google Cloud Certificate Connector folder and cert-export-dir with the path to the certificate you exported in step 4.

Step 4: Configure Wi-Fi networks to require the SCEP profile (Optional)

After users’ mobile or Chrome OS devices receive certificates from the SCEP server, you can configure Wi-Fi networks to require certificate authentication.

To control Wi-Fi network access for both mobile and Chrome OS devices, set up separate Wi-Fi networks for each. For example, set up one Wi-Fi network for mobile devices and assign a SCEP profile for mobile devices to it, and set up another Wi-Fi network for Chrome OS devices and assign a SCEP profile for Chrome OS devices.

To select the certificate and apply the SCEP profile to a Wi-Fi network:

  1. Add a Wi-Fi configuration or edit an existing configuration.
  2. In the Platform access section, check the box for Android or iOS, or both.
  3. In the Details section, set the following:
    1. For Security settings, select WPA/WPA2 Enterprise (802.1 X) or Dynamic WEP (802.1 X).
    2. For the Extensible Authentication Protocol, select EAP-TLS or EAP-TTLS.
    3. For SCEP profile, select the SCEP profile you want to apply to this network.
  4. Click Save.

Now the first time that users try to connect to the Wi-Fi network, their device must provide the certificate.

  • For Android and Chrome OS devices, the certificate corresponding to their SCEP profile and the network are automatically filled in, and the user clicks Connect.
  • For iOS devices, the user must choose the certificate to use and then click Connect.