Onboard Chromebooks with certificates using Google Workspace and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud certificates via Google Workspace SCEP to manage Chromebook (ChromeOS) devices.

Important: Before you can deploy Portnox Cloud certificates via Google Workspace and SCEP, you must complete the following steps:

  • Integrate Portnox Cloud and Google Workspace

  • Prepare a physical or virtual Windows server that can access Portnox Cloud SCEP services (has access to the Internet), where you will install the Google connector.

  • Make sure that the Google administrator account that you will use for this configuration has the Shared Device Settings privileges.

Download and install the Google connector

In this section, you will download and install the Google Cloud Certificate Connector software on a Windows server. Google Workspace needs this connector to connect to the Portnox™ Cloud SCEP server.

When a device managed by Google Workspace needs a certificate to connect to a managed network, the Google Cloud creates a SCEP request for that device. The Google Cloud Certificate Connector, running on a Windows server, polls the Google Cloud for any new requests every 30 seconds. If it finds a new request, the connector contacts the SCEP server, gets the certificate, sends it back to Google Cloud, and then Google Cloud propagates the certificate to the managed device.

Do the following steps on the Windows server prepared earlier.

  1. Open the Google Workspace admin console and access the Devices > Networks > SCEP pane by visiting the following URL: admin.google.com/ac/networks/scep.
  2. Click on the DOWNLOAD CONNECTOR link to download the Google connector. Then, follow the installation steps to complete installation.

  3. In Step 2 of Google instructions, click on the DOWNLOAD button to download the connector configuration file (config.json).

  4. In Step 3 of Google instructions, click on the GENERATE KEY button to generate and download the connector key (key.json).

  5. Move the downloaded files (config.json and key.json) to the installation folder as indicated by Google during the installation.

  6. Open the Windows Services application, find the Google Cloud Certificate Connector service, right-click on it, and select the Start option from the context menu.

    If the service doesn’t start, check if the user that you selected earlier has privileges to log on as a service (Local Security Policy > Local Policies > User Rights Assignment > Log on as a service).

Google connector logs are visible in the Event Viewer under Windows Logs > Application.

If you need to change the connector configuration, for example, download a new key, place new files in the installation directory and restart the service.

Note: If the Event Viewer shows warnings with the following description: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable time frame, check if your Windows server clock is synchronized with the universal clock.
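The following PowerShell script is an added health check for the connector host; it is not part of the Portnox or Google documentation. It gathers, in one run, the items this section tells you to inspect by hand: the service state, whether the service account holds the "Log on as a service" right, the clock synchronisation status, and the recent connector entries in the Application log, including the "Invalid JWT" warning described in the note above. It assumes the service display name is exactly "Google Cloud Certificate Connector" as shown in the Services console, and that the connector's event-log entries can be matched by a provider name containing "Google"; adjust $ServiceDisplayName and $ProviderFilter if your installation differs. Run it in an elevated PowerShell session on the Windows server where the connector is installed.

```powershell
# Added health check for the Google Cloud Certificate Connector host.
# Not Portnox or Google code. Run in an elevated PowerShell session on the
# Windows server where the connector is installed.
# Assumptions: $ServiceDisplayName matches the name shown in services.msc and
# $ProviderFilter matches the provider name of the connector's Application-log
# entries (both are assumptions; adjust them for your installation).

$ServiceDisplayName = 'Google Cloud Certificate Connector'   # as shown in services.msc
$ProviderFilter     = '*Google*'                              # assumed provider-name pattern
$LookbackMinutes    = 60

# 1. Is the service installed and running?
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceDisplayName' not found. Was the connector installed on this server?"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$ServiceDisplayName' is $($svc.Status). Start it from services.msc or with Start-Service."
} else {
    Write-Host "Service '$ServiceDisplayName' is running."
}

# 2. Does the service account hold the 'Log on as a service' right (SeServiceLogonRight)?
#    Without it the service does not start (see the note on the Start step above).
$logon = (Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'").StartName
Write-Host "Service log-on account: $logon"
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -ExpandProperty Line
Remove-Item $cfg -ErrorAction SilentlyContinue
Write-Host "SeServiceLogonRight = $right"
Write-Host "If the log-on account (or the SID it maps to) is not listed above, grant the right in Local Security Policy."

# 3. Clock synchronisation: the connector authenticates to Google with short-lived
#    JWTs, so a skewed clock produces the 'Invalid JWT: Token must be a short-lived
#    token' warning. Compare 'Last Successful Sync Time' and 'Source' with expectations.
w32tm /query /status

# 4. Recent connector entries in the Application log, warnings and errors first.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue
$events |
    Where-Object { $_.ProviderName -like $ProviderFilter } |
    Sort-Object Level, TimeCreated |
    Select-Object TimeCreated, LevelDisplayName, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 5. Flag the JWT clock-skew warning explicitly, regardless of provider name.
$jwt = @($events | Where-Object { $_.Message -like '*Invalid JWT*' })
if ($jwt.Count -gt 0) {
    Write-Warning "$($jwt.Count) 'Invalid JWT' warning(s) in the last $LookbackMinutes minutes: fix time synchronisation (for example 'w32tm /resync') and restart the service."
}
```

The secedit export is the same data the Local Security Policy console shows under User Rights Assignment; accounts may appear there as SIDs (*S-1-5-...), which is why the script prints the raw line rather than trying to match the account name.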

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip to the step in which you get the Cloud SCEP URL and password.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > SCEP Services option.

  3. Enable integration with SCEP services.

    1. Click on the Edit link.
    2. Activate the Enable integration checkbox.
    3. Click on the Save button.
  4. Click on the  ⧉  icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
  5. Click on the  ⧉  icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.
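Before continuing to the Google Workspace side, it is worth confirming from the connector host that the SCEP URL you just copied is actually reachable, because the prerequisite for this guide is that the Windows server can reach the Portnox Cloud SCEP service. The script below is an added check and is not Portnox or Google code. $ScepUrl is a placeholder for the URL copied in step 4; the SCEP password from step 5 is not needed and is never sent. The request uses the standard SCEP GetCACert operation defined in RFC 8894; whether the Portnox Cloud endpoint answers that operation with its CA certificate is an assumption not confirmed by this guide, so treat the TCP and TLS results as the primary outcome and the decoded certificate as a bonus.

```powershell
# Added reachability check for the Portnox Cloud SCEP URL. Not Portnox or Google code.
# Run on the Windows server that hosts the Google connector, because that is the host
# that must reach the SCEP service. $ScepUrl is a placeholder for the URL copied from
# the Cloud portal. The SCEP password is not used here.

$ScepUrl = 'https://<paste-the-SCEP-URL-copied-from-the-Cloud-portal>'   # placeholder

$uri = [Uri]$ScepUrl   # Uri.Port resolves to 443 for https when no port is given

# 1. TCP reachability (outbound firewall / proxy rules on this server).
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "No TCP connection to $($uri.Host):$($uri.Port). Check outbound firewall and proxy settings for this server."
}
Write-Host "TCP $($uri.Host):$($uri.Port) reachable."

# 2. HTTPS request with the standard SCEP GetCACert operation (RFC 8894).
#    Assumption: the Portnox Cloud endpoint honours this operation. Even if it does
#    not, the exception text tells you whether the TLS handshake itself succeeded.
$sep   = if ($ScepUrl -match '\?') { '&' } else { '?' }
$query = "$ScepUrl${sep}operation=GetCACert"
$tmp   = Join-Path $env:TEMP 'scep-getcacert.bin'
try {
    $resp = Invoke-WebRequest -Uri $query -UseBasicParsing -TimeoutSec 30 -OutFile $tmp -PassThru
} catch {
    # 'Could not establish trust relationship' means TLS validation failed on this
    # host (typically proxy interception or missing public roots); anything else is
    # an HTTP or network-level failure.
    throw "GetCACert request failed: $($_.Exception.Message)"
}
$ctype = [string]$resp.Headers['Content-Type']
Write-Host "HTTP $($resp.StatusCode) $ctype"

# 3. If the reply is a CA certificate (bare DER) or a CA/RA bundle (degenerate
#    PKCS#7), decode it and show what the SCEP service presents as its issuing CA.
#    Compare the Subject with the tenant CA you download later in this guide.
if ($ctype -like 'application/x-x509-ca*') {
    $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $col.Import([System.IO.File]::ReadAllBytes($tmp))   # Import accepts either encoding
    $col | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
}
Remove-Item $tmp -ErrorAction SilentlyContinue
```

A successful TCP test with a failing HTTPS request usually points at a TLS-intercepting proxy or a missing root on the server, which would also break the connector's own calls; fix that on the server rather than weakening certificate validation.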

Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal and convert it to the Base-64 encoded X.509 format.

You need the root CA certificate so that your managed devices can verify the validity of cloud RADIUS servers, which have certificates signed by this root CA certificate. If the root CA certificate is not distributed to managed devices, some devices may show a security warning each time that the user connects to networks managed by Portnox Cloud.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > CLEAR RADIUS SERVICE > CLEAR RADIUS instance option.

    The right-hand pane shows the list of active servers.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk. The default name of the file is rootCertificate.cer.

  5. In Windows, double-click on the downloaded file. In the Open File - Security Warning window, click on the Open button.

    The file will be opened in the Windows certificate manager.

  6. In the Certificate window, click on the Details tab and then click on the Copy to File button.

  7. In the Certificate Export Wizard, export the certificate in base-64 encoded format.

    1. In the first step of the wizard, click on the Next button.
    2. In the second step of the wizard, select the Base-64 encoded X.509 (.CER) option.
    3. In the third step of the wizard, select a file to save the exported root CA certificate, and click on the Next button.

      For example, save the file as rootCertificate.cer, replacing the file downloaded earlier.

    4. In the last step of the wizard, click on the Finish button. Then, close the Certificate window.

Download the tenant CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal and convert it to the Base-64 encoded X.509 format.

You need the tenant CA certificate from Portnox Cloud so that your managed devices can verify the validity of individual SCEP certificates, which are signed using the tenant CA certificate.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Trusted Root Certificates option.

  3. In the Trusted Root Certificates section, click on the Download link, then save the downloaded file.

    The default name of the file is Your_tenant_name - Portnox CLEAR.pfx, for example, Portnox - Portnox CLEAR.pfx.

  4. Copy the value of the Issued to field in this section to a text file. You will need it when you create a Wi-Fi profile in Google Workspace.
  5. In Windows, right-click on the downloaded file and select Open from the context menu.

    The file will be opened in the Windows certificate manager.

  6. In the certificate manager window, open the Certificates section in the left-hand pane and then double-click on Portnox - Portnox CLEAR in the right-hand side pane.

  7. In the Certificate window, click on the Details tab and then click on the Copy to File button.

  8. In the Certificate Export Wizard, export the certificate in base-64 encoded format.

    1. In the first step of the wizard, click on the Next button.
    2. In the second step of the wizard, select the Base-64 encoded X.509 (.CER) option.
    3. In the third step of the wizard, select a file to save the exported tenant CA certificate, and click on the Next button.

      For example, save the file as tenantCertificate.cer.

    4. In the last step of the wizard, click on the Finish button. Then, close the Certificate window.
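The two Certificate Export Wizard procedures above (the root CA certificate and the tenant CA certificate) can also be done from PowerShell, which is handy when you repeat them for several tenants or want a scripted check. The script below is an added example, not Portnox or Google code. The file paths are placeholders that follow this guide's example file names; the output is the same Base-64 encoded X.509 (.CER) format the wizard produces, and the script reads back each written file to confirm it round-trips. It also prints the "Issued to" value of the tenant CA certificate, which is the value step 4 of the tenant CA section tells you to copy for the Wi-Fi profile's Issuer pattern, and checks that both certificates actually carry the CA flag and are not expired.

```powershell
# Added command-line alternative to the Certificate Export Wizard steps above.
# Not Portnox or Google code. Paths are placeholders that follow this guide's
# example file names; run in PowerShell on the Windows server.

$RootCer   = 'C:\certs\rootCertificate.cer'            # downloaded from the CLEAR RADIUS instance page
$TenantPfx = 'C:\certs\Portnox - Portnox CLEAR.pfx'    # downloaded from Trusted Root Certificates
$OutDir    = 'C:\certs\base64'                         # where the Base-64 (.cer) copies are written

function ConvertTo-Base64Cer {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $Path
    )
    # Same result as the wizard's "Base-64 encoded X.509 (.CER)" option:
    # PEM armour around the DER bytes, 64 characters per line, ASCII file.
    $b64 = [Convert]::ToBase64String($Certificate.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    [System.IO.File]::WriteAllText($Path, $pem, [System.Text.Encoding]::ASCII)
    # Round-trip check: the written file must load back as the same certificate.
    $back = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($back.Thumbprint -ne $Certificate.Thumbprint) { throw "Round-trip mismatch for $Path" }
    return $Path
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Root CA: the downloaded file may be DER or already Base-64; the X509Certificate2
# constructor accepts both, and the function always writes Base-64.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCer)
ConvertTo-Base64Cer -Certificate $root -Path (Join-Path $OutDir 'rootCertificate.cer')

# Tenant CA: the .pfx is a PKCS#12 container. Get-PfxCertificate prompts for a
# password only when the file requires one; only the public certificate is written.
$tenant = Get-PfxCertificate -FilePath $TenantPfx
ConvertTo-Base64Cer -Certificate $tenant -Path (Join-Path $OutDir 'tenantCertificate.cer')

# Sanity checks: both must be CA certificates (Basic Constraints CA=TRUE) and unexpired.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
foreach ($c in @($root, $tenant)) {
    $bc = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [pscustomobject]@{
        IssuedTo   = $c.GetNameInfo($nameType, $false)   # what the Windows viewer shows as "Issued to"
        Issuer     = $c.Issuer
        IsCA       = if ($bc) { $bc.CertificateAuthority } else { $false }
        Expired    = $c.NotAfter -lt (Get-Date)
        NotAfter   = $c.NotAfter
        Thumbprint = $c.Thumbprint
    }
}

# The tenant CA's "Issued to" value is what the Wi-Fi profile's Issuer pattern
# Common name field expects later in this guide; print it verbatim for pasting.
Write-Host "Issuer pattern Common name: $($tenant.GetNameInfo($nameType, $false))"
```

If IsCA comes back False for either file, you have exported the wrong certificate (for example a server certificate instead of the CA), and the Google Workspace profiles built on it will not validate anything.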

Create a profile for the root CA certificate

In this section, you will create a profile in Google Workspace for the downloaded Portnox™ Cloud root CA certificate.

  1. Open the Google Workspace admin console and access the Devices > Networks > Certificates pane by visiting the following URL: admin.google.com/ac/networks/certificates.
  2. In the Organizational units section, select a specific organizational unit if you want this profile to apply only to the selected organizational unit. Otherwise, leave the default top organizational unit selected.
  3. Click on the ADD CERTIFICATE link.

    The Add certificate pane opens.

  4. In the Add certificate pane, enter the name for the profile and then click on the UPLOAD button. Then, select the root CA certificate downloaded and converted earlier.

    In this example, we used the name Portnox Cloud root CA, but you can use any name you like.

    You will see basic information about the root CA certificate.

  5. In the Certificate Authority section of the Add certificate pane, select Chromebook and optionally all other managed device platforms that you will use this certificate with, and then click on the Add button.

Result: You created a profile for the Portnox Cloud root CA certificate.

Create a profile for the tenant CA certificate

In this section, you will create a profile in Google Workspace for the downloaded Portnox™ Cloud tenant CA certificate.

  1. Open the Google Workspace admin console and access the Devices > Networks > Certificates pane by visiting the following URL: admin.google.com/ac/networks/certificates.
  2. In the Organizational units section, select a specific organizational unit if you want this profile to apply only to the selected organizational unit. Otherwise, leave the default top organizational unit selected.
  3. Click on the ADD CERTIFICATE link.

    The Add certificate pane opens.

  4. In the Add certificate pane, enter the name for the profile and then click on the UPLOAD button. Then, select the tenant CA certificate downloaded and converted earlier.

    In this example, we used the name Portnox Cloud tenant CA, but you can use any name you like.

    You will see basic information about the tenant CA certificate.

  5. In the Certificate Authority section of the Add certificate pane, select Chromebook and optionally all other managed device platforms that you will use this certificate with, and then click on the Add button.

Result: You created a profile for the Portnox Cloud tenant CA certificate.

Create a secure SCEP profile

In this section, you will create a secure SCEP profile in Google Workspace. The secure SCEP profile lets devices managed by Google Workspace contact the Portnox™ Cloud SCEP server via the connector.

  1. Open the Google Workspace admin console and access the Devices > Networks > SCEP pane by visiting the following URL: admin.google.com/ac/networks/scep.
  2. In the Organizational units section, select a specific organizational unit if you want this profile to apply only to the selected organizational unit. Otherwise, leave the default top organizational unit selected.
  3. Click on the ADD SECURE SCEP PROFILE link to create a secure SCEP profile.

    The Add Secure SCEP pane opens.

    Note: Adjust the values proposed below to your requirements and your environment, if needed.
  4. In the Device platforms section of the Add Secure SCEP pane, activate the Chromebook (user) checkbox.

    Important: When managing Chromebooks using Google Workspace, you can only use user certificates for your Chromebooks with Portnox Cloud. This is because Google Workspace does not create device-based accounts in its authentication repository, so there is no way for Portnox Cloud to know your list of devices and to be able to authenticate based on any device identifiers. This also means you cannot use SCEP-based authentication in the managed guest mode, which is not associated with any Google user.
  5. In the SCEP profile name section, enter the SCEP profile name for this secure SCEP profile.

    In this example, we used the name Portnox Cloud SCEP User, but you can use any name you like.

  6. In the Subject name format section, select the Fully Distinguished Name option.
    1. In the Common name field, enter ${USER_EMAIL} as a variable to set subject common names for generated certificates.

    2. Optionally, in other fields, enter text information relevant to your organization.
  7. In the Subject alternative name section, select the Custom option. Then, click on the  +  icon to add SANs and add a User Principal entry with the ${USER_EMAIL} variable string.

    Note: By default, Portnox Cloud checks for the identity information in the SAN UPN field. You can use a different SAN field, but it is not recommended. For more information, see the following topic: Certificate identity information.
  8. In the Key usage section, select the Key encipherment option.
  9. In the SCEP server attributes section:
    1. In the SCEP server URL field, copy and paste the SCEP URL that you saved in the previous task in this series.

    2. In the Extended key usage field, select the Client authentication option.
    3. In the Challenge type field, select the Static option and then copy and paste the SCEP password that you saved in the previous task in this series.

    4. In the Certificate Authority field, select the tenant CA certificate profile that you created in the earlier task.

      Note: Do not select the root CA certificate here. The root CA certificate is used in the Wi-Fi profile to confirm the identity of the cloud RADIUS servers.
    5. In the Network type this profile applies to field, activate the Wi-Fi checkbox.
  10. For other fields, leave the default values or adjust values to your requirements and your environment, if needed.
  11. Click on the Save button to save your secure SCEP profile.

Result: You created a trusted SCEP profile.

Note: If you are trying to add a trusted SCEP profile but no profiles appear in the list, check if your Google Workspace has an active Chrome Enterprise Upgrade subscription. Trusted SCEP profiles are available only with the Chrome Enterprise Upgrade.

Create a Wi-Fi profile

In this section, you will create a Wi-Fi profile in Google Workspace for Chromebooks managed by Portnox™ Cloud.

  1. Open the Google Workspace admin console and access the Devices > Networks > Wi-Fi pane by visiting the following URL: admin.google.com/ac/networks/wifi.
  2. In the Organizational units section, select a specific organizational unit if you want this profile to apply only to the selected organizational unit. Otherwise, leave the default top organizational unit selected.
  3. Click on the ADD WI-FI link.

    The Add Wi-Fi pane opens.

  4. In the Platform access section of the Add Wi-Fi pane, activate the Enabled checkbox in the Chromebooks (by user) section.

  5. In the Details section, enter a friendly name for the Wi-Fi profile in the Name field and enter the network SSID in the SSID field.

    Note: The value of the Name field is used only in Google Workspace for organizational purposes. Users see the network SSID in their Chromebooks network configuration.
  6. In the Security settings section, in the Security Type field, select the WPA/WPA2 Enterprise (802.1X) option and in the Extensible Authentication Protocol field that appears, select the EAP-TLS option.

  7. In the Server Certificate Authority field, select the root CA profile you created in the earlier task.

    Note: This root certificate is used to validate the RADIUS server. Do not select the tenant CA certificate here. The tenant CA certificate is used in SCEP profiles to verify the validity of SCEP certificates.
  8. In the Username field, enter the username for administering the network.

    You can use any username you like. This field is required by Google Workspace but it is not used in practice.

  9. In the SCEP profile field, select the trusted SCEP profile you created in the earlier task.

  10. In the Issuer pattern section, in the Common name field, paste the issuer name that you copied from Portnox Cloud in the earlier task.

  11. For other fields, leave the default values or adjust values to your requirements and your environment, if needed, then click on the SAVE button to save the Wi-Fi profile.

Result: You created a Wi-Fi profile for the network managed by Portnox Cloud.

Test your configuration on a managed Chromebook

In this section, you will test the configuration you created in Google Workspace by connecting a Chromebook to the network managed by Portnox™ Cloud.

  1. Turn on your Chromebook and log in using your managed Google account.
  2. Click on the  ⌔  icon in the notification area to open the Status Tray.

  3. Click on the  ▼  icon next to the current network name in the Status Tray to show the list of available Wi-Fi networks.

  4. Click on the name of the network managed by Portnox Cloud to connect to it.

    The symbol on the right side of the network SSID confirms that this network is managed by the organization.

Important: The first time you connect to the network, the connection may take a long time – approximately a minute. This is because Google Workspace needs to wait for the Google connector to poll the cloud and check for new SCEP requests, and the Google connector does that every 30 seconds. After the Google connector polls the cloud and finds the new request, it must connect to the Portnox Cloud SCEP server, receive a reply, and then send that reply to the Google cloud during the next poll in 30 seconds. Then, the Google Cloud must send the certificate to your Chromebook, and you can connect to the network.