Onboard Chromebooks with certificates using Google Workspace and SCEP

In this topic, you will learn how to deploy Portnox™ Cloud certificates via Google Workspace SCEP to manage Chromebook (ChromeOS) devices.

Important:

Before you can deploy Portnox Cloud certificates via Google Workspace and SCEP, you must complete the following steps:

  • Integrate Portnox Cloud and Google Workspace

  • Prepare a physical or virtual Windows server that can access Portnox Cloud SCEP services (has access to the Internet), where you will install the Google connector.

  • Make sure that the Google administrator account that you will use for this configuration has the Shared Device Settings privileges.

Download and install the Google connector

In this section, you will download and install the Google Cloud Certificate Connector software on a Windows server. Google Workspace needs this connector to connect to the Portnox™ Cloud SCEP server.

When a device managed by Google Workspace needs a certificate to connect to a managed network, the Google Cloud creates a SCEP request for that device. The Google Cloud Certificate Connector, running on a Windows server, polls the Google Cloud for any new requests every 30 seconds. If it finds a new request, the connector contacts the SCEP server, gets the certificate, sends it back to Google Cloud, and then Google Cloud propagates the certificate to the managed device.

Do the following steps on the Windows server prepared earlier.

  1. Open the Google Workspace admin console and access the Devices > Networks > SCEP pane by visiting the following URL: admin.google.com/ac/networks/scep.
  2. Click on the DOWNLOAD CONNECTOR link to download the Google connector.

  3. In Step 1 of the Google instructions, click on the DOWNLOAD button to download the installer for the connector.

  4. On Windows, run the downloaded file (google-cloud-certificate-connector-setup.exe) to start the Google Cloud Certificate Connector Installer wizard.
    Note: If Microsoft Defender SmartScreen displays an Unknown publisher warning, click on the Run anyway button.
    1. In the Welcome step of the Google Cloud Certificate Connector Installer wizard, click on the Next button.

    2. In the License agreement step of the Google Cloud Certificate Connector Installer wizard, select the I accept the terms of the license agreement radio button and then click on the Next button.

    3. In the Installation type step of the Google Cloud Certificate Connector Installer wizard, select the Anyone who uses this computer radio button and then click on the Next button.

    4. In the Destination folder step of the Google Cloud Certificate Connector Installer wizard, keep the default destination folder and click on the Next button.

    5. In the Program folder step of the Google Cloud Certificate Connector Installer wizard, click on the Next button.

    6. In the Windows services step of the Google Cloud Certificate Connector Installer wizard, enter the credentials of the user to run the service and click on the Next button.

      Note: Make sure that you enter the user name in the computer\user or domain\user format.
    7. In the Start installation step of the Google Cloud Certificate Connector Installer wizard, click on the Next button.

    8. In the Installation completed step of the Google Cloud Certificate Connector Installer wizard, click on the Finish button.

  5. In Step 2 of the Google instructions, click on the DOWNLOAD button to download the connector configuration file (config.json).

  6. In Step 3 of the Google instructions, click on the GENERATE KEY button to generate and download the connector key (key.json).

  7. Move the downloaded files (config.json and key.json) to the installation folder (C:\Program Files\Google Cloud Certificate Connector\).

  8. Open the Windows Services application, find the Google Cloud Certificate Connector service, right-click on it, and select the Start option from the context menu.

    If the service doesn’t start, check if the user that you selected earlier has privileges to log on as a service (Local Security Policy > Local Policies > User Rights Assignment > Log on as a service).

Google connector logs are visible in the Event Viewer under Windows Logs > Application.

If you need to change the connector configuration, for example, after downloading a new key, place the new files in the installation directory and restart the service.

Note: If the Event Viewer shows warnings with the following description: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable time frame, check if your Windows server clock is synchronized with a reliable time source (UTC). The connector signs short-lived tokens with the key from key.json, and Google rejects them if the server clock is skewed.

Turn on the Portnox Cloud SCEP services

In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.

If you have previously turned on the Portnox Cloud SCEP services, skip to the step in which you get the Cloud SCEP URL and password.

Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR GENERAL SETTINGS heading.

    More options appear under the CLEAR GENERAL SETTINGS heading and description.

  3. Enable integration with SCEP services.

    1. Scroll down to the SCEP SERVICES section.
    2. Click on the Edit link.
    3. Activate the Enable integration checkbox.
    4. Click on the Save button.

  4. Click on the  ⧉  icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
  5. Click on the  ⧉  icon next to the Password field to copy the SCEP password, and paste it in a text file for later use.

Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal and convert it to the Base-64 encoded X.509 format.

You need the root CA certificate so that your managed devices can verify the validity of cloud RADIUS servers, which have certificates signed by this root CA certificate. If the root CA certificate is not distributed to managed devices, some devices may show a security warning each time that the user connects to networks managed by Portnox Cloud.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR RADIUS SERVICE heading.

    The active servers appear under the CLEAR RADIUS SERVICE heading and description along with advanced options.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk. The default name of the file is rootCertificate.cer.

  5. In Windows, double-click on the downloaded file. In the Open File - Security Warning window, click on the Open button.

    The file will be opened in the Windows certificate manager.

  6. In the Certificate window, click on the Details tab and then click on the Copy to File button.

  7. In the Certificate Export Wizard, export the certificate in base-64 encoded format.

    1. In the first step of the wizard, click on the Next button.
    2. In the second step of the wizard, select the Base-64 encoded X.509 (.CER) option.
    3. In the third step of the wizard, select a file to save the exported root CA certificate, and click on the Next button.

      For example, save the file as rootCertificate.cer, replacing the file downloaded earlier.

    4. In the last step of the wizard, click on the Finish button. Then, close the Certificate window.

Download the tenant CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal and convert it to the Base-64 encoded X.509 format.

You need the tenant CA certificate from Portnox Cloud so that your managed devices can verify the validity of individual SCEP certificates, which are signed using the tenant CA certificate.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR GENERAL SETTINGS heading.

    More options appear under the CLEAR GENERAL SETTINGS heading and description.

  3. Scroll down to the TRUSTED ROOT CERTIFICATES section and click on the Download link, then save the downloaded file.

    The default name of the file is Your_tenant_name - Portnox CLEAR.pfx, for example, Portnox - Portnox CLEAR.pfx.

  4. Copy the value of the Issued to field in this section to a text file. You will need it when you create a Wi-Fi profile in Google Workspace.
  5. In Windows, right-click on the downloaded file and select Open from the context menu.

    The file will be opened in the Windows certificate manager.

  6. In the certificate manager window, open the Certificates section in the left-hand pane and then double-click on Portnox - Portnox CLEAR in the right-hand side pane.

  7. In the Certificate window, click on the Details tab and then click on the Copy to File button.

  8. In the Certificate Export Wizard, export the certificate in base-64 encoded format.

    1. In the first step of the wizard, click on the Next button.
    2. In the second step of the wizard, select the Base-64 encoded X.509 (.CER) option.
    3. In the third step of the wizard, select a file to save the exported tenant CA certificate, and click on the Next button.

      For example, save the file as tenantCertificate.cer.

    4. In the last step of the wizard, click on the Finish button. Then, close the Certificate window.
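The following PowerShell script is an added example, not part of the Portnox or Google documentation: it performs the two Certificate Export Wizard conversions described above (root CA and tenant CA) from the command line, checks that each file really is a CA certificate, and prints the tenant CA's subject common name, which is the Issued to value you need for the Wi-Fi profile. It assumes the default file names from this page in the current folder, a .pfx that holds only the tenant CA certificate, and a blank PFX password unless you pass -PfxPassword.

```powershell
# Added example (not from the Portnox or Google documentation). Converts the two files
# downloaded from Portnox Cloud to Base-64 encoded X.509 (.CER) and prints the values
# that are pasted into Google Workspace later. Assumptions: default file names from
# this page, files in the current folder, the .pfx holds only the tenant CA
# certificate, blank PFX password unless one is given.
param(
    [string]$RootCer     = ".\rootCertificate.cer",
    [string]$TenantPfx   = ".\Portnox - Portnox CLEAR.pfx",
    [string]$PfxPassword = "",
    [string]$OutDir      = ".\google-workspace"
)
$ErrorActionPreference = "Stop"

function ConvertTo-Base64Cer {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Path)
    # Same result as the wizard's "Base-64 encoded X.509 (.CER)" option: PEM header and
    # footer around the DER bytes as base64, wrapped at 64 characters, ASCII encoded.
    $b64     = [Convert]::ToBase64String($Certificate.RawData)
    $wrapped = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
    $pem     = "-----BEGIN CERTIFICATE-----`r`n$wrapped`r`n-----END CERTIFICATE-----`r`n"
    [IO.File]::WriteAllText($Path, $pem, [Text.Encoding]::ASCII)
}

function Test-IsCertificateAuthority {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Basic Constraints must say CA=true; a leaf certificate here means the wrong file.
    $bc = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    return [bool]($bc -and $bc.CertificateAuthority)
}

# X509Certificate2 resolves paths against the process working directory, so use absolute paths.
$root   = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path $RootCer).Path
$tenant = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path $TenantPfx).Path, $PfxPassword
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$jobs = @(
    @{ Cert = $root;   File = "rootCertificate.cer";   Role = "root CA (Server Certificate Authority in the Wi-Fi profile)" },
    @{ Cert = $tenant; File = "tenantCertificate.cer"; Role = "tenant CA (Certificate Authority in the SCEP profile)" }
)
foreach ($job in $jobs) {
    if (-not (Test-IsCertificateAuthority $job.Cert)) {
        throw "$($job.File): Basic Constraints does not mark this as a CA; check which file you downloaded."
    }
    $out = Join-Path $OutDir $job.File
    ConvertTo-Base64Cer -Certificate $job.Cert -Path $out
    Write-Host "$($job.Role)`n  Subject: $($job.Cert.Subject)`n  Issuer:  $($job.Cert.Issuer)`n  Written: $out"
}
# The two CAs serve different purposes (RADIUS server certificates vs. SCEP certificates),
# so identical files mean the downloads were mixed up.
if ($root.Thumbprint -eq $tenant.Thumbprint) { throw "Root CA and tenant CA are the same certificate." }

# "Issued to" in the certificate viewer is the subject common name (assumption: this equals
# the Issued to value shown in the Portnox portal). Paste it into Issuer pattern > Common name.
$issuedTo = $tenant.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
Write-Host "Wi-Fi profile > Issuer pattern > Common name: $issuedTo"
```

Run it in the folder that holds the two downloaded files; the converted .cer files land in the google-workspace subfolder and are the ones you upload when creating the certificate profiles.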

Create a profile for the root CA certificate

In this section, you will create a profile in Google Workspace for the downloaded Portnox™ Cloud root CA certificate.

  1. Open the Google Workspace admin console and access the Devices > Networks > Certificates pane by visiting the following URL: admin.google.com/ac/networks/certificates.
  2. In the Organizational units section, select a specific organizational unit if you want this profile to apply only to the selected organizational unit. Otherwise, leave the default top organizational unit selected.
  3. Click on the ADD CERTIFICATE link.

    The Add certificate pane opens.

  4. In the Add certificate pane, enter the name for the profile and then click on the UPLOAD button. Then, select the root CA certificate downloaded and converted earlier.

    In this example, we used the name Portnox Cloud root CA, but you can use any name you like.

    You will see basic information about the root CA certificate.

  5. In the Certificate Authority section of the Add certificate pane, select Chromebook and optionally all other managed device platforms that you will use this certificate with, and then click on the Add button.

Result: You created a profile for the Portnox Cloud root CA certificate.

Create a profile for the tenant CA certificate

In this section, you will create a profile in Google Workspace for the downloaded Portnox™ Cloud tenant CA certificate.

  1. Open the Google Workspace admin console and access the Devices > Networks > Certificates pane by visiting the following URL: admin.google.com/ac/networks/certificates.
  2. In the Organizational units section, select a specific organizational unit if you want this profile to apply only to the selected organizational unit. Otherwise, leave the default top organizational unit selected.
  3. Click on the ADD CERTIFICATE link.

    The Add certificate pane opens.

  4. In the Add certificate pane, enter the name for the profile and then click on the UPLOAD button. Then, select the tenant CA certificate downloaded and converted earlier.

    In this example, we used the name Portnox Cloud tenant CA, but you can use any name you like.

    You will see basic information about the tenant CA certificate.

  5. In the Certificate Authority section of the Add certificate pane, select Chromebook and optionally all other managed device platforms that you will use this certificate with, and then click on the Add button.

Result: You created a profile for the Portnox Cloud tenant CA certificate.

Create a secure SCEP profile

In this section, you will create a secure SCEP profile in Google Workspace. The secure SCEP profile lets devices managed by Google Workspace contact the Portnox™ Cloud SCEP server via the connector.

  1. Open the Google Workspace admin console and access the Devices > Networks > SCEP pane by visiting the following URL: admin.google.com/ac/networks/scep.
  2. In the Organizational units section, select a specific organizational unit if you want this profile to apply only to the selected organizational unit. Otherwise, leave the default top organizational unit selected.
  3. Click on the ADD SECURE SCEP PROFILE link to create a secure SCEP profile.

    The Add Secure SCEP pane opens.

    Note: Adjust the values proposed below to your requirements and your environment, if needed.
  4. In the Device platforms section of the Add Secure SCEP pane, select the platform that this profile is to be used for.

    Important: When managing Chromebooks using Google Workspace, you can only use either device certificates or user certificates for your Chromebooks, but not the two together.

    In this example, we selected the option to request user certificates for Chromebooks.

  5. In the SCEP profile name section, enter the SCEP profile name for this secure SCEP profile.

    In this example, we used the name Portnox Cloud SCEP User, but you can use any name you like.

  6. In the Subject name format section, select the Fully Distinguished Name option.
    1. In the Common name field, enter a variable to set subject common names for generated certificates.

      In this example, we used the ${USER_EMAIL} variable.

      You can use the following variables:

      • ${DEVICE_DIRECTORY_ID}: The device’s directory ID
      • ${USER_EMAIL}: The signed-in user’s email address
      • ${USER_EMAIL_DOMAIN}: The signed-in user’s domain name
      • ${DEVICE_SERIAL_NUMBER}: The device’s serial number
      • ${DEVICE_ASSET_ID}: The asset ID assigned to the device by the administrator
      • ${DEVICE_ANNOTATED_LOCATION}: The location assigned to the device by the administrator
      • ${USER_EMAIL_NAME}: The first part (part before @) of the signed-in user’s email address
    2. Optionally, in other fields, enter text information relevant to your organization.
  7. In the Subject alternative name section, select the Custom option. Then, click on the  +  icon to add SANs.

    In this example, we created one SAN: User Principal with the ${USER_EMAIL} variable string.

    You can use the same variables to create SANs as you can use to create subject names.

  8. In the Key usage section, select the Key encipherment option.
  9. In the SCEP server attributes section:
    1. In the SCEP server URL field, copy and paste the SCEP URL that you saved in the previous task in this series.

    2. In the Extended key usage field, select the Client authentication option.
    3. In the Challenge type field, select the Static option and then copy and paste the SCEP password that you saved in the previous task in this series.

    4. In the Certificate Authority field, select the tenant CA certificate profile that you created in the earlier task.

      Note: Do not select the root CA certificate here. The root CA certificate is used in the Wi-Fi profile to confirm the identity of the cloud RADIUS servers.
    5. In the Network type this profile applies to field, activate the Wi-Fi checkbox.
  10. For other fields, leave the default values or adjust values to your requirements and your environment, if needed.
  11. Click on the Save button to save your secure SCEP profile.

Result: You created a trusted SCEP profile.

Note: If you are trying to add a trusted SCEP profile but no profiles appear in the list, check if your Google Workspace has an active Chrome Enterprise Upgrade subscription. Trusted SCEP profiles are available only with the Chrome Enterprise Upgrade.

Create a Wi-Fi profile

In this section, you will create a Wi-Fi profile in Google Workspace for Chromebooks managed by Portnox™ Cloud.

  1. Open the Google Workspace admin console and access the Devices > Networks > Wi-Fi pane by visiting the following URL: admin.google.com/ac/networks/wifi.
  2. In the Organizational units section, select a specific organizational unit if you want this profile to apply only to the selected organizational unit. Otherwise, leave the default top organizational unit selected.
  3. Click on the ADD WI-FI link.

    The Add Wi-Fi pane opens.

  4. In the Platform access section of the Add Wi-Fi pane, select the platform that this profile is to be used for.

    Important: When managing Chromebooks using Google Workspace, you can only use either device certificates or user certificates for your Chromebooks, but not the two together. In the Wi-Fi profile, you can select both options, but you can only select one trusted SCEP profile later, and the trusted SCEP profile decides whether the device requests user or device certificates when connecting to the network.

    In this example, we selected the option to request user certificates for Chromebooks.

  5. In the Details section, enter a friendly name for the Wi-Fi profile in the Name field and enter the network SSID in the SSID field.

    Note: The value of the Name field is used only in Google Workspace for organizational purposes. Users see the network SSID in their Chromebook's network configuration.
  6. In the Security settings section, in the Security Type field, select the WPA/WPA2 Enterprise (802.1X) option and in the Extensible Authentication Protocol field that appears, select the EAP-TLS option.

  7. In the Server Certificate Authority field, select the root CA profile you created in the earlier task.

    Note: This root certificate is used to validate the RADIUS server. Do not select the tenant CA certificate here. The tenant CA certificate is used in SCEP profiles to verify the validity of SCEP certificates.
  8. In the Username field, enter the username for administering the network.

    You can use any username you like. This field is required by Google Workspace but it is not used in practice.

  9. In the SCEP profile field, select the trusted SCEP profile you created in the earlier task.

  10. In the Issuer pattern section, in the Common name field, paste the issuer name that you copied from Portnox Cloud in the earlier task.

  11. For other fields, leave the default values or adjust values to your requirements and your environment, if needed, then click on the SAVE button to save the Wi-Fi profile.

Result: You created a Wi-Fi profile for the network managed by Portnox Cloud.

Test your configuration on a managed Chromebook

In this section, you will test the configuration you created in Google Workspace by connecting a Chromebook to the network managed by Portnox™ Cloud.

  1. Turn on your Chromebook and log in using your managed Google account.
  2. Click on the  ⌔  icon in the notification area to open the Status Tray.

  3. Click on the  ▼  icon next to the current network name in the Status Tray to show the list of available Wi-Fi networks.

  4. Click on the name of the network managed by Portnox Cloud to connect to it.

    The symbol on the right side of the network SSID confirms that this network is managed by the organization.

Important: Connecting to the network for the first time may take a long time, approximately a minute. This is because Google Workspace needs to wait for the Google connector to poll the cloud and check for new SCEP requests, and the Google connector does that every 30 seconds. After the Google connector polls the cloud and finds the new request, it must connect to the Portnox Cloud SCEP server, receive a reply, and then send that reply to the Google cloud during the next poll 30 seconds later. Then, the Google Cloud must send the certificate to your Chromebook, and you can connect to the network.