Use the Google Cloud Certificate Connector

You can control user access to your organization’s Wi-Fi networks, internal apps, and internal websites on ChromeOS devices by using a connector to distribute device certificates from your on-premises Certificate Authority (CA). The Google Cloud Certificate Connector is a Windows service that securely distributes certificates and authentication keys from your CA server to users’ devices.

For ChromeOS devices, private keys for certificates are generated on the device. The corresponding public key is stored temporarily on Google servers and deleted after the certificate is installed.

System requirements

  • Your organization uses Microsoft Active Directory Certificate Service for a Simple Certificate Enrollment Protocol (SCEP) server and the Microsoft Network Device Enrollment Service (NDES) to distribute certificates. Windows Server 2016 and newer are supported.
  • ChromeOS devices with version 138 or later for the best experience.
  • A Google Cloud Project (GCP) with a billing account set up.

Before you begin

  • Setting up certificate deployment with SCEP requires expertise and permissions to manage Microsoft Active Directory Certificate Service for your organization. Make sure that the relevant experts are involved within your organization before moving forward.
  • If you need the certificate Subject name to use Active Directory usernames, you must sync your Active Directory and Google Directory with Google Cloud Directory Sync (GCDS). If necessary, set up GCDS.
  • To configure your Windows Network Device Enrollment Service (NDES) server, Google Admin console, and GCP for ChromeOS certificate enrollment, see Configuring Certificate Enrollment for ChromeOS via SCEP.

Step 1: Download the Google Cloud Certificate Connector

Note: If you have already set up the Google Cloud Certificate Connector for mobile devices, skip this step and go straight to Step 3: Configure the Google Cloud Certificate Connector.

Perform the following steps on the CA server or a Windows machine that can reach the server. If your organization has several servers, you can use the same certificate connector agent on all of them.

To download and run the installer, follow these steps:

Note: You download the Google Cloud Certificate Connector and its components only once, when you first set up certificates for your organization. Your certificates and certificate profiles can share a single certificate connector.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Devices > Networks.

    Requires having the Shared device settings administrator privilege.

  3. Click Certificates > Certificate Authority connections > Download Connector.
  4. Click Download.
  5. Run the certificate connector installer as an administrator.

Important: By default, the installer registers the service to use the LocalService account for sign-in. When the service is registered, the software is marked as installed. Then, the installer attempts to start the service. If this is the first time installing the connector, the service won't start because of missing required configuration files. To get these configuration files, follow the remaining instructions in this article.

Step 2: Download the Pub/Sub Service Account key

  1. From your Google Cloud Project (GCP), go to Service Accounts.
  2. Click the service account created for the Google Cloud Certificate Connector.
  3. Go to Keys.
  4. Click Add Key > Create a new Key > JSON > Create.
  5. Move the downloaded JSON file to the connector installation directory and restrict its NTFS permissions so that only administrators and the account the service logs on as can read it. The key does not expire by default and authenticates the connector to Pub/Sub, so treat it like a password.

Step 3: Configure the Google Cloud Certificate Connector

  1. (Optional) Run the config tool (C:\Program Files\Google Cloud Certificate Connector\Config Tool.exe) as an administrator to re-register the service with a different account name other than the default LocalService account.
  2. In the Google Cloud Certificate Connector folder created during installation (C:\Program Files\Google Cloud Certificate Connector), create a new file adapter_config.json and populate it with the desired configuration. For a complete list of configuration parameters, go to Google Cloud Certificate Connector—Configuration parameters.
    Note: To support backwards compatibility, the connector works with the legacy configuration file config.json. It automatically looks for the legacy configuration file if the adapter_config.json file is not present.
  3. Launch the Google Cloud Certificate Connector service:
    1. Open Windows Services.
    2. Select Google Cloud Certificate Connector.
    3. Click Start. Ensure that the status changes to Running. The service automatically restarts if the machine reboots.

If you download a new service account key or edit the configuration file, restart the service for the changes to take effect.

How certificate authentication through Google Cloud Certificate Connector works

The Google Cloud Certificate Connector is a Windows service that establishes an exclusive connection between your CA server and Google. The certificate connector is configured and secured by a configuration file and a key file, both of which are managed by your organization.

You assign certificates to devices and users with certificate profiles. To assign a profile, you choose an organizational unit and add the profile to it. The profile includes the Certificate Authority that issues the certificates. When a ChromeOS device is enrolled, the configured policy is sent to the device, which then installs the certificate: before user login for a device certificate, or after login for a user certificate. If the device is already enrolled or the user profile already exists, the certificate is installed once the device or user receives the updated policy from the Admin console.

Google Cloud Certificate Connector—Configuration parameters

Definitions


The following are definitions of the configuration objects accepted by the Google Cloud Certificate Connector.

New configuration

The adapter_config.json file is expected to contain a single configuration of this object, which is the outermost object in the JSON file. It has the following possible keys and their corresponding values:

Key Optional/Required Value type
legacy_configuration Optional if adapter_configuration is given

Legacy configuration

If given, the connector uses the legacy protocol for the requests associated with the Pub/Sub subscription ID that is included in this configuration. The available features are limited to those provided in this configuration. A given subscription ID must appear in either the adapter or the legacy configuration, but not both.

adapter_configuration Optional if legacy_configuration is given

Adapter configuration

If given, the connector uses the new protocol for requests associated with the Pub/Sub subscription IDs that are included in this configuration and also configures the connector itself with the attributes given in this configuration.

profile_configurations Optional

[]Profile configuration

Required only for certificate profiles that use a generic CA connection (see Profile configuration).

ca_configurations Required if adapter_configuration or profile_configurations are given

[]CA configuration

Legacy configuration

This describes the previous configuration supported by the connector. This configuration type is still supported to have backwards compatibility for current users.

The current connector understands this configuration and processes the requests that arrive on the request_subscription given in the legacy_configuration using the legacy protocol, without the Certificate Provisioning API.

The connector expects to find a key file—key.json—to authenticate the service account for Pub/Sub communication, which is unchanged behavior.

Key Optional/Required Value type
request_subscription Required

string

This is the name of the subscription ID the connector listens to for requests.

response_topic Required

string

This is the name of the topic which the connector sends the issued certificates to.

max_scep_queries_per_second Optional

float

The connector uses this parameter to control the pace it sends its traffic to the CA server. If this value is not found the default value of 2 will be used.

Adapter configuration

The parameters of this configuration are attributes of the connector itself. It can have the following fields:

Key Optional/Required Value type
instance_id Optional

string

A unique identifier for this connector instance. It should be unique across all connectors in the same project. If not present, the connector generates a random GUID and identifies itself with it.

request_subscriptions Required

[]string

The fully qualified subscription names that the connector listens to. The subscriptions must be in the format projects/<projectid>/subscriptions/<id>. All subscriptions in this list must be from the same project.

key_filename Required

string

The file name of the key file that the connector uses to authenticate. The key file is expected to be in the same directory as the connector executable. The connector uses this key to authenticate to the Google services used by the new flow: listening on the subscriptions given in request_subscriptions and invoking the Certificate Provisioning API.

proxy_mode Optional

string

This attribute describes the proxy mode that the connector uses to route its traffic. Possible modes currently are:

  • system: Uses what is configured at the system level. In this mode the connector looks for proxy settings in the following order:
    • The Internet Explorer settings configured for the user, where the user is the service account the connector service is configured to log on as.
    • Machine-level (WinHTTP) settings.
    • User-level registry values (ProxyServer, and so on) under HKU\<user-id>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
  • direct: The connector connects directly, disregarding any proxy settings.
  • fixed_servers: The connector uses the static values found in proxy_server and proxy_bypass_list for all requests.

If proxy_mode is not given, system is used as the default.

proxy_server Required if fixed_servers is used as the proxy_mode; ignored otherwise.

string

proxy_bypass_list Optional

string

Used only when fixed_servers is the proxy_mode. An empty bypass list is used if omitted.

log_level Optional

string

This describes the level of logs that the connector should output. Possible values are: debug, info, warn, error. The connector outputs any event at the given level and higher. If omitted, info is used as the default.

max_number_of_ongoing_requests Optional

int

The connector can process a limited number of requests simultaneously, defaulting to 100. When this limit is reached, no new requests are accepted until a spot is freed by completing an enrollment or timing out. Unresponsive client devices or CAs block enrollments, occupying spots until resolved. Higher limits increase memory usage.

Profile configuration

Required only when using a generic profile in the Google Admin console—a profile that uses a generic CA connection. The following configuration outlines the attributes of the certificate to be issued.

Key Optional/Required Value type
profile_config_id Required

string

The unique identifier of the configuration. The connector uses this configuration for certificate profiles with matching certificate provisioning profile config reference identifier.

subject_name Required if subject_alt_names is not given

struct

  • The distinguished name of the subject. It has the following attributes; at least one must be provided:
    • common_name: string, optional
    • organization: string, optional
    • organizational_unit: []string, optional
    • locality: string, optional
    • state: string, optional
    • country: string, optional
subject_alt_names Required if subject_name is not given.

[]subject_alt_name

Each entry is an object with two required keys. The first key, type, is one of "USER_PRINCIPLE", "RFC822", "DNS", or "URI". The second key, name, holds the string value for the chosen type.

Note: subject_name and subject_alt_names values can be a placeholder that will be replaced with a value based on user and device attributes, if available. The placeholder can be any of the following :

  • ${USER_EMAIL}—Full user email.
  • ${USER_EMAIL_NAME}—First part of the email before the "@".
  • ${USER_ID}—Same as ${USER_EMAIL_NAME}.
  • ${USER_EMAIL_DOMAIN}—Second part of the email after the "@".
  • ${USER_DOMAIN}—Same as ${USER_EMAIL_DOMAIN}.
  • ${DEVICE_SERIAL_NUMBER}—Device serial number.
  • ${DEVICE_DIRECTORY_ID}—Device directory ID, same as the Admin console's Directory API ID in the ChromeOS > Devices tab.

key_usages At least one key usage is required.

[]string

Each entry specifies a single key usage. Possible values are "KEY_ENCIPHERMENT" and "SIGNING".

extended_key_usages Optional

[]string

Each entry specifies a single extended key usage. Possible values are "CLIENT_AUTH" and "SERVER_AUTH".

template_name Optional

string

The template name to be requested from the CA.

The name given here must match a template name—not display name—in the CA.

signature_algorithm Required

string

The signature algorithm that the client device, holding the private key, will be asked to sign the Certificate Signing Request (CSR) with. The value given here should be compatible with the key type selected in the Admin console. Currently, only one signature algorithm is offered per key type. Possible values are "RSA_SHA256", "ECDSA_SHA256"
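The following Python script is an added illustration for this page, not code from the connector or from Google. It shows how the documented placeholders resolve from user and device attributes, including the two aliases (${USER_ID}, ${USER_DOMAIN}), and what is left over when an attribute is unavailable, for example a device certificate rendered before any user has signed in. The page does not say how the real connector treats an unresolvable placeholder; the script leaves it in place and reports it, which is an assumption. The profile and the attribute values are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Placeholders documented for subject_name and subject_alt_names values.
PLACEHOLDER_RE = re.compile(r"\$\{([A-Z_]+)\}")


def build_attributes(user_email: Optional[str], device_serial: Optional[str],
                     device_directory_id: Optional[str]) -> Dict[str, str]:
    """Derive every documented placeholder value from the raw user/device facts.
    Only attributes that are actually available are returned, so a device
    certificate issued before sign-in carries no USER_* values."""
    attrs: Dict[str, str] = {}
    if user_email and "@" in user_email:
        local, domain = user_email.split("@", 1)
        attrs["USER_EMAIL"] = user_email
        attrs["USER_EMAIL_NAME"] = local      # part before the "@"
        attrs["USER_ID"] = local              # documented alias of USER_EMAIL_NAME
        attrs["USER_EMAIL_DOMAIN"] = domain   # part after the "@"
        attrs["USER_DOMAIN"] = domain         # documented alias of USER_EMAIL_DOMAIN
    if device_serial:
        attrs["DEVICE_SERIAL_NUMBER"] = device_serial
    if device_directory_id:
        attrs["DEVICE_DIRECTORY_ID"] = device_directory_id
    return attrs


def expand(value: str, attrs: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute known placeholders. Unresolvable ones are kept verbatim and
    reported (assumed behaviour; the page does not say what the connector does)."""
    missing: List[str] = []

    def repl(match):
        key = match.group(1)
        if key in attrs:
            return attrs[key]
        missing.append(key)
        return match.group(0)

    return PLACEHOLDER_RE.sub(repl, value), missing


def render_profile(profile: dict, attrs: Dict[str, str]) -> Tuple[dict, list, List[str]]:
    """Render the subject_name and subject_alt_names of one profile_configurations
    entry. Returns (subject, sans, sorted names of unresolved placeholders); a
    caller should refuse to build a CSR when the third element is non-empty."""
    missing: List[str] = []
    subject: Dict[str, object] = {}
    for key, raw in profile.get("subject_name", {}).items():
        if isinstance(raw, list):                 # organizational_unit is []string
            rendered = []
            for item in raw:
                text, gaps = expand(item, attrs)
                rendered.append(text)
                missing += gaps
            subject[key] = rendered
        else:
            text, gaps = expand(raw, attrs)
            subject[key] = text
            missing += gaps
    sans = []
    for san in profile.get("subject_alt_names", []):
        text, gaps = expand(san["name"], attrs)
        sans.append({"type": san["type"], "name": text})
        missing += gaps
    return subject, sans, sorted(set(missing))


# Constructed sample profile: the CN ties the user to the device, the SAN carries the email.
SAMPLE_PROFILE = {
    "profile_config_id": "profile_user",
    "subject_name": {
        "common_name": "${USER_EMAIL_NAME}-${DEVICE_SERIAL_NUMBER}",
        "organization": "Company Example",
        "organizational_unit": ["${USER_DOMAIN}"],
    },
    "subject_alt_names": [{"type": "RFC822", "name": "${USER_EMAIL}"}],
    "key_usages": ["SIGNING"],
    "signature_algorithm": "RSA_SHA256",
}

if __name__ == "__main__":
    after_login = build_attributes("alice@example.org", "5CD1234ABC", "device-dir-42")
    print(render_profile(SAMPLE_PROFILE, after_login))
    before_login = build_attributes(None, "5CD1234ABC", "device-dir-42")
    print(render_profile(SAMPLE_PROFILE, before_login))   # reports the unresolved USER_* names
```

The second call models a profile with user placeholders pushed to an organizational unit of device certificates: the USER_* values are not available before login, so the rendered subject would contain literal "${...}" text. Checking the third return value before enrolment catches that misconfiguration.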

CA configuration

This configuration describes the parameters that will be used in the communication with the CA.

Key Optional/Required Value type
type Required

string

The CA connection type. Only SCEP is supported at the moment.

ca_connection_config_id Required

string

The unique identifier of the configuration. The connector uses this configuration for CA communication when it receives a certificate provisioning request whose certificate authority connection configuration identifier matches.

ca_endpoint_url Required

string

The URL of the CA server that the connector contacts to request a certificate.

max_scep_queries_per_second Optional

float

The connector uses this parameter to control the pace it sends its traffic to the CA server. If this value is not found the default value of 2 is used.

challenge_filename Optional

string

This specifies the file that holds the static challenge (enrollment password) the connector presents to the CA with each certificate request.

The connector's service account needs read permission for this file. Anyone who can read it can obtain certificates from this CA, so do not grant read access to anyone else.

Only one of challenge_filename or dynamic_challenge can be configured per CA.

dynamic_challenge Optional

Dynamic challenge configuration

Only one of challenge_filename or dynamic_challenge can be set in a single CA configuration.

Dynamic challenge configuration

This configuration describes the parameters to be used when fetching and extracting a dynamic challenge from an external endpoint. The endpoint returns the enrollment password in an HTML page, so use an https:// challenge_endpoint_url; over plain HTTP the password crosses the network in cleartext.

Key Optional/Required Value type
challenge_endpoint_url Required

string

The URL of the endpoint that the connector uses to request a challenge.

number_of_challenge_fetchers Optional

int

The number of fetchers working simultaneously to fetch challenges from the challenge endpoint. This number should always be lower than the number of challenges the endpoint can give out before running out of challenges. The default value is 2.

retry_interval_minutes Optional

float

The number of minutes each challenge fetcher waits before retrying after a failed attempt to fetch a challenge. The value cannot be below 0.016 (about 1 second). The default value is 1 minute.

challenge_validity_minutes Optional

int

The number of minutes a challenge is valid for. The default value is 60.

challenge_page_parser Optional

Challenge parser configuration

If not given, default values will be used. The default values are based on the MS AD/CS admin page behavior.

kerberos Optional

Kerberos configuration

If not given, the connector expects no authentication requirement when accessing the challenge endpoint.

Challenge parser configuration

This configuration describes the options to use when parsing and extracting the challenge from the page returned by the challenge endpoint.

Key Optional/Required Value type
convert_html_to_utf8 Optional

boolean

The flag that indicates whether the HTML retrieved from the challenge endpoint should be converted to UTF-8. The default value is true.

is_challenge_space_wrapped Optional

boolean

The flag that indicates whether the password is wrapped in spaces. The default value is true.

challenge_xpath Optional

string

The XPath expression that points to the challenge in the HTML page returned by the challenge endpoint. The default value is //*[@id="locPageFont"]/p[4]/b. When you set this key in adapter_config.json, escape the inner double quotes (\") so the file remains valid JSON.

out_of_challenges_xpath Optional

string

The XPath to an element that, if found, indicates that the challenge server has run out of enrollment passwords. This element should only appear on that specific error page. The default value is //*[@id="locPageFont"]/ul/li[3]; as with challenge_xpath, escape the inner double quotes in the JSON file.
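To see what the four parser options do to a fetched page, here is an added Python example written for this page (it is not the connector's own parser). It applies the documented defaults with the standard library's ElementTree, which only accepts well-formed markup and relative paths, so the "//..." defaults are turned into ".//..." and the two pages are constructed, well-formed samples shaped the way the defaults expect; a real NDES page would need an HTML parser such as lxml. The challenge value and the error wording in the samples are invented.

```python
import xml.etree.ElementTree as ET
from typing import Union

# Defaults documented for challenge_page_parser.
DEFAULT_CHALLENGE_XPATH = '//*[@id="locPageFont"]/p[4]/b'
DEFAULT_OUT_OF_CHALLENGES_XPATH = '//*[@id="locPageFont"]/ul/li[3]'


class OutOfChallenges(Exception):
    """The endpoint returned its 'no enrollment passwords left' page."""


def _to_et_path(xpath: str) -> str:
    # ElementTree only accepts paths relative to the root element, so the
    # documented "//..." defaults become ".//...".
    return "." + xpath if xpath.startswith("//") else xpath


def extract_challenge(page: Union[str, bytes],
                      challenge_xpath: str = DEFAULT_CHALLENGE_XPATH,
                      out_of_challenges_xpath: str = DEFAULT_OUT_OF_CHALLENGES_XPATH,
                      is_challenge_space_wrapped: bool = True,
                      convert_html_to_utf8: bool = True) -> str:
    """Apply the documented parser options to a challenge page.

    Raises OutOfChallenges if the out-of-challenges marker element is present,
    ValueError if the challenge element cannot be located."""
    if isinstance(page, bytes) and convert_html_to_utf8:
        page = page.decode("utf-8")
    root = ET.fromstring(page)
    # Check the error marker first: a misconfigured challenge_xpath on the error
    # page would otherwise surface as a generic "not found" and hide the real cause.
    if root.find(_to_et_path(out_of_challenges_xpath)) is not None:
        raise OutOfChallenges("challenge endpoint has run out of enrollment passwords")
    node = root.find(_to_et_path(challenge_xpath))
    if node is None or not (node.text or "").strip():
        raise ValueError("no challenge at challenge_xpath; check the XPath for your page")
    text = node.text
    return text.strip() if is_challenge_space_wrapped else text


# Constructed sample pages: a container with id="locPageFont", the password in the
# 4th <p> inside a space-wrapped <b>, and an error page whose <ul> has a 3rd <li>.
CHALLENGE_PAGE = """<html><body><div id="locPageFont">
<p>Network Device Enrollment Service</p>
<p>Use this page to obtain an enrollment challenge password.</p>
<p>The CA certificate thumbprint is: <b> 0A1B 2C3D 4E5F </b></p>
<p>The enrollment challenge password is: <b> 1A2B3C4D5E6F7A8B </b></p>
<p>This password can be used only once and expires within 60 minutes.</p>
</div></body></html>"""

OUT_OF_CHALLENGES_PAGE = """<html><body><div id="locPageFont">
<p>Network Device Enrollment Service</p>
<p>A password could not be issued. Possible reasons:</p>
<ul>
<li>The service is not configured.</li>
<li>The requesting account lacks permission.</li>
<li>The maximum number of outstanding passwords has been reached.</li>
</ul>
</div></body></html>"""

if __name__ == "__main__":
    print(extract_challenge(CHALLENGE_PAGE))            # 1A2B3C4D5E6F7A8B
    try:
        extract_challenge(OUT_OF_CHALLENGES_PAGE)
    except OutOfChallenges as exc:
        print("fetcher should back off:", exc)
```

Note that with is_challenge_space_wrapped left at its default the surrounding spaces are removed; if your page does not wrap the password in spaces and the value has no leading or trailing whitespace, the setting makes no difference, but set it to false if a password could legitimately contain surrounding whitespace.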

Kerberos configuration

This describes the connector's configuration for Kerberos-based communication with the challenge endpoint.

Key Optional/Required Value type
config_filename Required

string

The file name of the Kerberos configuration file.

keytab_filename Required

string

The file name of the keytab file.

realm Required

string

The realm name the connector will use. This should match a realm entry in the Kerberos configuration file.

username Required

string

The name of the Windows Service Account (SA) that the connector will use for Kerberos authentication. This must match the SA from which the keytab file is generated.

server_spn Required

string

The Service Principal Name (SPN) of the challenge endpoint for which the connector will request a service ticket. If an empty string is given (""), the connector will deduce the SPN from the challenge endpoint URL.

enable_fast Optional

string

The flag that indicates whether the client should use the Flexible Authentication Secure Tunneling (FAST) algorithm. This option needs to be enabled on the server machine first. The default value is false.

Examples


The following are some examples of the configurations objects accepted by the Google Cloud Certificate Connector.

Example 1: New and legacy configuration with Dynamic SCEP

{
  "adapter_configuration": {
    "request_subscriptions": [
      "projects/project-2/subscriptions/request-subscription-C02keao",
      "projects/project-2/subscriptions/request-subscription-A2Oqeo"
    ],
    "key_filename": "adapter_key.json",
    "instance_id": "adapter_202932"
  },
  "profile_configurations": [
    {
      "profile_config_id": "profile_1",
      "subject_name": {
        "common_name": "Example_Cert_prov",
        "organization": "Company Example",
        "organizational_unit": ["My org"]
      },
      "subject_alt_names": [
        {
          "type": "RFC822",
          "name": "${USER_EMAIL}"
        }
      ],
      "key_usages": ["SIGNING", "KEY_ENCIPHERMENT"],
      "signature_algorithm": "RSA_SHA256",
      "template_name": "SCEPTemplate"
    },
    {
      "profile_config_id": "profile_2",
      "subject_name": {
        "common_name": "Example_Cert_common_2",
        "organization": "Company Example2",
        "organizational_unit": ["My second org"]
      },
      "subject_alt_names": [
        {
          "type": "RFC822",
          "name": "${USER_EMAIL}"
        }
      ],
      "key_usages": ["SIGNING", "KEY_ENCIPHERMENT"],
      "signature_algorithm": "RSA_SHA256",
      "template_name": "clientSCEPCert"
    }
  ],
  "ca_configurations": [
    {
      "type": "SCEP",
      "ca_connection_config_id": "NDES_CA_CONFIG_1",
      "ca_endpoint_url": "http://cert-test-ad-new/certsrv/mscep/",
      "challenge_filename": "challenge-file.txt"
    },
    {
      "type": "SCEP",
      "ca_connection_config_id": "dynamic_ca_config",
      "ca_endpoint_url": "https://dynamic-ca.example.org/certsrv/mscep/",
      "dynamic_challenge": {
        "challenge_endpoint_url": "http://dynamic-ca.example.org/certsrv/mscep_admin",
        "number_of_challenge_fetchers": 2,
        "challenge_validity_minutes": 30,
        "kerberos": {
          "config_filename": "kerberos.conf",
          "keytab_filename": "scepsvc.keytab",
          "realm": "EXAMPLE.ORG",
          "username": "scepsvc",
          "server_spn": ""
        }
      }
    }
  ],
  "legacy_configuration": {
    "response_topic": "projects/mdm-certificate/topics/response-C02gxaaci",
    "query_per_second": "30",
    "request_subscription": "projects/mdm-certificate/subscriptions/request-subscription-C02gxaaci"
  }
}

Example 2: New configuration, without profiles (non-generic setup)

{
  "adapter_configuration": {
    "request_subscriptions": [
      "projects/project-2/subscriptions/request-subscription-C02keao"
    ],
    "key_filename": "adapter_key.json",
    "instance_id": "adapter_202932"
  },
  "ca_configurations": [
    {
      "type": "SCEP",
      "ca_connection_config_id": "NDES_CA_CONFIG_1",
      "ca_endpoint_url": "http://cert-test-ad-new/certsrv/mscep/"
    }
  ]
}

Example 3: Legacy configuration only

{
  "legacy_configuration": {
    "response_topic": "projects/mdm-certificate/topics/response-C02gxaaci",
    "query_per_second": "30",
    "request_subscription": "projects/mdm-certificate/subscriptions/request-subscription-C02gxaaci"
  }
}
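Because the service simply fails to start on a bad configuration, it pays to lint adapter_config.json before restarting it. The following Python script is an added example written for this page, not a tool shipped with the connector. It encodes the cross-field rules stated in the definitions above (subscription name format and single project, a subscription in only one of adapter or legacy configuration, subject_name or subject_alt_names, a non-empty key_usages, a valid signature_algorithm, proxy_server with fixed_servers, challenge_filename and dynamic_challenge being mutually exclusive, and the retry interval floor). The two embedded configurations are constructed samples; validate_file reads a real file.

```python
import json
import re
from typing import Any, Dict, List

SUBSCRIPTION_RE = re.compile(r"^projects/([^/]+)/subscriptions/[^/]+$")
KEY_USAGES = {"KEY_ENCIPHERMENT", "SIGNING"}
SIGNATURE_ALGS = {"RSA_SHA256", "ECDSA_SHA256"}
SAN_TYPES = {"USER_PRINCIPLE", "RFC822", "DNS", "URI"}
PROXY_MODES = {"system", "direct", "fixed_servers"}
KERBEROS_KEYS = ("config_filename", "keytab_filename", "realm", "username", "server_spn")


def validate(cfg: Dict[str, Any]) -> List[str]:
    """Return every violation of the documented constraints; an empty list means OK."""
    errors: List[str] = []
    adapter = cfg.get("adapter_configuration")
    legacy = cfg.get("legacy_configuration")
    profiles = cfg.get("profile_configurations") or []
    cas = cfg.get("ca_configurations") or []

    if adapter is None and legacy is None:
        errors.append("one of adapter_configuration or legacy_configuration is required")
    if (adapter is not None or profiles) and not cas:
        errors.append("ca_configurations is required with adapter_configuration or profile_configurations")

    adapter_subs: List[str] = []
    if adapter is not None:
        adapter_subs = adapter.get("request_subscriptions") or []
        if not adapter_subs:
            errors.append("adapter_configuration.request_subscriptions is required")
        projects = set()
        for sub in adapter_subs:
            match = SUBSCRIPTION_RE.match(sub)
            if match:
                projects.add(match.group(1))
            else:
                errors.append(f"subscription must be projects/<projectid>/subscriptions/<id>: {sub}")
        if len(projects) > 1:
            errors.append("all request_subscriptions must belong to the same project")
        if not adapter.get("key_filename"):
            errors.append("adapter_configuration.key_filename is required")
        mode = adapter.get("proxy_mode", "system")
        if mode not in PROXY_MODES:
            errors.append(f"unknown proxy_mode: {mode}")
        if mode == "fixed_servers" and not adapter.get("proxy_server"):
            errors.append("proxy_server is required when proxy_mode is fixed_servers")

    if legacy is not None:
        for key in ("request_subscription", "response_topic"):
            if not legacy.get(key):
                errors.append(f"legacy_configuration.{key} is required")
        if legacy.get("request_subscription") in adapter_subs:
            errors.append("a subscription may appear in the adapter or the legacy configuration, not both")

    for profile in profiles:
        pid = profile.get("profile_config_id") or "<profile without profile_config_id>"
        if not profile.get("subject_name") and not profile.get("subject_alt_names"):
            errors.append(f"{pid}: subject_name (with at least one attribute) or subject_alt_names is required")
        for san in profile.get("subject_alt_names") or []:
            if san.get("type") not in SAN_TYPES or not san.get("name"):
                errors.append(f"{pid}: each subject_alt_names entry needs a valid type and a name")
        usages = set(profile.get("key_usages") or [])
        if not usages or not usages <= KEY_USAGES:
            errors.append(f"{pid}: key_usages must be a non-empty subset of {sorted(KEY_USAGES)}")
        if profile.get("signature_algorithm") not in SIGNATURE_ALGS:
            errors.append(f"{pid}: signature_algorithm must be one of {sorted(SIGNATURE_ALGS)}")

    for ca in cas:
        cid = ca.get("ca_connection_config_id") or "<CA without ca_connection_config_id>"
        if ca.get("type") != "SCEP":
            errors.append(f"{cid}: type must be SCEP")
        if not ca.get("ca_endpoint_url"):
            errors.append(f"{cid}: ca_endpoint_url is required")
        if "challenge_filename" in ca and "dynamic_challenge" in ca:
            errors.append(f"{cid}: challenge_filename and dynamic_challenge are mutually exclusive")
        dynamic = ca.get("dynamic_challenge")
        if dynamic is not None:
            if not dynamic.get("challenge_endpoint_url"):
                errors.append(f"{cid}: dynamic_challenge.challenge_endpoint_url is required")
            if dynamic.get("retry_interval_minutes", 1) < 0.016:
                errors.append(f"{cid}: retry_interval_minutes cannot be below 0.016")
            for key in KERBEROS_KEYS:
                if "kerberos" in dynamic and key not in dynamic["kerberos"]:
                    errors.append(f"{cid}: kerberos.{key} is required")
    return errors


def validate_file(path: str) -> List[str]:
    """Lint an on-disk adapter_config.json; a JSON syntax error is reported as a finding."""
    try:
        with open(path, encoding="utf-8") as handle:
            return validate(json.load(handle))
    except json.JSONDecodeError as exc:
        return [f"{path} is not valid JSON: {exc}"]


# Constructed samples: GOOD follows every rule, BAD breaks four of them.
GOOD = {
    "adapter_configuration": {"request_subscriptions": ["projects/project-2/subscriptions/request-subscription-C02keao"],
                              "key_filename": "adapter_key.json"},
    "profile_configurations": [{"profile_config_id": "profile_1", "key_usages": ["SIGNING"],
                                "subject_alt_names": [{"type": "RFC822", "name": "${USER_EMAIL}"}],
                                "signature_algorithm": "RSA_SHA256"}],
    "ca_configurations": [{"type": "SCEP", "ca_connection_config_id": "NDES_CA_CONFIG_1",
                           "ca_endpoint_url": "https://ndes.example.org/certsrv/mscep/",
                           "challenge_filename": "challenge-file.txt"}],
}
BAD = {
    "adapter_configuration": {"request_subscriptions": ["projects/project-2/subscriptions/request-subscription-C02keao"],
                              "key_filename": "adapter_key.json", "proxy_mode": "fixed_servers"},
    "legacy_configuration": {"request_subscription": "projects/project-2/subscriptions/request-subscription-C02keao",
                             "response_topic": "projects/project-2/topics/response"},
    "profile_configurations": [{"profile_config_id": "profile_1", "subject_name": {"common_name": "x"},
                                "key_usages": ["SIGNING"]}],
    "ca_configurations": [{"type": "SCEP", "ca_connection_config_id": "ca_1",
                           "ca_endpoint_url": "https://ndes.example.org/certsrv/mscep/",
                           "challenge_filename": "challenge-file.txt",
                           "dynamic_challenge": {"challenge_endpoint_url": "https://ndes.example.org/certsrv/mscep_admin"}}],
}

if __name__ == "__main__":
    print(validate(GOOD))   # []
    print(*validate(BAD), sep="\n")
```

Run validate_file against C:\Program Files\Google Cloud Certificate Connector\adapter_config.json before starting the service; the script deliberately ignores keys it does not know about, so it will not reject legacy files that carry additional fields.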

Known issues and limitations

Certificates can’t be revoked after they’re installed on a device.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
