Set up certificates for managed mobile and ChromeOS devices
Mobile devices: Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Cloud Identity Premium.
ChromeOS devices: Chrome Enterprise is required for device-based certificates.
You can control user access to your organization’s Wi-Fi and Ethernet networks, Virtual Private Networks (VPNs), and internal apps and websites on mobile and ChromeOS devices by distributing certificates from your on-premises Certificate Authority (CA). The Google Cloud Certificate Connector is a Windows service that securely distributes certificates and authentication keys from your Simple Certificate Enrollment Protocol (SCEP) server to users’ mobile and ChromeOS devices. For details, go to How certificate authentication through Google Cloud Certificate Connector works on this page.
For ChromeOS devices, you can set up user-based or device-based certificates. A user certificate is added to a device for a specific user and is accessible by that specific user. A device certificate is assigned based on the device and is accessible by any user signed in to the device. For details, go to Manage client certificates on Chrome devices.
If you want to control Wi-Fi network access for both mobile and ChromeOS devices, you’ll need to set up separate SCEP profiles and Wi-Fi networks because mobile devices and ChromeOS devices support different RSA key types.
Notes on key storage:
- For mobile devices, private keys for the certificates are generated on Google servers. The keys are purged from Google servers after the certificate is installed on the device or after 24 hours, whichever comes first.
- For ChromeOS devices, private keys for the certificates are generated on the ChromeOS device. The corresponding public key is stored temporarily on Google servers and purged after the certificate is installed.
System requirements
- Microsoft Active Directory Certificate Service for a SCEP server, and the Microsoft Network Device Enrollment Service (NDES) to distribute certificates.
- Mobile devices: iOS and Android devices under advanced mobile management. Learn more about device requirements.
- ChromeOS devices:
- Device certificates: ChromeOS version 89 or later and managed with Chrome Enterprise
- User certificates: ChromeOS version 86 or later.
Note: For versions earlier than 87, users must restart the device or wait a couple of hours for the user certificate to be deployed.
Before you begin
- If you need the certificate Subject name to use Active Directory usernames, you must sync your Active Directory and Google Directory with Google Cloud Directory Sync (GCDS). If necessary, set up GCDS.
- If you haven’t already uploaded a CA certificate in the Google Admin console, add a certificate.
- Review known issues to avoid unexpected behavior.
Known issues
- Certificates can’t be revoked after they’re installed on a device.
- SCEP profiles don’t support dynamic challenges.
- SCEP profile inheritance between organizational units can break down in some cases. For example, if you set a SCEP profile for an organizational unit and change a child organizational unit’s SCEP profile, none of the parent organizational unit’s SCEP profiles can be inherited by the child organizational unit again.
- For mobile devices, SCEP profiles can’t be applied to VPN or Ethernet configurations, only Wi-Fi.
- For ChromeOS devices, SCEP profiles can’t be directly applied to VPN or Ethernet configurations. To indirectly apply a SCEP profile to VPN or Ethernet configurations, use issuer or subject patterns to auto-select which certificate to use.
- For ChromeOS device users, certificates can only be deployed for users signed in to a managed device. The user and device must belong to the same domain.
Step 1: Download the Google Cloud Certificate Connector
Perform the following steps on the SCEP server or a Windows computer with an account that can sign in as a service on the SCEP server. Have the account credentials available.
If your organization has several servers, you can use the same certificate connector agent on all of them. Download the installer, configuration file, and key file and install the connector on one computer as described in the following steps. Then, copy those three files to each other server and follow the same setup instructions there.
Note: You download the Google Cloud Certificate Connector and its components only once, when you first set up certificates for your organization. Your certificates and SCEP profiles can share a single certificate connector.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Devices > Networks. Requires the Shared device settings administrator privilege.
- Click Secure SCEP > Download Connector.
- In the Install Google Cloud certificate connector section, click Download.
- On the Google Cloud Certificate Connector page, click Download to download the connector_installer.exe file.
- Close the Thanks for downloading Google Cloud Certificate Connector! page.
- In the Admin console, in the Download the connector configuration file section, click Download to download the config.json file.
- In the Get a service account key section, click Generate key to download the key.json file.
- Run connector_installer.exe as an administrator.
Note: The installer registers the connector service with default credentials (LocalService). Later, you can change the service to run as a different service account. To do so, go to the installation directory for the connector and run configtool.exe to open the ConfigTool.
- Move the configuration and key files (config.json and key.json) into the Google Cloud Certificate Connector folder created during installation, typically: C:\Program Files\Google Cloud Certificate Connector.
- Open the Google Cloud Certificate Connector service:
- Open Windows Services.
- Select Google Cloud Certificate Connector in the list of services.
- Click Start to start the service. Ensure that the status changes to Running. The service automatically restarts if the computer reboots.
If you download a new service account key later, restart the service to apply it.
Step 2: Add a SCEP profile
The SCEP profile defines the certificate that lets users access your Wi-Fi or Ethernet network or VPN. You assign the profile to specific users by adding it to an organizational unit. You can set up several SCEP profiles to manage access by organizational unit and device type. We recommend that you set a separate SCEP profile for each organizational unit that you want the profile to apply to.
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Devices > Networks. Requires the Shared device settings administrator privilege.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- For Secure SCEP, click Create Secure SCEP Profile. If you already created a SCEP profile, click Secure SCEP > Add Secure SCEP Profile.
- Enter the configuration details for the profile. If your CA issues a particular template, match the details of the profile to the template.
- Platforms this profile applies to—The device platforms that use the SCEP profile. For ChromeOS devices, make sure to check Chromebook (user), Chromebook (device), or both, depending on the type of certificate you want to deploy.
- SCEP profile name—A descriptive name for the profile. The name is shown in the list of profiles and in the profile selector in the Wi-Fi network configuration.
- Subject name format—Choose how you want to identify the certificate owner. If you select Fully Distinguished Name, the certificate Common Name is the user's username.
- Subject alternative name—Provide an SAN. Default is None. For ChromeOS devices, you can define subject alternative names based on user and device attributes. To use a custom certificate signing request (CSR), configure the certificate template on the CA to expect and generate a certificate with the subject values defined in the request itself. At minimum, you need to provide a value for the subject's CommonName.
You can use the following placeholders. All values are optional.
- ${DEVICE_DIRECTORY_ID}—Device’s directory ID
- ${USER_EMAIL}—Signed-in user’s email address
- ${USER_EMAIL_DOMAIN}—Signed-in user’s domain name
- ${DEVICE_SERIAL_NUMBER}—Device's serial number
- ${DEVICE_ASSET_ID}—Asset ID assigned to device by administrator
- ${DEVICE_ANNOTATED_LOCATION}—Location assigned to device by administrator
- ${USER_EMAIL_NAME}—First part (part before @) of the signed-in user’s email address
If a placeholder value isn’t available, it’s replaced with an empty string.
- Signing algorithm—The hash function used to encrypt the authorization key. Only SHA256 with RSA is available.
- Key usage—Options for how to use the key, key encipherment and signing. You can select more than one.
- Key size (bits)—The size of the RSA key. For ChromeOS devices, select 2048.
- For Security, select the type of attestation that will be required for connected devices. This setting does not apply to mobile devices.
- In the SCEP server attributes section, configure values and preferences for the SCEP server.
- SCEP server URL—The URL of the SCEP server.
- Certificate validity period (years)—How long the device certificate is valid. Enter as a number.
- Renew within days—How long before the device certificate expires to try to renew the certificate.
- Extended key usage—How the key can be used. You can choose more than one value.
- Challenge type—To require Google to provide a specified challenge phrase when it requests a certificate from the SCEP server, select Static and enter the phrase. If you select None, the server doesn’t require this check.
- Template name—The name of the template used by your NDES server.
- Certificate authority—The name of a certificate you uploaded to use as the Certificate Authority.
- Network type this profile applies to—The type of networks that use the SCEP profile.
- Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
After you add a profile, it's listed with its name and the platforms it's enabled on. In the Platform column, the profile is enabled for platforms with blue icons and disabled for platforms with gray icons. To edit a profile, point to the row and click Edit.
The SCEP profile is automatically distributed to users in the organizational unit.
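The placeholder rules above (each ${PLACEHOLDER} is replaced by the attribute, or by an empty string when the value is unavailable) are easy to trip over when the CommonName depends on an attribute not every device has. The following PowerShell is an added example, not code from the Admin console or the connector: it expands a SAN template exactly as the page describes and checks that the subject's CommonName did not end up empty. Sample attribute values are constructed, and applying the same placeholders to the Subject string is an assumption.

```powershell
# Added example: expand SCEP placeholders (missing values become '') and check the CN.
function Expand-ScepTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$Attributes
    )
    $result = $Template
    foreach ($m in [regex]::Matches($Template, '\$\{([A-Z_]+)\}')) {
        $name = $m.Groups[1].Value
        # Unknown or unset placeholders are replaced with an empty string, as on the page
        $value = ''
        if ($Attributes.ContainsKey($name) -and $null -ne $Attributes[$name]) {
            $value = [string]$Attributes[$name]
        }
        $result = $result.Replace($m.Value, $value)   # literal replace, no regex
    }
    return $result
}

function Test-ScepCommonName {
    param([Parameter(Mandatory)][string]$Subject)
    # The CA template expects a non-empty CN; an empty one produces an unusable request
    return -not ($Subject -match '(^|,)\s*CN=\s*(,|$)')
}

# Constructed sample: a user signed in to a device that has no asset ID assigned yet
$attrs = @{
    DEVICE_DIRECTORY_ID  = 'device-directory-id-sample'
    USER_EMAIL           = 'alice@example.com'
    USER_EMAIL_DOMAIN    = 'example.com'
    USER_EMAIL_NAME      = 'alice'
    DEVICE_SERIAL_NUMBER = 'SN000123'
    DEVICE_ASSET_ID      = $null   # administrator never set it
}

# Single quotes keep ${...} literal so the function, not PowerShell, does the expansion
$san     = Expand-ScepTemplate 'DNS:${DEVICE_SERIAL_NUMBER}.${USER_EMAIL_DOMAIN},RFC822:${USER_EMAIL}' $attrs
$subject = Expand-ScepTemplate 'CN=${DEVICE_ASSET_ID},O=Example Org' $attrs   # assumed subject usage

Write-Host "SAN:     $san"
Write-Host "Subject: $subject"
if (-not (Test-ScepCommonName $subject)) {
    Write-Warning 'CommonName expanded to an empty string; use a placeholder every device has, such as ${DEVICE_SERIAL_NUMBER}'
}
```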
Step 3: Configure the Google Cloud Certificate Connector's keystore
If your certificate is issued by a trusted CA or your SCEP server URL starts with HTTP, skip this step.
If your certificate isn’t issued by a trusted CA, such as a self-signed certificate, you need to import the certificate to the Google Cloud Certificate Connector keystore. Otherwise, the device certificate can’t be provisioned and the device can’t connect.
- Sign in to your CA.
- If a Java JRE isn’t already installed, install one so that you can use keytool.exe.
- Open a command prompt.
- Export your CA certificate and convert it to a PEM file by running the following commands:
certutil -ca.cert C:\root.cer
certutil -encode C:\root.cer C:\cacert.pem
- Import the CA certificate to the keystore. From the subdirectory of the Google Cloud Certificate Connector folder created during installation, typically C:\Program Files\Google Cloud Certificate Connector, run the following command, replacing java-home-dir with the path to the JRE in the Google Cloud Certificate Connector folder and cert-export-dir with the directory that holds the cacert.pem file you exported in step 4:
java-home-dir\bin\keytool.exe -import -keystore rt\lib\security\cacerts -trustcacerts -file cert-export-dir\cacert.pem -storepass changeit
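The export, conversion and import steps above can be run as one PowerShell script on the CA. This is an added example, not part of the connector or of Google's documentation: it skips the import when the alias already exists, fails loudly if keytool reports an error, and restarts the service so the connector picks up the new trust anchor. $ConnectorDir, $JavaHome, $CaCertFile, the alias name and the service display name are assumptions to adjust for your installation.

```powershell
# Added example: import a private CA certificate into the connector's JRE truststore.
$ConnectorDir = 'C:\Program Files\Google Cloud Certificate Connector'  # default install path
$JavaHome     = Join-Path $ConnectorDir 'rt'     # assumed: the JRE bundled with the connector
$CaCertFile   = 'C:\root.cer'                    # DER export written by certutil
$PemFile      = 'C:\cacert.pem'                  # Base64 (PEM) copy for keytool
$StorePass    = 'changeit'                       # default password of a JRE cacerts file
$Alias        = 'internal-scep-ca'               # assumed alias for the imported CA

# 1. Export the CA certificate and convert it to PEM (the page's two certutil commands)
certutil -ca.cert $CaCertFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -ca.cert failed; run this on the CA' }
certutil -encode $CaCertFile $PemFile | Out-Null
if (-not (Test-Path $PemFile)) { throw "PEM conversion failed: $PemFile not found" }

# 2. Paths inside the connector's JRE
$Keytool  = Join-Path $JavaHome 'bin\keytool.exe'
$Keystore = Join-Path $JavaHome 'lib\security\cacerts'
if (-not (Test-Path $Keytool)) { throw "keytool not found at $Keytool; check \$JavaHome" }

# 3. keytool -list exits non-zero when the alias is absent; only import in that case
& $Keytool -list -keystore $Keystore -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Alias '$Alias' is already trusted; nothing to import"
} else {
    & $Keytool -import -noprompt -trustcacerts -keystore $Keystore `
        -storepass $StorePass -alias $Alias -file $PemFile
    if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }
}

# 4. Show the stored entry, then restart the connector so it uses the updated truststore
& $Keytool -list -keystore $Keystore -storepass $StorePass -alias $Alias
Restart-Service -DisplayName 'Google Cloud Certificate Connector'   # assumed display name
```

Keep the temporary .cer and .pem files out of world-readable locations only as a hygiene matter; they contain the public CA certificate, not a private key.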
Step 4: Configure networks to require the SCEP profile (Optional)
Depending on the type of network, you can set it up to require the SCEP profile.
To control Wi-Fi network access for both mobile and ChromeOS devices, set up separate Wi-Fi networks for each. For example, set up one Wi-Fi network for mobile devices and assign a SCEP profile for mobile devices to it. Then, set up another Wi-Fi network for ChromeOS devices and assign a SCEP profile for ChromeOS devices.
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Devices > Networks. Requires the Shared device settings administrator privilege.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- For Wi-Fi, click Create Wi-Fi network. If you already set up a Wi-Fi network, click Wi-Fi > Add Wi-Fi.
- In the Platform access section, check the following boxes as needed: Android, iOS, Chromebooks (by user), Chromebooks (by device), or Google Meet hardware.
- In the Details section:
- Enter a name and SSID for the Wi-Fi network.
- For Security settings, select WPA/WPA2 Enterprise (802.1X) or Dynamic WEP (802.1X).
- For Extensible Authentication Protocol, select EAP-TLS or EAP-TTLS.
- If you selected EAP-TLS, for Provisioning Type, select SCEP profile or Certificate pattern and then choose an option:
- For SCEP profile, select the SCEP profile that you added in Step 2.
- For Certificate pattern, enter a value for Client enrollment URLs and one or more values for Issuer pattern or Subject pattern.
- Enter values or select options for any other Wi-Fi details that you need.
- Click Save.
- Share information with your users about connecting to the network:
- Their device must provide the certificate each time they try to connect to the Wi-Fi network.
- For Android and ChromeOS devices, the certificate corresponding to the user’s SCEP profile and the network are automatically entered so they just click Connect.
- For iOS devices, the user chooses the certificate to use and then clicks Connect.
You can control Ethernet network access for ChromeOS devices. You set up the network for the devices and then assign a SCEP profile to it.
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Devices > Networks. Requires the Shared device settings administrator privilege.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- For Ethernet, click Create Ethernet Network. If you already set up an Ethernet network, click Ethernet > Add Ethernet.
- In the Platform access section, check the following boxes as needed: Chromebooks (by user), Chromebooks (by device), or Google Meet hardware.
- In the Details section:
- Enter a name for the Ethernet network.
- For Authentication, select Enterprise (802.1X).
- For Extensible Authentication Protocol, select EAP-TLS or EAP-TTLS.
- If you selected EAP-TLS, for Provisioning Type, select SCEP profile or Certificate pattern and then choose an option:
- For SCEP profile, select the SCEP profile that you added in Step 2.
- For Certificate pattern, enter a value for Client enrollment URLs and one or more values for Issuer pattern or Subject pattern.
- Enter values or select options for any other Ethernet details that you need.
- Click Save.
- Share information with your users about connecting to the network:
- Their device must provide the certificate each time they try to connect to the Ethernet network.
- The certificate corresponding to their SCEP profile and the network are automatically entered on their ChromeOS device so they just click Connect.
You can control VPN access for ChromeOS devices. You set up the network for the devices and then assign a SCEP profile to it.
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Devices > Networks. Requires the Shared device settings administrator privilege.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- For VPN, click Create VPN Network. If you already set up a VPN, click VPN > Add VPN.
- In the Platform access section, check the following boxes as needed: Chromebooks (by user) or Chromebooks (by device).
- In the Details section:
- Enter a name and a remote host for the VPN.
- For VPN Type, select the type of VPN that you want and enter details for that type.
- If you selected OpenVPN and checked the Use client certificate box, for Provisioning Type, select SCEP profile or Certificate pattern and then choose an option:
- For SCEP profile, select the SCEP profile that you added in Step 2.
- For Certificate pattern, enter a value for Client enrollment URLs and one or more values for Issuer pattern or Subject pattern.
- Enter values or select options for any other VPN details that you need.
- Click Save.
- Share information with your users about connecting to the network:
- Their device must provide the certificate each time they try to connect to the VPN.
- The certificate corresponding to their SCEP profile and the network are automatically entered on their ChromeOS device so they just click Connect.
How certificate authentication through Google Cloud Certificate Connector works
The Google Cloud Certificate Connector is a Windows service that establishes an exclusive connection between your SCEP server and Google. The certificate connector is configured and secured by a configuration file and a key file, both dedicated to your organization only.
You assign device certificates to devices and users with SCEP Profiles. To assign a profile, you choose an organizational unit and add the profile to that organizational unit. The profile includes the Certificate Authority that issues device certificates. When a user enrolls their mobile or ChromeOS device for management, Google endpoint management fetches the user’s SCEP profile and installs the certificate on the device. For ChromeOS devices, a device certificate is installed before the user signs in, whereas a user certificate is installed after the user signs in. If the device is already enrolled, the certificate is installed as part of a regular sync cycle.
When a user attempts to connect to your network, they are prompted to provide the certificate. On Android devices, the certificate is automatically selected and the user clicks Connect. On iOS devices, the user must select the certificate manually and then connect. The device accesses your organization’s network using a key negotiated by Google over the certificate connector. Google temporarily stores the key during the security negotiation, but purges the key once it’s installed on the device (or after 24 hours).