Can ChromeOS devices enroll certificates via SCEP directly without Google Cloud Certificate Connector (GCCC)?
Environment:
- We have a public-facing SCEP server (RFC 8894 compliant)
- SCEP server is accessible via HTTPS from the internet
- We successfully use this SCEP server for Intune and JAMF device enrollment
- We're trying to extend it to ChromeOS devices
Our Approach:
Instead of deploying GCCC (Google Cloud Certificate Connector), we want to:
1. Configure SCEP CA Connection in Google Admin Console → directly point to our SCEP endpoint
2. Create SCEP Profile Configuration in Google Admin Console
3. Have ChromeOS devices call our SCEP server directly (similar to how Intune/JAMF devices do)
Our Question:
Is it possible for ChromeOS devices to enroll certificates via SCEP directly to an external SCEP server WITHOUT using GCCC?
Specifically:
- Will ChromeOS devices make direct HTTPS calls to a custom SCEP endpoint?
- Are there any security policies or platform limitations that prevent this?
- If supported, what's the recommended configuration in Google Admin Console?
Context:
- Our SCEP server is public-facing and already handles Intune/JAMF enrollment
- We have SSL certificates and proper TLS setup
- We can configure challenge passwords in the SCEP profile
Any guidance or reference documentation would be appreciated. Thank you!
