sam140702
New Member
June 29, 2026
Solved

Can ChromeOS devices enroll certificates via SCEP directly without Google Cloud Certificate Connector (GCCC)?

Environment:
- We have a public-facing SCEP server (RFC 8894 compliant)
- SCEP server is accessible via HTTPS from the internet
- We successfully use this SCEP server for Intune and JAMF device enrollment
- We're trying to extend it to ChromeOS devices

Our Approach:
Instead of deploying GCCC (Google Cloud Certificate Connector), we want to:
1. Configure SCEP CA Connection in Google Admin Console → directly point to our SCEP endpoint
2. Create SCEP Profile Configuration in Google Admin Console
3. Have ChromeOS devices call our SCEP server directly (similar to how Intune/JAMF devices do)

Our Question:
Is it possible for ChromeOS devices to enroll certificates via SCEP directly to an external SCEP server WITHOUT using GCCC? 

Specifically:
- Will ChromeOS devices make direct HTTPS calls to a custom SCEP endpoint?
- Are there any security policies or platform limitations that prevent this?
- If supported, what's the recommended configuration in Google Admin Console?

Context:
- Our SCEP server is public-facing and already handles Intune/JAMF enrollment
- We have SSL certificates and proper TLS setup
- We can configure challenge passwords in the SCEP profile

Any guidance or reference documentation would be appreciated. Thank you!
 


    Rafa
    Community Manager
    Answer
    June 30, 2026

    Hi @sam140702,

    Thanks for bringing your query into the community!

    I checked with a few experts internally and can confirm that the GCCC connector is still required even if you're using Cloud PKI.

    When using a non-NDES SCEP solution, this guide applies (starting from "Configure Google Cloud Project (Page 22)").

    Hope this helps and please do let us know if you have any other questions.

    sam140702
    Author
    New Member
    June 30, 2026

    Thanks for the clarification. This answers my question and gives us the right direction for our implementation. Much appreciated!

    Rafa
    Community Manager
    June 30, 2026

    You’re very welcome and glad to hear it! 
