Skip to main content
AMAT
AMAT
New Member
March 20, 2026
Solved

SCEP / NDES / Chromebook certificates

  • March 20, 2026
  • 1 reply
  • 79 views

Hello,

I’m trying to deploy certificates on Chromebooks for wifi connexion.  I’m lost in Google documentations, it’s a big labyrinth.  They seem to have change the manner to do and doc is not up to date.  I already built a environment PKI with Intune NDES/SCEP server and all is working great.  But for Google it’s another thing.  So if anyone have up to date (2026) docs, it would be appreciated.

Here are some questions that might help me:

  • Is Google Cloud Certificate Connector act as an application proxy?  Or we have to put our NDES/GCCC server in DMZ?
  • Is Pub/Sub on Google Cloud Project is mandatory?​​​​​​​
  • How to confiugre SCEP for chromebook, options for SCEP Secure are not available anymore.
  • Is all the config for certificates like device id etc is in the config connector file?

 

Thank you

 

 

 

Best answer by Connor

Hi ​@AMAT 

Assuming you are using enterprise management for your ChromeOS devices, the most updated guide is here. Download the PDF and it illustrates all the steps required. Most of the work is done in the Google admin console. 

  • Is Google Cloud Certificate Connector act as an application proxy?  Or we have to put our NDES/GCCC server in DMZ?
    • Yes, it acts like a proxy. You do not need your NDES server to be exposed to the public Internet. The cloud pub/sub endpoint is where certificate requests from clients will be handled. 
  • Is Pub/Sub on Google Cloud Project is mandatory?
    • Yes, this is now mandatory for new customers that want to use SCEP
  • How to confiugre SCEP for chromebook, options for SCEP Secure are not available anymore.
    • The guide I linked above has the details. Check the “Configure Google Admin and Google Cloud Certificate Connector” section starting on page 23. You will most likely use option A listed there. 
  • Is all the config for certificates like device id etc is in the config connector file?
    • This is configured in the SCEP profile you set up in the admin console. You choose whether to make the certificates device based or user based. 

Hope this helps!

Connor

1 reply

Connor
ConnorGoogle TeamAnswer
Google Team
March 23, 2026

Hi ​@AMAT 

Assuming you are using enterprise management for your ChromeOS devices, the most updated guide is here. Download the PDF and it illustrates all the steps required. Most of the work is done in the Google admin console. 

  • Is Google Cloud Certificate Connector act as an application proxy?  Or we have to put our NDES/GCCC server in DMZ?
    • Yes, it acts like a proxy. You do not need your NDES server to be exposed to the public Internet. The cloud pub/sub endpoint is where certificate requests from clients will be handled. 
  • Is Pub/Sub on Google Cloud Project is mandatory?
    • Yes, this is now mandatory for new customers that want to use SCEP
  • How to confiugre SCEP for chromebook, options for SCEP Secure are not available anymore.
    • The guide I linked above has the details. Check the “Configure Google Admin and Google Cloud Certificate Connector” section starting on page 23. You will most likely use option A listed there. 
  • Is all the config for certificates like device id etc is in the config connector file?
    • This is configured in the SCEP profile you set up in the admin console. You choose whether to make the certificates device based or user based. 

Hope this helps!

Connor

    AMAT
    AMATAuthor
    New Member
    March 30, 2026

    Thank you, I will have a look at that!

    Terms & ConditionsCookie settingsAccessibility statement