Enrolling Chrome OS Devices against EJBCA

The following sections describe how to install and configure the Google Cloud Certificate Connector to set up Chrome OS devices to automatically enroll for certificates from EJBCA.

Introduction

Chrome OS is an operating system based on Chromium (with Google Chrome as its primary UI) which is the default operating system on devices such as Chromebooks, Chromeboxes, Chromebases, and similar devices. To allow these devices to access the network, ensure internal network security and other PKI use cases, Chrome OS can be easily set up to automatically enroll for certificates from EJBCA over the SCEP protocol.

This scenario involves three parties: the enrolling Chrome OS devices, EJBCA, and the Google Cloud Certificate Connector.

Google Cloud Certificate Connector is a service installed on a third device that acts as an enrollment and administration portal for the enrolling Chrome OS devices.

EJBCA Configuration

Before you install and configure the Google Cloud Certificate Connector, you should have installed EJBCA and configured a CA that you would like to enroll against. The following sections outline the relevant settings of the Certificate Profile, End Entity Profile, and SCEP Alias.

Certificate Profile

Ensure that the following relevant fields are set in the Certificate Profile (EJBCA CA Functions > Certificate Profiles):

  • Authority Key ID: Use

  • Subject Key ID: Use

  • Key Usage: Digital Signature.

  • Extended Key Usage: Client Authentication.

For more information on Certificate Profiles, see Managing Certificate Profiles.

End Entity Profile

Ensure that the following Subject DN Attributes and Subject Alternative Name values are available in the End Entity Profile (EJBCA RA Functions > End Entity Profiles):

Subject DN Attributes

  • Common Name (CN)

  • Organizational Unit (OU)

  • Organization (O)

  • Country (C)

Subject Alternative Name (SAN)

  • RFC 822 Name (e-mail address)

  • DNS Name

  • IP Address

  • MS User Principal Name (UPN)

For more information on End Entity Profile settings, see End Entity Profile Operations.

SCEP Alias

Lastly, ensure that a SCEP alias is set up for the CA you configured above (EJBCA System Configuration > SCEP Configuration).

For more information on Configuring SCEP, see SCEP Operations Guide.

Google Cloud Certificate Connector

The following describes how to install and configure the Google Cloud Certificate Connector.

Step 1 - Install the Google Cloud Certificate Connector

The Google Cloud Certificate Connector is downloaded when first setting up your Google Cloud account, as documented in the Google Help page Set up certificates for managed mobile devices. The Connector needs to be installed on a Microsoft Windows Server.

To install the Google Cloud Certificate Connector, perform the following steps:

  1. Create an Active Directory service account user which will run the Google Cloud Certificate Connector. This account must have a static password.

  2. Connect to the Google Admin console with an administrator account.

  3. Under Devices > Networks, click Secure SCEP connector.

  4. The download connector page gives you access to:

    • The Connector Executable.

    • The connector configuration JSON file (config.json).

    • The service account credentials JSON file (key.json).

  5. Copy all the files downloaded to the server hosting the Google Cloud Certificate Connector.

  6. Run the Google Cloud Certificate Connector installer as an Administrator.

  7. In the Google Cloud Certificate Connector Installer wizard, click Next.

  8. Accept the terms of the license agreement and click Next.

  9. Choose to install the service for Anyone who uses this computer and click Next.

  10. Select the installation location. Google recommends using the default. Click Next.

  11. Select a program folder, in this example Google Cloud Certificate Connector, and click Next.

  12. Enter your AD service account credentials and click Next. Note that the connector cannot be installed with a non-domain account.

  13. View the settings and click Next to begin the installation.

  14. The Connector installs.

Step 2 - Configure the Google Cloud Certificate Connector

To configure the Google Cloud Certificate Connector, perform the following steps:

  1. Put the connector configuration JSON file (config.json) and the service account credentials JSON file (key.json) in the Google Cloud Certificate Connector folder created during installation, typically: C:\Program Files\Google Cloud Certificate Connector.

  2. For the TLS handshake between the Google Cloud Certificate Connector and EJBCA to succeed, EJBCA's Management CA certificate needs to be added to the CA store (Java truststore) of the Google Cloud Certificate Connector:

    • Locate the CA store of the Google Cloud Certificate Connector. The default location is: C:\Program Files\Google Cloud Certificate Connector\rt\lib\security\cacerts.

    • Next, either install a Java SDK on the Google Cloud Certificate Connector server or copy the cacerts file to a computer where a Java SDK is installed.

    • Add the Management CA certificate using the keytool utility (changeit is the default password of a Java cacerts store):

      keytool.exe -import -keystore ./cacerts -trustcacerts -file <ManagementCA.pem> -storepass changeit


    • If keytool was not run on the server itself, copy the cacerts file back to the Google Cloud Certificate Connector server. Default location: C:\Program Files\Google Cloud Certificate Connector\rt\lib\security.

  3. Start the Google Cloud Certificate Connector service.

  4. In the Windows Event Viewer, check that the service started properly. You should see events showing that:

    • The Google Cloud Certificate Connector was able to parse its configuration.

    • The service initialized.

    • Every 30 seconds, the service polls the Google backend for requests to process.

Step 3 - Add your CA to Google Cloud

To add your own CA certificate to Google Cloud, do the following:

  1. Connect to the Google Admin console with an administrator account.

  2. Under Devices > Networks > Certificates, click Add certificate. This should be done at the root of the Google domain or at the Chromebooks root OU.

  3. Provide a name for the CA (otherwise, the common name of the issuer is used). Then upload the CA certificate in PEM format and choose to deploy it on Chromebooks.

  4. Click Add to add the CA certificate.

Step 4 - Configure the SCEP Profile

To add and configure a secure SCEP profile in the Google Admin console, do the following:

  1. Connect to the Google Admin console with an administrator account.

  2. Under Devices > Networks > Secure SCEP connector, select Add Secure SCEP Profile. This can be done at the root domain level, at the Chromebooks root OU in the case of device certificates, or at the Users root OU in the case of user certificates.

  3. Specify a SCEP profile name, Subject name format, and Key size. The following example is focused on issuing device certificates, but can easily be adapted for user certificates.
    CSR subject fields are defined in the SCEP profile. Placeholder variables can be used to customize the CSR as needed. For available placeholder variables, refer to the Google Help article Set up digital certificate provisioning.

  4. If needed, Subject alternative names (SANs) can also be added.

  5. Configure the following:

    • SCEP server URL: The URL of the SCEP server should look something like: https://<hostname>:<port>/ejbca/publicweb/apply/scep/<alias>/pkiclient.exe.

    • Certificate characteristics.

    • Challenge type: The static challenge (pass-phrase) used to authenticate the request coming from the Google Cloud Certificate Connector on the SCEP server and the corresponding certificate authority.

  6. Configure how this template should be applied on Chromebooks, per user or per device.

  7. Click Save to add the profile.

The added SCEP profile is listed with its name and the platforms it is enabled on. In the Platform column, the profile is enabled for platforms with blue icons and disabled for platforms with grey icons.

You have now completed the steps for configuring the Google Cloud Certificate Connector and can continue to test the setup in the next section.
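Before testing from a Chromebook, it is useful to check the SCEP alias from the Connector host in the same way the Connector will use it. The following Python script is an added example and is not part of the EJBCA or Google documentation. It builds the SCEP URL in the form given in Step 4, queries the standard SCEP GetCACaps and GetCACert operations (RFC 8894) over TLS while trusting only the Management CA (which is what the cacerts import in Step 2 achieves), flags weak or missing server capabilities, and compares the CA certificate returned by EJBCA with the PEM file uploaded to Google Admin in Step 3. The hostname, port, alias, CA name and file paths are placeholders, and the assumption that EJBCA's GetCACert takes the CA name in the message parameter should be checked against your EJBCA version.

```python
"""Pre-flight check of an EJBCA SCEP alias before enrolling Chrome OS devices.
Added example; not part of the EJBCA or Google Cloud Certificate Connector
documentation. All hostnames, aliases, CA names and paths are placeholders."""
import base64
import hashlib
import ssl
import urllib.parse
import urllib.request

# Constructed sample PEM (the base64 of the bytes b"constructed"), used only
# to exercise pem_to_der() offline; it is not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"


def scep_url(host, port, alias, operation, message=None):
    """Build the EJBCA SCEP URL for one operation, matching the documented
    pattern https://<hostname>:<port>/ejbca/publicweb/apply/scep/<alias>/pkiclient.exe"""
    base = f"https://{host}:{port}/ejbca/publicweb/apply/scep/{alias}/pkiclient.exe"
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return base + "?" + urllib.parse.urlencode(params)


def parse_cacaps(body):
    """Parse a GetCACaps response (one capability keyword per line) into a set."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def check_cacaps(caps):
    """Return findings about the advertised capabilities. A client that cannot
    use POST or a SHA-2 digest has to fall back to weaker SCEP modes."""
    findings = []
    if "POSTPKIOperation" not in caps:
        findings.append("server does not advertise POSTPKIOperation")
    if "SHA-256" not in caps and "SHA-512" not in caps:
        findings.append("no SHA-2 digest advertised (SHA-256/SHA-512); clients fall back to weaker hashes")
    if "Renewal" not in caps:
        findings.append("Renewal not advertised; check how re-enrollment is expected to work")
    return findings


def pem_to_der(pem_text):
    """Strip the PEM armour and return the DER bytes of the first certificate."""
    lines = [ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def sha256_fingerprint(der_bytes):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def fetch(url, management_ca_pem_path):
    """GET the URL trusting only the EJBCA Management CA for TLS, exactly the
    trust the Connector has after the cacerts import. Returns (content_type, body)."""
    ctx = ssl.create_default_context(cafile=management_ca_pem_path)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


def preflight(host, port, alias, ca_name, management_ca_pem_path, uploaded_ca_pem_path):
    """Run the checks against a live EJBCA and return (capabilities, findings)."""
    _, caps_body = fetch(scep_url(host, port, alias, "GetCACaps"), management_ca_pem_path)
    caps = parse_cacaps(caps_body.decode("ascii", "replace"))
    findings = check_cacaps(caps)

    # Assumption: EJBCA takes the CA name in the GetCACert message parameter.
    ctype, cert_body = fetch(scep_url(host, port, alias, "GetCACert", ca_name),
                             management_ca_pem_path)
    if ctype.startswith("application/x-x509-ca-cert"):
        with open(uploaded_ca_pem_path) as f:
            expected = sha256_fingerprint(pem_to_der(f.read()))
        if sha256_fingerprint(cert_body) != expected:
            findings.append("GetCACert returned a CA that differs from the PEM uploaded to Google Admin")
    else:
        # A PKCS#7 chain (application/x-x509-ca-ra-cert) needs a manual comparison.
        findings.append(f"GetCACert returned {ctype}; compare the chain against the uploaded CA manually")
    return caps, findings


if __name__ == "__main__":
    # Placeholder values; replace with your own EJBCA host, alias, CA name and files.
    caps, findings = preflight("ejbca.example.test", 8442, "chromeos", "ChromeOSCA",
                               "ManagementCA.pem", "ChromeOSCA.pem")
    print("capabilities:", sorted(caps))
    print("findings:", findings or "none")
```

If the TLS handshake in fetch() fails with a certificate verification error, the same failure will affect the Connector, and the Management CA import from Step 2 is the first thing to revisit.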

Test Enrolling a Chrome OS Device

Do the following to follow the certificate creation process and verify that the certificate is properly added to a Chromebook:

  1. Connect to a user session on a Chromebook.

  2. Ensure that the device/user gets the policies to create the certificate request in chrome://policy (RequiredClientCertificateForDevice for a device certificate and RequiredClientCertificateForUser for a user certificate).

  3. Under chrome://certificate-manager, follow the certificate creation process.

  4. On the Google Cloud Certificate Connector event viewer, look for the following events:

    • Processed Requests.

    • Google Cloud Certificate Connector submitting the SCEP request to EJBCA and receiving a certificate.

    • Acknowledgment (ACK) message between the Connector and the Google backend, pushing the certificate to the Chromebook.

  5. Check that the certificate has been properly added to the Chromebook under chrome://certificate-manager.

  6. In the case of a device certificate, this process is also triggered just after a device enrollment.