ChromeOS Migration: Google SCEP to Google Certificate Provisioning API

Introduction

The Certificate Provisioning Solution is a modern, API-based solution mandated by Google for ChromeOS certificate enrollment, replacing the legacy Simple Certificate Enrollment Protocol (SCEP) model. This transition reflects a broader shift toward a Zero Trust security model.

The Certificate Provisioning Connector leverages Google Verified Access to cryptographically confirm that each request originates from a trusted, enterprise-enrolled Chromebook with an intact Trusted Platform Module (TPM) chip, unlike legacy SCEP, which lacks device-level validation. This prevents unauthorized use cases such as credential cloning, where a user might extract a SCEP challenge and use it on an unmanaged device to access corporate resources.

This guide explains how to migrate ChromeOS devices from Google SCEP-based certificate enrollment to Google Certificate Provisioning using SecureW2. The migration is non-disruptive: existing SCEP certificates remain valid while SecureW2 provisions new certificates in the background. The Wi-Fi profile updates only after all devices receive the new certificates.

Impact of Not Migrating and Key Deadlines

Google is deprecating the Google SCEP API at the end of 2026. If you don’t migrate before this deadline, you won’t be able to enroll new certificates for your ChromeOS devices. Existing certificates remain valid until they expire, and devices stay connected, but once those certificates expire they cannot be renewed through SCEP. To avoid disruption, migrate to the Certificate Provisioning Solution before the deadline.

Prerequisites

The following prerequisites are required to enroll Chromebooks using the Google Certificate Provisioning Connector:

  1. Google Cloud Console access: Project Owner or Editor role at https://console.cloud.google.com
  2. Google Admin Console access: Super Admin role at https://admin.google.com
  3. SecureW2 Admin Portal access: CA Admin and Integration Hub permissions
  4. Existing SCEP Wi-Fi profile: already deployed to ChromeOS devices
  5. Wi-Fi profile settings: the SSID configured on the Getting Started page (Device Onboarding > Getting Started) in JoinNow matches your target Wi-Fi network, and the EAP Method is set to EAP-TLS
  6. New Intermediate CA: created in SecureW2 specifically for Certificate Provisioning


NOTE: Create a new Intermediate CA in SecureW2 for Certificate Provisioning. Do not reuse the existing SCEP Intermediate CA, as this can cause conflicts during migration.

Configure Google Cloud Console

In this section, you set up the Google Cloud resources that enable communication between Google and SecureW2. This includes creating a Pub/Sub topic for certificate events, enabling the required APIs, and creating a service account with the permissions SecureW2 needs to process enrollment requests.

Create a Pub/Sub Topic

Pub/Sub is the messaging service that enables real-time communication between Google and SecureW2’s Certificate Provisioning API. When a ChromeOS device requests a certificate, Google publishes the request to the Pub/Sub topic. SecureW2’s Certificate Provisioning API subscribes to that topic, receives the request, and forwards it to the Dynamic PKI-driven policy engine to issue the certificate. The issued certificate is then returned to the device.

Pub/Sub is a core requirement of the Certificate Provisioning Solution. Without it, SecureW2’s Certificate Provisioning Connector cannot receive certificate requests from Google in real time.

To create the Pub/Sub topic, perform the following steps:

  1. Log in to the Google Cloud Console and select the project you will use for Certificate Provisioning.
  2. Navigate to Pub/Sub > Topics.
  3. Click Create topic.
  4. On the Create topic page, enter a name in the Topic ID field. The Topic name is populated automatically and serves as the globally unique identifier for the topic. It follows this format: projects/<project_id>/topics/<topic_name>
  5. Copy the Topic name to a text editor. You will need it when configuring the Google Admin Console.
  6. Leave Add a default subscription selected and click Create. Google creates the topic and a pull subscription on it.
  7. Copy the Subscription ID of that subscription to a text editor. You will need it to configure the JoinNow Management Portal. If you create the subscription separately instead, make sure it is a pull subscription on this topic; nothing in this setup configures a push endpoint.

Enable Chrome Management API

The Chrome Management API is enabled to allow the Google Cloud project to communicate with SecureW2’s Certificate Provisioning API for ChromeOS device enrollment. This section describes how to enable the Chrome Management API for your Google Cloud project.

  1. Navigate to APIs & Services > Library.
  2. Search for “Chrome Management API” and click Enable to activate the Chrome Management API for the project.
  3. Verify the Cloud Pub/Sub API is also enabled.
    1. Go to APIs & Services > Enabled APIs & Services.
    2. Confirm Cloud Pub/Sub API appears in the list. 
    3. If not, return to APIs & Services > Library, search for it, and click Enable.

Create a Service Account & Download Key

In this section, you create a service account in your Google Cloud project and download its JSON key. SecureW2 uses this key to authenticate with your Google Cloud project and subscribe to certificate enrollment events from the Pub/Sub topic.

  1. Navigate to IAM & Admin > Service Accounts.
  2. Click Create service account.
  3. On the Create Service Account page: 
    1. In the Create Service Account section, provide the following details:
      1. In the Service account name field, enter a name for the service account. The name you enter also serves as the service account ID. Copy the service account email address to a text editor. 
      2. Click Create and Continue. The service account is created. Skip the role assignment and click Done.
  4. Select the newly created service account.
  5. Select the Keys tab. 
  6. Click Add Key and select Create new key.
  7. Select JSON as the key type and click Create. The key file is downloaded to your machine.

NOTE: The JSON key is a long-lived credential: anyone who holds it can act as the service account in your Google Cloud project. Store it in your secrets store, keep the file owner-only while it sits on disk, and delete local copies once it has been uploaded to the JoinNow Management Portal (see the Create a Device Management Platform section). If the key is ever exposed, delete it from the service account’s Keys tab and issue a new one.

Assign IAM Permissions

IAM permissions control what each service account can do in your Google Cloud project. For Certificate Provisioning to work, two service accounts must have specific permissions: the one you created earlier and Google’s built-in system account. Without these permissions, certificate provisioning events can’t flow between Google and SecureW2.

Assign IAM Roles to Your Service Account

In this section, you grant your service account the IAM roles it needs to interact with Pub/Sub and the Chrome Management API.

  1. Navigate to IAM & Admin > IAM > Grant access.
  2. On the Grant access to pane:
    1. In the Add principals field, enter the service account email address that you copied in the Create a Service Account & Download Key section.
    2. In the Assign roles section: 
      1. From the Role drop-down list, select Pub/Sub Publisher.
      2. Click + Add another role.
      3. From the Role drop-down list, select Pub/Sub Subscriber.
      4. Click + Add another role.
      5. From the Role drop-down list, select API Management Admin.
    3. Click Save.

Assign IAM Roles to Google's Built-in System Service Account

Google uses this system service account to publish certificate provisioning events to your Pub/Sub topic. Without these permissions, Google cannot deliver enrollment events to SecureW2.

  1. On the IAM page, click Grant Access.
  2. On the Grant access to pane:
    1. In the Add principals field, enter cert-provisioning-api-pubsub-publisher@system.gserviceaccount.com
    2. In the Assign roles section: 
      1. From the Role drop-down list, select Pub/Sub Publisher.
      2. Click + Add another role.
      3. From the Role drop-down list, select Pub/Sub Subscriber.
      4. Click + Add another role.
      5. From the Role drop-down list, select API Management Admin.
    3. Click Save.

NOTE: These are project-level grants. The system account’s job is to publish to the one topic you created, so if your organization enforces least privilege, grant it Pub/Sub Publisher on that topic only (from the topic’s Permissions panel under Pub/Sub > Topics), validate the connection from the JoinNow Management Portal, and only then remove any broader roles that prove unnecessary.

Configure Google Admin Console

In this section, you configure the Google Admin Console to connect Google’s certificate provisioning infrastructure with SecureW2. You upload the dedicated Intermediate CA certificate, create a Certificate Authority connection that references the Pub/Sub topic and service account from the previous section, and create a Certificate Provisioning Profile that defines how and when ChromeOS devices request certificates through this connection.

Create a Server Certificate Authority

Prerequisite: Create the new dedicated Intermediate CA in SecureW2 (see the Create a SecureW2 Intermediate CA section) and download its certificate before this step. Do not upload the existing SCEP Intermediate CA.

  1. Log in to the Google Admin Console.
  2. Navigate to Devices > Networks > Certificates > Server Certificate Authority Certificates.
  3. Click ADD CERTIFICATE.
  4. On the Add certificate page:
    1. In the Name field, enter a name for the certificate. Record this name exactly as entered; the Certificate Authority connection and the Certificate provisioning profile in the next sections must reference it verbatim.
    2. Click UPLOAD and select the intermediate CA certificate downloaded from the JoinNow Management Portal.
    3. Select the Enabled for Chromebook option.
    4. Click Add.

Create a Certificate Authority Connection

To create a Certificate Authority Connection in the Google Admin Console, perform the following steps:

  1. Navigate to Devices > Networks > Certificates > Certificate Authority connections.
  2. Click ADD CONNECTION.
  3. On the Add Certificate Authority connection page:
    1. In the Certificate Authority Connection Type field, select Generic Certificate Authority connection.
    2. In the Certificate Authority connection name field, enter a name that identifies the purpose of the connection in the Google Admin Console.
    3. In the Service account field, enter the service account email address that you copied in the Create a Service Account & Download Key section.
    4. In the Pub/Sub topic field, enter the topic name that you copied in the Create a Pub/Sub Topic section.
    5. In the Certificate Authority connection configuration identifier field, enter the exact name of the intermediate CA certificate that you uploaded in the Create a Server Certificate Authority section.
    6. Click ADD.

Create a Certificate Provisioning Profile

This section describes how to create a Certificate Provisioning Profile in the Google Admin Console.

  1. Navigate to Devices > Networks > Certificates > Certificate provisioning profiles.
  2. Click ADD PROFILE.
  3. On the Add Certificate provisioning profile page:
    1. From the Referenced Certificate Authority connection drop-down list, select the Certificate Authority Connection that you created earlier.
    2. In the Certificate provisioning profile name field, enter a name to identify the certificate provisioning profile in the Google Admin Console.
    3. In the Certificate provisioning profile config reference field, enter the exact name of the intermediate CA certificate that you uploaded in the Create a Server Certificate Authority section.
      NOTE: The Intermediate CA Name must exactly match the Intermediate CA created in the Create a Server Certificate Authority section. A mismatch prevents certificate issuance.
    4. Click ADD.

Configure JoinNow Management Portal

This section connects SecureW2 to Google Certificate Provisioning and defines how certificates are issued and validated. The following sections are configured:

  1. Create a Device Management Platform
  2. Create a SecureW2 Intermediate CA
  3. Create Policies

Create a Device Management Platform

Google Certificate Provisioning is Google’s API-based implementation of a dynamic SCEP workflow. Unlike legacy SCEP, which uses a static challenge password that every device presents, the Certificate Provisioning Connector generates a unique, single-use challenge for each certificate request, so a challenge captured from one device cannot be replayed from another.

To create a Device Management Platform, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Integration Hub > Device Management Platforms.
  3. Click Add.
  4. In the Basic section, enter the device management platform name in the Name field.
  5. In the Description field, enter the description for the device management platform.
  6. From the Type drop-down list, select Google Certificate Provisioning.
  7. Click Save.
  8. Click the Configuration tab and configure the following settings:
    1. In the Service Account Key File (key.json) field, click Choose file to upload the key file obtained from the Create a Service Account & Download Key section.
    2. In the Subscription Name field, enter the subscription ID obtained from the Create a Pub/Sub Topic section.
    3. Click Validate to verify the connection with Google. A “Connection verified successfully” message is displayed when validation succeeds.
  9. Click Update.
  10. If validation fails, check the following:
    1. The JSON key file belongs to the correct service account.
    2. The Subscription ID is correct, and the Pub/Sub subscription exists.
    3. IAM roles are assigned to both service accounts (refer to the Assign IAM Permissions section).
    4. The Chrome Management API is enabled (refer to the Enable Chrome Management API section).
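The first two checks in the list above can be run offline against the downloaded key.json before you click Validate. The following Python script is an added example, not SecureW2’s or Google’s code: it confirms the file is a service_account key (not a user credential), that client_email lives in the key’s project_id, that the Subscription ID (bare, or as a full projects/<project>/subscriptions/<id> resource name) is in the same project, and that the file is not readable by other local users. The project, account and subscription names in the embedded sample are constructed, and the sample private key is a dummy string, not a real key.

```python
import json
import os
import re
import stat
import tempfile

# Address format Google generates for a user-created service account.
SA_EMAIL_RE = re.compile(r"^[a-z][-a-z0-9]*@([a-z][-a-z0-9]*)\.iam\.gserviceaccount\.com$")
# Full resource name of a Pub/Sub subscription.
SUBSCRIPTION_RE = re.compile(r"^projects/([^/]+)/subscriptions/([^/]+)$")
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "client_id")


def check_key_json(text, expected_email=None):
    """Return findings for a downloaded key.json; an empty list means every local check passed."""
    findings = []
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc}"]
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        return [f"key file is missing fields: {', '.join(missing)}"]
    if key["type"] != "service_account":
        findings.append(f"type is {key['type']!r}; a service_account key is required, not a user credential")
    match = SA_EMAIL_RE.match(key["client_email"])
    if not match:
        findings.append(f"client_email {key['client_email']!r} is not a user-created service account address")
    elif match.group(1) != key["project_id"]:
        findings.append(f"client_email is in project {match.group(1)!r} but project_id is {key['project_id']!r}")
    if expected_email and key["client_email"] != expected_email:
        findings.append(f"key belongs to {key['client_email']!r}, not the expected {expected_email!r}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM-encoded PKCS#8 block")
    return findings


def check_subscription(value, project_id):
    """Accept a bare Subscription ID or a full resource name; check it lives in the key's project."""
    if "/" not in value:
        value = f"projects/{project_id}/subscriptions/{value}"
    match = SUBSCRIPTION_RE.match(value)
    if not match:
        return [f"unrecognised subscription name {value!r}"]
    if match.group(1) != project_id:
        return [f"subscription is in project {match.group(1)!r} but the key is for {project_id!r}"]
    return []


def check_key_file_mode(path):
    """Flag a key file that other local users can read (POSIX permission bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {oct(mode)}; restrict it to the owner (chmod 600)"]
    return []


def preflight(key_text, subscription, expected_email=None):
    """Everything that can be verified without calling Google: key shape, identity, subscription project."""
    findings = check_key_json(key_text, expected_email)
    try:
        project_id = json.loads(key_text).get("project_id")
    except json.JSONDecodeError:
        project_id = None
    if project_id:
        findings += check_subscription(subscription, project_id)
    return findings


# Constructed sample: same shape as a real key.json, dummy private key, made-up names.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-chromeos-pki",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...dummy, not a real key...\n-----END PRIVATE KEY-----\n",
    "client_email": "securew2-certprov@example-chromeos-pki.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

if __name__ == "__main__":
    for sub in ("certprov-topic-sub", "projects/other-project/subscriptions/certprov-topic-sub"):
        print(f"{sub}: {preflight(SAMPLE_KEY, sub) or 'OK'}")
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        fh.write(SAMPLE_KEY)
    os.chmod(fh.name, 0o644)          # deliberately too permissive, to show the finding
    print(check_key_file_mode(fh.name))
    os.remove(fh.name)
```

Run it with the contents of the real key.json and the Subscription ID you pasted into the portal. An empty findings list means the local half of the validation passed; whatever still fails after that is an IAM grant, API enablement, or subscription-existence problem on the Google side.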

Create a SecureW2 Intermediate CA

SecureW2 recommends a new Intermediate CA dedicated to Certificate Provisioning enrollments; do not reuse the existing SCEP Intermediate CA (see the note in the Prerequisites section).

To create a new Intermediate CA, perform the following steps:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Click Add Certificate Authority.
  3. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  4. From the Type drop-down list, select Intermediate CA.
  5. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  6. For the Common Name field, enter a name.
  7. From the Key Size drop-down list, select 2048 for the CA certificate key pair. 
  8. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  9. In the Validity Period (in years) field, enter the validity period for the Intermediate CA in terms of the number of years.
  10. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select the frequency interval for which a certificate expiration notification should be sent to users.
    2. Select the Notify user on successful Enrollment checkbox to notify users after a successful enrollment.
    3. If the certificate’s RFC 822 name (email) field contains a valid email address, the user receives a certificate-issued or expired notification; otherwise, no notification is sent.
  11. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
      1. Since last usage – Select this checkbox to revoke the certificate after a specified number of days if it remains unused.
      2. Since certificate issuance – Select this checkbox to revoke the certificate after a specified number of days after it is issued.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked. 
      1. Certificate Hold
      2. AA Compromise
      3. Privilege Withdrawn
      4. Unspecified
  12. Click Save. This generates the new intermediate CA.

Policy Management

Policy Management defines how JoinNow segments devices, issues certificates, and grants network access. Configure the following policies:

  1. Policy Workflow – segments users and devices based on attributes or groups.
  2. Enrollment Policy – assigns the certificate template and Intermediate CA for each workflow.
  3. Network Policy – applies RADIUS attributes such as VLAN assignment during WiFi authentication.

Create a Policy Workflow

The Policy Workflow facilitates the segmentation of users and devices based on predefined criteria or associated attributes and groups, with each segment identified as a distinct Policy Workflow. This allows admins to configure the issuance of specific certificate types or formats for each Policy Workflow through an Enrollment Policy.

To create a policy workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Basic section, enter the name of the policy workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save. The page refreshes, and the Conditions tab is displayed.
  6. Select the Conditions tab.
  7. From the Core Provider drop-down list, select the Google Certificate Provisioning device management platform you created in the Create a Device Management Platform section.
  8. Click Update.

Create an Enrollment Policy

An Enrollment Policy defines the client certificate template and the Certificate Issuer to be used for each Policy Workflow. It leverages the segmentation established in the Policy Workflow to ensure that the appropriate client certificate template is issued for each workflow.

To create an Enrollment policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save. The page refreshes, and the Conditions and Settings tabs are displayed.
  6. Select the Conditions tab.
    1. From the Policy Workflow list, select the policy workflow you created earlier (see the Create a Policy Workflow section).
    2. From the Device Role list, select DEFAULT DEVICE ROLE POLICY 1.
  7. Select the Settings tab.
    1. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Create a SecureW2 Intermediate CA​ section).
    2. From the Use Certificate Template drop-down list, select the default certificate template.
    3. In the other settings, retain the default values.
  8. Click Update.

Create a Network Policy

Similar to the Enrollment Policy, the Network Policy applies settings to a particular Policy Workflow. It allows us to specify whether the device will be granted or denied network access, along with other RADIUS attributes that can be sent, which are most commonly VLAN assignments. 

Like with the Enrollment Policy, we are just going to show how to map our Policy Workflow (created in the Create a Policy Workflow section) to our Network Policy.

  1. Navigate to Policy Management > Network.
  2. Click Add Network Policy.
  3. Under the Basic section, in the Name field, enter the name of the network policy.
  4. In the Display Description field, enter a suitable description for the network policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs appear.
  7. Select the Conditions tab.
  8. Click Add rule and select the policy workflow to assign to this network policy. Devices that authenticate with certificates issued through this workflow (that is, by the Certificate Provisioning Intermediate CA) are evaluated against this network policy during Wi-Fi authentication.


    NOTE: You can assign a network policy to multiple user roles.
  9. Select the Settings tab.
    1. Click Add Attribute.
    2. From the Dictionary drop-down list, select an option: 
      1. Radius: IETF: This is what we will use for the following attributes, as we are using standard RADIUS attributes for VLAN assignment.
      2. Custom: Used for any VSAs (Vendor-Specific Attributes).
    3. From the Attribute drop-down list, select an option.
    4. In the Value field, enter the appropriate value for the attribute.
    5. Click Save.
    6. Repeat for any other RADIUS attribute you would like to send. For reference, the attributes commonly required for VLAN assignment (the RFC 2868 tunnel attributes) are:
      1. Tunnel-Type: VLAN
      2. Tunnel-Medium-Type: IEEE-802
      3. Tunnel-Private-Group-ID: {VLAN ID or VLAN name, whichever your switch or wireless controller expects}
  10. Click Update.

Every RADIUS Authentication request will run through the policies configured here. Now, when a device attempts to authenticate to the network, we will validate its attributes before deciding whether to grant it access and which VLAN to assign it to.
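To make the attribute list above concrete, here is an added Python example (not SecureW2 code) that builds the three RFC 2868 tunnel attributes a RADIUS server sends in an Access-Accept for VLAN assignment, computes the RFC 2865 Response Authenticator over them with the shared secret, and verifies it the way the NAS does. Tunnel-Type VLAN is value 13, Tunnel-Medium-Type IEEE-802 is value 6, and Tunnel-Private-Group-ID carries the VLAN ID or name as a string; all three carry the same tag byte so the NAS treats them as one set. The VLAN 100, packet identifier 7 and shared secret in the demo are constructed values. The point for the network policy is that the VLAN a client lands in is only as trustworthy as the RADIUS shared secret, because the NAS honours the attributes once the authenticator checks out.

```python
import hashlib
import hmac
import os
import struct

# RFC 2868 tunnel attributes used for 802.1X dynamic VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"
NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type, tag, value):
    """Tagged integer (RFC 2868 section 3.1): Tag(1) + 3-byte big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan, tag=1):
    """The three attributes a NAS needs to place a session in a VLAN; vlan may be an ID or a name."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 0x01..0x1F so the NAS groups the three attributes")
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))


def parse_attributes(data):
    """Decode a RADIUS attribute list into (name_or_type, tag, value) tuples."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((NAMES[attr_type], value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first octet is a tag only if it is <= 0x1F; otherwise it is string data.
            if value and value[0] <= 0x1F:
                out.append((NAMES[attr_type], value[0], value[1:].decode()))
            else:
                out.append((NAMES[attr_type], 0, value.decode()))
        else:
            out.append((attr_type, None, value))
    return out


def access_accept(identifier, request_authenticator, attributes, secret):
    """Build an Access-Accept (Code 2). RFC 2865: Response Authenticator =
    MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", 2, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """What the NAS does before honouring the VLAN: recompute the authenticator with the shared secret."""
    header, auth, attributes = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    secret = b"shared-secret-with-the-controller"   # constructed for the demo
    req_auth = os.urandom(16)                         # the NAS sent this in its Access-Request
    attrs = vlan_attributes(100)
    pkt = access_accept(identifier=7, request_authenticator=req_auth, attributes=attrs, secret=secret)
    print(attrs.hex())
    for name, tag, value in parse_attributes(attrs):
        print(f"{name} (tag {tag}) = {value}")
    print("authenticator OK:", verify_response(pkt, req_auth, secret))
    # Rewriting the VLAN in transit without the secret invalidates the authenticator.
    print("tampered VLAN detected:", not verify_response(pkt[:-3] + b"999", req_auth, secret))
```

If your controller expects a VLAN name rather than a number, pass the name to vlan_attributes; it goes into Tunnel-Private-Group-ID unchanged. Because a numeric string such as "100" starts with an octet above 0x1F, a NAS can also parse it correctly when the tag byte is omitted, which is why some vendors accept the attribute with or without a tag.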

WiFi Profile Migration in the Google Admin Console

In this section, you complete the migration by switching the WiFi profile from SCEP to Certificate Pattern. Once saved, devices stop using SCEP-issued certificates and begin authenticating with the new certificates provisioned by SecureW2 through Google Certificate Provisioning.

Before updating the WiFi profile, confirm that the new certificates have been issued and installed on all managed ChromeOS devices.

NOTE: Switching the WiFi profile before certificate issuance will disconnect devices from the network.

Modify the Wi-Fi Profile to Use Certificate Pattern

To modify the existing Wi-Fi profile currently configured for SCEP, perform the following steps:

  1. Log in to the Google Admin Console.
  2. Navigate to Devices > Networks > Wi-Fi.
  3. Select the existing Wi-Fi profile configured for SCEP.
  4. Scroll to Security settings.
    1. From the Provisioning Type drop-down list, select Certificate pattern.
    2. Under Issuer pattern, in the Common name field, enter the Common Name of the new Certificate Provisioning Intermediate CA exactly as it appears on the CA certificate. The device selects a client certificate whose issuer matches this pattern, so a mismatch here means no certificate is selected and authentication fails.
  5. Click SAVE. Devices automatically disconnect and reconnect to Wi-Fi using the new Certificate Provisioning certificate. No user action is required.

Deployment and Certificate Issuance

SecureW2 administrators can verify successful certificate enrollment by navigating to Data and Monitoring > Enhanced Events in the JoinNow Management Portal.

The RADIUS Events page details the device lookup attributes. To access the RADIUS Events page, log in to the JoinNow Management Portal and navigate to Data and Monitoring > RADIUS Events.

Revert the Wi-Fi Profile Update

If issues occur after updating the Wi-Fi profile, immediately revert the change:

  1. Navigate to Devices > Networks > Wi-Fi.
  2. Select the updated Wi-Fi profile.
  3. Change the Provisioning Type back to SCEP.
  4. In the Issuer pattern field, restore the original value (the old SCEP CA name).
  5. Click Save.

NOTE: Devices immediately fall back to SCEP certificates. No re-enrollment is required for the rollback.