The following diagram illustrates the architecture and components of a Chromebook (with ChromeOS) that can enroll for a certificate over SCEP with Entrust Certificate Enrollment Gateway.
Google Admin requirements:
- Google Admin requires either the Chrome Enterprise Upgrade or the Chrome Education Upgrade.
- Google Admin requires the CA certificate chain (from the root CA certificate to the issuing CA certificate) for the on-premises Managed CA or Entrust PKI as a Service (PKIaaS).
Google Cloud Certificate Connector requirements:
- The Google Cloud Certificate Connector must be installed on a domain-joined Windows server.
- The Google Cloud Certificate Connector requires outbound network connectivity to Google Admin.
- The Google Cloud Certificate Connector requires outbound network connectivity to Entrust Certificate Enrollment Gateway.
Entrust Certificate Enrollment Gateway requirements:
- The SCEP service must be configured with a static challenge password.
- Certificate Enrollment Gateway requires inbound connectivity from the Google Cloud Certificate Connector.
Static challenge passwords are not secure. To increase security, it is recommended that you configure the firewall on the Certificate Enrollment Gateway server to limit incoming traffic for the SCEP service to only the Google Cloud Certificate Connector.
ChromeOS requirements:
- ChromeOS must be enrolled with Google Admin using the Enterprise enrollment option. See the Google documentation for instructions about enrolling a device using the Enterprise enrollment option (https://support.google.com/chrome/a/answer/1360534).
- ChromeOS requires outbound connectivity to Google Admin without the interference of SSL decryption.