
Setting Up a Microsoft CA for EAP-TLS Authentication

Tutorial | Windows Server 2022 | Audience: Junior IT Admins


Table of Contents

  1. Introduction
  2. Prerequisites
  3. Part 1 — Installing and Configuring Active Directory Certificate Services
  4. Part 2 — Certificate Templates and Group Policy
  5. Part 3 — Deploying Device Certificates to Windows Devices
  6. Part 4 — Deploying Device Certificates to Apple Devices
  7. Part 5 — Deploying Device Certificates to Chromebooks
  8. Troubleshooting
  9. Next Steps

Introduction

By the end of this tutorial, you will have a working Microsoft Certificate Authority (CA) running on Windows Server 2022 that automatically issues device certificates to your Windows, Apple, and Chromebook devices. Those certificates will be used to authenticate devices to your Wi-Fi network using EAP-TLS.

Key concepts (plain English)

  • Certificate Authority (CA): Your organization's ID card printer. It issues digital certificates that prove a device is trusted. Because you run the CA, you decide what gets a certificate — and your RADIUS server will only let in devices that have one.

  • EAP-TLS: A method for authenticating to a Wi-Fi network using a certificate instead of a password. Significantly more secure than password-based methods because there is no shared secret that can be stolen or guessed.

  • Device-based certificate: The certificate is tied to the machine itself, not to a specific user account. Any user who logs into that device can connect to the network, and devices can authenticate even before a user logs in.

  • SCEP (Simple Certificate Enrollment Protocol): A protocol that allows devices to request and receive certificates automatically over the network. Apple devices and Chromebooks use SCEP to obtain certificates, since they cannot use Windows Group Policy.

  • NDES (Network Device Enrollment Service): A Windows role service that provides the SCEP endpoint. It acts as a go-between — devices send their certificate requests to NDES, and NDES forwards them to your CA.

Architecture overview

+-------------------------------+       issues certs        +---------------------+
|  Windows Server 2022          |  -----------------------> |  Windows Devices    |
|                               |  (Group Policy / AD)      |                     |
|  Roles installed:             |  -----------------------> |  Apple Devices      |
|  - Certification Authority    |  (SCEP via NDES)          |  (via iMazing + MDM)|
|  - NDES                       |                           |                     |
|  - Online Responder           |  <-- Google Cloud Cert    |  Chromebooks        |
|  - Web Enrollment             |      Connector (SCEP)     |  (via GCCC)         |
+-------------------------------+                           +---------------------+
              |                                                       |
              |                                              presents cert
              v                                                       v
+-------------------+          validates             +---------------------+
|  PacketFence      |  <-----------------------------| Wi-Fi Access Point  |
|  (RADIUS Server)  |                                | (802.1X)            |
+-------------------+                                +---------------------+

Prerequisites

Infrastructure

  • Windows Server 2022: A domain-joined server dedicated to the CA role. Do not install the CA on a Domain Controller.
  • Active Directory Domain Services (AD DS): Your domain must already be set up and running.
  • PacketFence: Installed and reachable on your network. PacketFence configuration is outside the scope of this tutorial.
  • Google Workspace (for Chromebooks): Admin Console access with Chromebooks enrolled in your domain.
  • Google Cloud Platform (GCP) project: A GCP project with a configured billing account. Required for the Google Cloud Certificate Connector.
  • MDM solution (for Apple devices): Such as Jamf, Mosyle, or Kandji. iMazing Profile Editor will be used to build the profile.

Software to download

  • iMazing Profile Editor — Free download from imazing.com/profile-editor
  • Google Cloud Certificate Connector — Downloaded from the Google Admin Console during Part 5

Accounts and permissions

  • A domain account that is a member of Enterprise Admins for the CA installation
  • A dedicated NDES service account (e.g., svc-ndes) — create this before starting Part 1:
    • Standard domain user account
    • Set Password never expires
    • Check User cannot change password
    • Do not grant any special permissions yet — the wizard and IIS steps will configure them
  • Google Admin super-admin access for the Chromebook section
  • GCP Owner or Editor access on your GCP project

Part 1 — Installing and Configuring Active Directory Certificate Services (AD CS)

In this part, you will install all four CA role services in a single pass, then configure each one in sequence: the Certification Authority itself, NDES (SCEP endpoint for Apple and Chromebook devices), Online Responder (certificate revocation checking), and Web Enrollment (used by PacketFence to communicate with your CA). You will then perform the post-installation IIS configuration that NDES requires to function correctly.

Step 1.1 — Add the AD CS role and all required role services

  1. Log in to your Windows Server 2022 machine with your Enterprise Admins account.
  2. Open Server Manager from the taskbar.
  3. Click Manage in the top-right corner, then select Add Roles and Features.
  4. Click Next until you reach the Server Roles page.
  5. Check the box next to Active Directory Certificate Services.
  6. A pop-up will ask you to add required features — click Add Features.
  7. Click Next until you reach the AD CS Role Services page.
  8. Check all four of the following role services:
    • Certification Authority
    • Network Device Enrollment Service (NDES)
    • Online Responder
    • Certification Authority Web Enrollment
  9. For each role service you check, Server Manager may prompt you to add additional required features (including IIS components for NDES). Accept all of these by clicking Add Features each time.
  10. Click Next, then Install.
  11. Wait for the installation to complete. Do not close Server Manager.

Step 1.2 — Configure the Certification Authority

Once the installation finishes, a yellow warning flag will appear in Server Manager.

  1. Click the flag, then click Configure Active Directory Certificate Services on the destination server.
  2. On the Credentials page, confirm the account shown is your Enterprise Admins account. Click Next.
  3. On the Role Services page, check Certification Authority only. You will configure the remaining role services in subsequent steps within the same wizard. Click Next.

Choosing the CA type:

  • Enterprise CA — Integrated with Active Directory. This is what you want. Enables automatic enrollment via Group Policy and certificate templates.
  • Standalone CA — Not integrated with AD. Requires manual enrollment. Do not choose this.

Select Enterprise CA and click Next.

  4. On the CA Type page, select Root CA. Click Next.
  5. On the Private Key page, select Create a new private key. Click Next.
  6. On the Cryptography page:
    • Key length: 4096 bits
    • Hash algorithm: SHA256
    • Click Next
  7. On the CA Name page, enter a descriptive name, e.g., Contoso-Root-CA. Click Next.
  8. On the Validity Period page, set to 10 years. Click Next.
  9. Leave the database locations at their defaults. Click Next, then Configure.

Step 1.3 — Configure NDES

Continue in the same configuration wizard, now selecting Network Device Enrollment Service.

  1. On the Service Account for NDES page, enter the credentials for your svc-ndes service account. Click Next.
  2. On the CA for NDES page, select CA name and choose your newly created CA from the list. Click Next.
  3. On the RA Information page, fill in your organization's Registration Authority details:
    • RA Name: e.g., Contoso NDES RA
    • Fill in Country, State/Province, and Organization
  4. On the Cryptography for NDES page, leave both key lengths at 2048 and the hash algorithm at SHA-256. Click Next.
  5. Click Configure to complete the NDES configuration.

Step 1.4 — Configure Online Responder

  1. In the wizard, select Online Responder.
  2. Accept the defaults on all pages and click Configure.

Step 1.5 — Configure Certification Authority Web Enrollment

  1. In the wizard, select Certification Authority Web Enrollment.
  2. Accept the defaults and click Configure.
  3. Click Close to exit the wizard.

Step 1.6 — Grant NDES service account CA-level permissions

NDES needs more than just template permissions — it also needs the right to issue and manage certificates on the CA itself. This is separate from the template permissions you will set in Part 2.

  1. Open the Certification Authority console.
  2. Right-click your CA and select Properties.
  3. Click the Security tab.
  4. Click Add and add your svc-ndes account.
  5. With svc-ndes selected, check Allow for:
    • Issue and Manage Certificates
    • Request Certificates
  6. Click OK.

Note: You can optionally remove Authenticated Users from this list to ensure only NDES and administrators can issue certificates on this CA. If you do this, make sure your Enterprise Admin account (or the Domain Admins group) retains Issue and Manage Certificates, Manage CA, and Request Certificates — otherwise you will lock yourself out of CA management.

Step 1.7 — Add the NDES service account to the local IIS_IUSRS group

IIS requires the NDES service account to be a member of the local IIS_IUSRS group for the SCEP application pool to run correctly.

  1. Open Server Manager → Tools → Computer Management.
  2. Expand Local Users and Groups → Groups.
  3. Double-click IIS_IUSRS.
  4. Click Add and add your svc-ndes domain account.
  5. Click OK.

Step 1.8 — Configure the IIS SCEP application pool

  1. Open Internet Information Services (IIS) Manager.
  2. In the left panel, expand the server name and click Application Pools.
  3. Find the application pool named SCEP and double-click it.
  4. Set Managed pipeline mode to Integrated.
  5. Click OK.

Step 1.9 — Enable Load User Profile on the SCEP application pool

This step is required for the static SCEP challenge password to function correctly.

  1. Still in IIS Manager, right-click the SCEP application pool and select Advanced Settings.
  2. Scroll down to the Process Model section.
  3. Find Load User Profile and set it to True.
  4. Click OK.

Step 1.10 — Configure a static SCEP challenge password

By default, NDES generates a new, short-lived challenge password for every individual certificate request. For use with the Google Cloud Certificate Connector, a static challenge password is much easier to manage — it does not expire or rotate, and can be reused across all Chromebook enrollments.

  1. Open Registry Editor (regedit.exe) on your CA server.
  2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
  3. Find the UseSinglePassword value and double-click it.
  4. Set the value data to 1 (hexadecimal).
  5. Click OK.

What this does: Setting UseSinglePassword to 1 tells NDES to issue a single persistent challenge password, visible at http://localhost/certsrv/mscep_admin/, rather than rotating per-request. This password can be used multiple times and does not expire.

Step 1.11 — Set NDES certificate templates in the registry

NDES uses three registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP to determine which certificate template to use depending on the type of SCEP request it receives. Apple devices and Chromebooks send different request types, so they must be routed to different templates via different registry values.

  • GeneralPurposeTemplate: Used by the Google Cloud Certificate Connector for Chromebook enrollments. Set to your Chrome template name.
  • EncryptionTemplate: Used by Apple devices requesting an encryption key certificate. Set to your Apple template name.
  • SignatureTemplate: Used by Apple devices requesting a signature key certificate. Set to your Apple template name.

  1. Still in Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
  2. Double-click GeneralPurposeTemplate and set the value data to the template name of your Chromebook template. You will create a template named EAPTLSChromeDevice in Part 2 — enter that exact string here.
  3. Double-click EncryptionTemplate and set the value data to the template name of your Apple template: EAPTLSAppleDevice.
  4. Double-click SignatureTemplate and set the value data to the same Apple template name: EAPTLSAppleDevice.

When finished, the three values should look like this:

  Name                     Type     Data
  GeneralPurposeTemplate   REG_SZ   EAPTLSChromeDevice
  EncryptionTemplate       REG_SZ   EAPTLSAppleDevice
  SignatureTemplate        REG_SZ   EAPTLSAppleDevice

Template name vs. display name: These are two different fields in the Certificate Templates console. The display name is what you see in the UI (e.g., EAP-TLS Chrome Device). The template name is a separate identifier with no spaces (e.g., EAPTLSChromeDevice). When configuring NDES registry values and the Google Cloud Certificate Connector, always use the template name, not the display name. You will set both explicitly when creating templates in Part 2.

Step 1.12 — Disable Internet Explorer Enhanced Security Configuration

The mscep_admin challenge password page is opened in a browser on the server itself, and it will not load while IE Enhanced Security Configuration is on. You will need that page to retrieve the challenge password later in the tutorial (Step 4.2 and Step 5.B.4).

  1. In Server Manager, click Local Server in the left panel.
  2. Find IE Enhanced Security Configuration in the Properties list.
  3. Click the current value (likely On) and set it to Off for both Administrators and Users.
  4. Click OK.

Step 1.13 — Restart the server

Restart your CA server now so that all IIS and registry changes take effect cleanly.

Step 1.14 — Verify all services are running

After the server restarts:

  1. Open the Certification Authority console. Your CA should appear with a green icon.
  2. Open IIS Manager. Confirm the SCEP application pool is started and its identity is showing the svc-ndes account.
  3. From a browser on the server, navigate to http://localhost/certsrv/mscep_admin/. You should see a page with a CA thumbprint and a static enrollment challenge password. This confirms NDES is running correctly.

If the challenge password page does not load, check: Is the SCEP app pool running? Is Load User Profile set to True? Is svc-ndes in the IIS_IUSRS group? Check Event Viewer under Applications and Services Logs → Microsoft → Windows → NetworkDeviceEnrollmentService for specific error messages.
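The checks in that troubleshooting list can be run in one pass. The script below is an added example, not part of the original tutorial; it verifies the settings from Steps 1.7 to 1.11 and the mscep_admin page from Step 1.14 on the CA server, using the WebAdministration module that ships with IIS. CONTOSO\svc-ndes is a placeholder for your own domain and NDES service account.

```powershell
# Added example (not from the original tutorial): NDES readiness check for the CA server.
# Run in an elevated PowerShell session on the CA/NDES server itself.
Import-Module WebAdministration

$ServiceAccount = 'CONTOSO\svc-ndes'     # placeholder: DOMAIN\svc-ndes
$MscepKey       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$ExpectedTemplates = @{
    GeneralPurposeTemplate = 'EAPTLSChromeDevice'   # Chromebooks via GCCC
    EncryptionTemplate     = 'EAPTLSAppleDevice'    # Apple encryption key requests
    SignatureTemplate      = 'EAPTLSAppleDevice'    # Apple signature key requests
}
$problems = New-Object System.Collections.Generic.List[string]

# Steps 1.8, 1.9 and 1.14: SCEP application pool state, pipeline mode, identity, Load User Profile
$pool = Get-Item 'IIS:\AppPools\SCEP' -ErrorAction SilentlyContinue
if (-not $pool) {
    $problems.Add('SCEP application pool not found; was the NDES role service configured (Step 1.3)?')
} else {
    if ($pool.state -ne 'Started') {
        $problems.Add("SCEP app pool is '$($pool.state)', expected Started")
    }
    if ($pool.managedPipelineMode -ne 'Integrated') {
        $problems.Add("SCEP app pool pipeline mode is '$($pool.managedPipelineMode)', expected Integrated (Step 1.8)")
    }
    if (-not $pool.processModel.loadUserProfile) {
        $problems.Add('SCEP app pool Load User Profile is False (Step 1.9)')
    }
    if ($pool.processModel.userName -ne $ServiceAccount) {
        $problems.Add("SCEP app pool identity is '$($pool.processModel.userName)', expected $ServiceAccount")
    }
}

# Step 1.7: the service account must be a member of the local IIS_IUSRS group
$members = Get-LocalGroupMember -Group 'IIS_IUSRS' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
if ($members -notcontains $ServiceAccount) {
    $problems.Add("$ServiceAccount is not a member of IIS_IUSRS (Step 1.7)")
}

# Step 1.11: each SCEP request type must route to the template created in Part 2
$reg = Get-ItemProperty -Path $MscepKey
foreach ($name in $ExpectedTemplates.Keys) {
    if ($reg.$name -ne $ExpectedTemplates[$name]) {
        $problems.Add("$name is '$($reg.$name)', expected '$($ExpectedTemplates[$name])' (Step 1.11)")
    }
}

# Step 1.10: static challenge password. The tutorial sets UseSinglePassword directly under
# MSCEP; on many installs the DWORD sits in a subkey of the same name, so both places are read.
$single = $reg.UseSinglePassword
if ($null -eq $single) {
    $single = (Get-ItemProperty -Path "$MscepKey\UseSinglePassword" -ErrorAction SilentlyContinue).UseSinglePassword
}
if ($single -ne 1) {
    $problems.Add("UseSinglePassword is '$single', expected 1 (Step 1.10)")
}

# Step 1.14: the mscep_admin page must load locally and show a challenge password
try {
    $page = Invoke-WebRequest -Uri 'http://localhost/certsrv/mscep_admin/' -UseDefaultCredentials -UseBasicParsing
    if ($page.Content -notmatch 'challenge') {
        $problems.Add('mscep_admin page loaded but does not mention a challenge password')
    }
} catch {
    $problems.Add("mscep_admin page did not load: $($_.Exception.Message)")
}

# Surface recent NDES errors from the NetworkDeviceEnrollmentService log named above
$ndesLog = Get-WinEvent -ListLog '*NetworkDeviceEnrollmentService*' -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($ndesLog) {
    Get-WinEvent -LogName $ndesLog.LogName -MaxEvents 10 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 2 } |
        ForEach-Object { $problems.Add("NDES event $($_.Id): $(($_.Message -split "`n")[0])") }
}

if ($problems.Count -eq 0) {
    Write-Host 'All NDES checks passed.' -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```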


Part 2 — Certificate Templates and Group Policy

Certificate template overview

Each device platform uses a different enrollment method, so each needs its own certificate template:

  Platform     Template display name     Template name         Enrollment method                             Subject name source
  Windows      EAP-TLS Windows Device    EAPTLSWindowsDevice   Group Policy autoenrollment                   Built from Active Directory
  Apple        EAP-TLS Apple Device      EAPTLSAppleDevice     SCEP via NDES                                 Supplied by the device (serial number)
  Chromebook   EAP-TLS Chrome Device     EAPTLSChromeDevice    SCEP via Google Cloud Certificate Connector   Supplied by Google (device serial number)

Important: The Template name (no spaces) is used in registry settings, NDES configuration, and the GCCC adapter_config.json file. The Display name is what appears in the CA console UI. Set both deliberately when creating each template.

Step 2.1 — Open the Certificate Templates console

In the Certification Authority console, right-click Certificate Templates and select Manage.


Template A — Windows Device Certificate

  1. Find the Computer template. Right-click and select Duplicate Template.

Compatibility tab:

  • Set both fields to Windows Server 2012 R2 / Windows 8.1 or higher (matching your environment)

General tab:

  • Template display name: EAP-TLS Windows Device
  • Template name: EAPTLSWindowsDevice
  • Validity period: 1 year
  • Renewal period: 6 weeks
  • Check Publish certificate in Active Directory

Subject Name tab:

  • Select Build from this Active Directory information
  • Subject name format: Common name
  • Under "Include this information in alternate subject name", check DNS name

Extensions tab:

  • Click Application Policies → Edit
  • Confirm Client Authentication is present
  • Click OK

Security tab:

  • Find Domain Computers
  • Check Allow for both Enroll and Autoenroll

Click OK to save.


Template B — Apple Device Certificate

  1. Find the Computer template. Right-click and select Duplicate Template.

General tab:

  • Template display name: EAP-TLS Apple Device
  • Template name: EAPTLSAppleDevice
  • Validity period: 1 year
  • Renewal period: 6 weeks
  • Leave Publish certificate in Active Directory unchecked

Subject Name tab:

  • Select Supply in the request
  • You will see a warning about CA manager approval — this is expected. For SCEP, NDES handles approval via the challenge password automatically.

Extensions tab:

  • Click Application Policies → Edit
  • Confirm Client Authentication is present
  • Click OK

Security tab:

  • Remove Domain Computers from the list
  • Find or add the svc-ndes service account
  • Grant svc-ndes: Read and Enroll (check Allow for both)

Click OK to save.


Template C — Chrome Device Certificate

  1. Find the Computer template. Right-click and select Duplicate Template.

General tab:

  • Template display name: EAP-TLS Chrome Device
  • Template name: EAPTLSChromeDevice (This exact string must match what you entered in the registry in Step 1.11 and what you will enter in the GCCC adapter_config.json in Part 5)
  • Validity period: 1 year
  • Renewal period: 6 weeks
  • Leave Publish certificate in Active Directory unchecked

Subject Name tab:

  • Select Supply in the request

Extensions tab:

  • Click Application Policies → Edit
  • Confirm Client Authentication is present
  • Click OK

Security tab:

  • Remove Domain Computers from the list
  • Find or add the svc-ndes service account
  • Grant svc-ndes: Read and Enroll

Click OK to save.


Step 2.2 — Enable all three templates on your CA

  1. Return to the Certification Authority console.
  2. Right-click Certificate Templates and select New → Certificate Template to Issue.
  3. Select EAP-TLS Windows Device and click OK.
  4. Repeat for EAP-TLS Apple Device.
  5. Repeat for EAP-TLS Chrome Device.

Step 2.3 — Configure Group Policy

Open Group Policy Management (gpmc.msc) and edit the Default Domain Policy (or a dedicated GPO scoped to your computer accounts). All settings below are under Computer Configuration.

Note: For production environments, a dedicated GPO is preferable to editing the Default Domain Policy. For this tutorial, either works.

2.3a — Publish the CA root certificate to all computers

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities

Right-click and select Import. Import your CA's .cer file. This ensures all domain computers automatically trust certificates issued by your CA.

2.3b — Auto-enrollment for computer certificates

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Certificate Services Client – Auto-Enrollment

  • Configuration Model: Enabled
  • Check Renew expired certificates, update pending certificates, and remove revoked certificates
  • Check Update certificates that use certificate templates
  • Click OK

2.3c — Automatic Certificate Request Settings

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Automatic Certificate Request Settings

Right-click and select New → Automatic Certificate Request. Follow the wizard and select the Computer certificate template (this provides the base request mechanism; auto-enrollment via the setting above handles the specific template targeting).

2.3d — Certificate Services Client – Certificate Enrollment Policy

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Certificate Services Client – Certificate Enrollment Policy

  • Set Configuration Model to Enabled
  • Click OK

2.3e — Wireless Network Policy (802.1X)

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Wireless Network (IEEE 802.11) Policies

Right-click and select Create A New Wireless Network Policy for Windows Vista and Later. Configure the policy for your EAP-TLS SSID:

  1. Click Add to add a new network profile.
  2. Enter your SSID name. Check Connect automatically.
  3. Set Security type to WPA2-Enterprise.
  4. Set Encryption type to AES.
  5. Click the Security tab, set Authentication method to Microsoft: Smart Card or other certificate.
  6. Click Properties:
    • Check Use a certificate on this computer
    • Check Use simple certificate selection
    • Under Trusted Root Certification Authorities, check your CA
    • Click OK
  7. Click OK to save the profile and click OK to close the policy.

Part 3 — Deploying Device Certificates to Windows Devices

With Group Policy configured, Windows domain computers will automatically enroll for the EAP-TLS Windows Device certificate.

Step 3.1 — Trigger enrollment on a test device

On a domain-joined Windows device, open Command Prompt or PowerShell as Administrator and run:

gpupdate /force

Wait about 30 seconds, then run:

certutil -pulse

Step 3.2 — Verify the certificate in the computer store

  1. Press Windows + R, type mmc, and press Enter.
  2. Click File → Add/Remove Snap-in.
  3. Select Certificates and click Add.
  4. Choose Computer account, then Local computer. Click Finish, then OK.
  5. Expand Certificates (Local Computer) → Personal → Certificates.
  6. You should see a certificate with:
    • Issued By: your CA name (e.g., Contoso-Root-CA)
    • Template: EAP-TLS Windows Device
    • Intended Purposes: Client Authentication

Important: The certificate must be in the Computer store (not the User store). EAP-TLS device authentication requires the certificate to be in the computer's Personal store.

Step 3.3 — Confirm issuance in the CA console

On your CA server, open Certification Authority → Issued Certificates. You should see the certificate for your test device with the template column showing EAP-TLS Windows Device.
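The verification in Steps 3.2 and 3.3 can also be done from the client side. The script below is an added example, not part of the original tutorial; run it on a domain-joined Windows client after Step 3.1 to confirm that the CA root is trusted by the computer (GPO 2.3a) and that the computer's Personal store holds an unexpired, Client Authentication certificate with a private key and a DNS SAN. Contoso-Root-CA is the placeholder CA name from the tutorial.

```powershell
# Added example (not from the original tutorial): EAP-TLS readiness check for a Windows client.
$CaName          = 'Contoso-Root-CA'          # placeholder: your CA name
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'     # Microsoft Certificate Template Information (v2 templates)
$SanOid          = '2.5.29.17'                # Subject Alternative Name

function Test-EapTlsDeviceCert {
    $issues = New-Object System.Collections.Generic.List[string]
    $ready  = $null

    # 2.3a: the CA root must be trusted by the computer, not only by the logged-in user
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CaName*" }
    if (-not $root) {
        $issues.Add("$CaName is missing from Cert:\LocalMachine\Root; GPO 2.3a has not applied")
    }

    # 3.2: the device certificate must be in the computer's Personal store, not the user store
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -like "CN=$CaName*" -and $_.NotAfter -gt (Get-Date)
    }
    if (-not $candidates) {
        $issues.Add("no unexpired certificate issued by $CaName in Cert:\LocalMachine\My; run gpupdate /force and certutil -pulse, then retry")
    }

    # The supplicant presents the machine FQDN, so the DNS SAN must match it
    $fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

    foreach ($cert in $candidates) {
        $why = New-Object System.Collections.Generic.List[string]

        # Client Authentication EKU is what EAP-TLS device authentication requires
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }))) {
            $why.Add('no Client Authentication EKU')
        }

        # The template extension shows the certificate was issued from a template at all
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        if (-not $tmpl) { $why.Add('no certificate template extension') }

        # Private key must be present, and the SAN must carry the computer's DNS name
        if (-not $cert.HasPrivateKey) { $why.Add('private key not present') }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($fqdn)) {
            $why.Add("DNS SAN does not contain $fqdn")
        }

        if ($why.Count -eq 0 -and -not $ready) {
            $ready = $cert
        } else {
            $why | ForEach-Object { $issues.Add("$($cert.Thumbprint): $_") }
        }
    }

    # Template text is reported for manual comparison with 'EAP-TLS Windows Device'
    $templateText = $null
    $thumbprint   = $null
    if ($ready) {
        $thumbprint   = $ready.Thumbprint
        $templateText = ($ready.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }).Format($false)
    }
    [pscustomobject]@{
        Ready      = [bool]$ready
        Thumbprint = $thumbprint
        Template   = $templateText
        Issues     = $issues
    }
}

Test-EapTlsDeviceCert | Format-List
```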


Part 4 — Deploying Device Certificates to Apple Devices (iOS & macOS)

Apple devices do not join a Windows domain, so they cannot use Group Policy. Instead, you will create a configuration profile using iMazing Profile Editor that instructs the device to request a certificate from your CA via SCEP/NDES.

Step 4.1 — Export the CA root certificate

  1. On your CA server, open the Certification Authority console.
  2. Right-click your CA and select Properties.
  3. On the General tab, click View Certificate.
  4. Click the Details tab, then Copy to File.
  5. Select Base-64 encoded X.509 (.CER) and save as Contoso-Root-CA.cer.

Step 4.2 — Obtain the NDES enrollment challenge password

  1. On your CA server, open an incognito browser window and navigate to: http://localhost/certsrv/mscep_admin/
  2. Sign in using the svc-ndes account if prompted.
  3. The page will display the static challenge password. Copy it carefully — no leading or trailing spaces.

Step 4.3 — Build the configuration profile in iMazing Profile Editor

  1. Open iMazing Profile Editor and click New Profile.
  2. Fill in the General section:
    • Name: EAP-TLS Apple Device Certificate
    • Identifier: com.yourorg.eaptls.appledevice
    • Organization: Your organization name
  3. Add a Certificates payload:
    • Click Add Certificate and import Contoso-Root-CA.cer
    • This installs your CA as a trusted root on the Apple device
  4. Add a SCEP payload:
    • URL: http://your-ca-server/certsrv/mscep/mscep.dll
    • Name: EAP-TLS Apple Device
    • Subject: CN=%SerialNumber% (Apple's built-in variable for the device serial number)
    • Challenge: Paste the challenge password from Step 4.2
    • Key Size: 2048
    • Key Usage: Check both Signing and Encryption
    • CA Fingerprint: Paste the SHA-256 thumbprint of your CA certificate (Open the .cer file in Windows Certificate viewer, Details tab → Thumbprint)
  5. Save as eaptls-apple-device.mobileconfig.

Step 4.4 — Deploy the profile via MDM

  1. Upload eaptls-apple-device.mobileconfig to your MDM as a device configuration profile.
  2. Scope it to the device groups you want to target.
  3. Push the profile. Devices receive it at next MDM check-in.

Step 4.5 — Verify on an Apple device

On macOS: Open Keychain Access → System keychain. Look for a certificate issued by your CA with a Common Name matching the device serial number.

On iOS/iPadOS: Go to Settings → General → VPN & Device Management and tap the profile. The SCEP payload should show a certificate issued by your CA.


Part 5 — Deploying Device Certificates to Chromebooks

Chromebooks use a different path entirely. Google provides the Google Cloud Certificate Connector (GCCC) — a Windows service that bridges your Google Admin Console to your Microsoft CA via SCEP/NDES. The setup has three phases: configuring a GCP project, setting up the connector on your CA server, and configuring the enrollment profile in Google Admin.

The full request flow

Chromebook --> Google Admin --> Cloud Certificate Connector --> NDES --> CA
              (CSR submitted)  (forwards via SCEP)             (issues cert)
     <-----------------------------------------------------
     (certificate pushed back to device via Device Management)

Phase A — Configure the Google Cloud Project

Before installing the connector, you need a GCP project with the correct APIs and service accounts set up. The connector uses Google Cloud Pub/Sub to receive certificate requests from Google Admin.

Step 5.A.1 — Enable the Chrome Management API

  1. Open the Google Cloud Console (console.cloud.google.com) and select your project.
  2. In the search bar, search for Chrome Management API.
  3. Click on it and click Enable.

Step 5.A.2 — Create a Pub/Sub topic

The connector communicates with Google Admin via Google Cloud Pub/Sub. You need to create the topic that will carry certificate requests.

  1. In the GCP Console, navigate to Pub/Sub.
  2. Click Create Topic.
  3. Enter a descriptive Topic ID (e.g., chrome-cert-enrollment).
  4. Under Subscriptions, check Add a default subscription.
  5. Click Create.

Step 5.A.3 — Grant Pub/Sub Publisher role to Google's service account

Google's backend infrastructure needs permission to publish certificate requests to your topic.

  1. In the GCP Console, navigate to IAM & Admin → IAM.
  2. Click Add (Grant Access).
  3. In the New principals field, enter: cert-provisioning-api-pubsub-publisher@system.gserviceaccount.com
  4. Assign the role Pub/Sub Publisher.
  5. Click Save.

Note: This is a well-known Google service account — it is not in your project's service account list. If your GCP organization has Domain Restricted Sharing enforced, you will need to exempt this service account from that policy before you can grant it access.

Step 5.A.4 — Create a GCP service account for the connector

The connector itself needs a service account to authenticate to Pub/Sub and pull certificate requests.

  1. Navigate to IAM & Admin → Service accounts.
  2. Click Create service account.
  3. Enter a descriptive name (e.g., gccc-connector-sa) and description. Click Create and continue.
  4. Assign the role Pub/Sub Subscriber.
  5. Click Done.

Step 5.A.5 — Create and download the service account key

  1. Still in Service accounts, click on the service account you just created.
  2. Click the Keys tab.
  3. Click Add Key → Create a new key.
  4. Select JSON and click Create.
  5. A key.json file will be downloaded automatically. Copy this file to your CA server — you will place it in the GCCC installation folder in the next phase.

Phase B — Install and Configure the Google Cloud Certificate Connector

Step 5.B.1 — Download the connector installer

  1. Sign in to the Google Admin Console (admin.google.com).
  2. Navigate to Devices → Networks.
  3. Scroll down to the Certificates section.
  4. Click Certificate Authority Connections.
  5. Click Download Connector (top right of the page).

Step 5.B.2 — Install the connector

  1. Copy the downloaded connector_installer.exe to your CA server.
  2. Run it as Administrator.
  3. Accept the default installation path. The installer registers a Windows service named Google Cloud Certificate Connector and sets it to run as LocalService by default.

The installation directory will contain: connector.exe, configtool.exe, and messagefile.dll. This is where you will place your JSON files in the next steps.

Step 5.B.3 — Place the service account key in the installation folder

Copy the key.json file you downloaded in Step 5.A.5 into the GCCC installation folder:

C:\Program Files\Google\Cloud Certificate Connector\

Step 5.B.4 — Create the SCEP challenge file

The connector needs the static NDES challenge password stored in a text file in its installation directory.

  1. Open Notepad (or any plain text editor — not Word).
  2. Open an incognito browser window and navigate to http://localhost/certsrv/mscep_admin/. Sign in as svc-ndes if prompted.
  3. Copy the enrollment challenge password — no leading or trailing spaces.
  4. Paste it into Notepad. Confirm there is nothing else in the file.
  5. Save as challenge-file.txt in the GCCC installation folder.

Step 5.B.5 — Create the adapter configuration file

The connector is configured via a JSON file named adapter_config.json placed in the installation folder. Create this file now.

  1. Open Notepad and create a new file.
  2. Paste the following JSON, replacing the placeholder values:
{
  "adapter_configuration": {
    "request_subscriptions": [
      "projects/<YOUR-GCP-PROJECT-ID>/subscriptions/<YOUR-SUBSCRIPTION-ID>"
    ],
    "key_filename": "key.json"
  },
  "ca_configurations": [
    {
      "type": "SCEP",
      "ca_connection_config_id": "<YOUR-CA-CONNECTION-CONFIG-ID>",
      "ca_endpoint_url": "http://localhost/certsrv/mscep/mscep.dll",
      "challenge_filename": "challenge-file.txt"
    }
  ]
}

Replace:

  • <YOUR-GCP-PROJECT-ID> — your GCP project ID (found in the GCP Console dashboard)
  • <YOUR-SUBSCRIPTION-ID> — the subscription name created with your Pub/Sub topic (e.g., chrome-cert-enrollment-sub)
  • <YOUR-CA-CONNECTION-CONFIG-ID> — a short identifier string you will choose; this must exactly match the Certificate Authority connection configuration identifier you enter in Google Admin Console in Phase C below. For example: contoso-ndes-scep
  3. Save as adapter_config.json in the GCCC installation folder.

Connector co-located with NDES: Since the connector is running on the same server as NDES, localhost is correct for the ca_endpoint_url. If you later move the connector to a separate server, replace localhost with the FQDN of your CA server, and ensure IIS is bound to HTTPS for that connection.

Step 5.B.6 — Start the connector service

  1. Open Services (services.msc).
  2. Find Google Cloud Certificate Connector.
  3. Right-click and select Start.
  4. Confirm the service status shows Running.

Verify the connector is working by opening Event Viewer → Windows Logs → Application and filtering by source GoogleCloudCertificateConnector. You should see entries roughly every 30 seconds showing pull requests being sent to Pub/Sub. This confirms the connector is authenticated and listening for certificate requests.
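Most connector failures come down to one of the files placed in Steps 5.B.3 to 5.B.5: a placeholder left in adapter_config.json, a wrong subscription path, or stray whitespace in challenge-file.txt. The script below is an added example, not part of the original tutorial or of Google's connector; it validates those files against what Phase B specifies and then checks the service and its Application-log heartbeat from Step 5.B.6. The field names in key.json (type, client_email, project_id) are the standard GCP service-account key fields.

```powershell
# Added example (not from the original tutorial): validate the GCCC install folder on the CA server.
$InstallDir       = 'C:\Program Files\Google\Cloud Certificate Connector'
$ExpectedEndpoint = 'http://localhost/certsrv/mscep/mscep.dll'   # connector co-located with NDES
$problems = New-Object System.Collections.Generic.List[string]

$configPath = Join-Path $InstallDir 'adapter_config.json'
if (-not (Test-Path $configPath)) { throw "adapter_config.json not found in $InstallDir (Step 5.B.5)" }
try   { $cfg = Get-Content -Raw $configPath | ConvertFrom-Json }
catch { throw "adapter_config.json is not valid JSON: $($_.Exception.Message)" }

# adapter_configuration: subscription path shape and service account key (Steps 5.A.5, 5.B.3)
$subs = @($cfg.adapter_configuration.request_subscriptions)
if ($subs.Count -eq 0) { $problems.Add('request_subscriptions is empty') }
$subProjects = @()
foreach ($s in $subs) {
    if ($s -match '^projects/([^/<>]+)/subscriptions/[^/<>]+$') { $subProjects += $Matches[1] }
    else { $problems.Add("request_subscriptions entry '$s' is not projects/<project>/subscriptions/<sub> or still has placeholders") }
}
$keyPath = Join-Path $InstallDir $cfg.adapter_configuration.key_filename
if (-not (Test-Path $keyPath)) {
    $problems.Add("key file '$($cfg.adapter_configuration.key_filename)' not found in the install folder (Step 5.B.3)")
} else {
    $key = Get-Content -Raw $keyPath | ConvertFrom-Json
    if ($key.type -ne 'service_account' -or -not $key.client_email) {
        $problems.Add('key.json does not look like a GCP service account key (Step 5.A.5)')
    } else {
        Write-Host "key.json service account: $($key.client_email) (enter this in Step 5.C.1)"
        if ($subProjects -and $subProjects -notcontains $key.project_id) {
            $problems.Add("key.json belongs to project '$($key.project_id)' but the subscription path names a different project")
        }
    }
}

# ca_configurations: SCEP entry, non-placeholder id, local NDES URL, clean challenge file (Steps 5.B.4, 5.B.5)
foreach ($ca in @($cfg.ca_configurations)) {
    if ($ca.type -ne 'SCEP') { $problems.Add("ca_configurations type is '$($ca.type)', expected SCEP") }
    if ([string]::IsNullOrWhiteSpace($ca.ca_connection_config_id) -or $ca.ca_connection_config_id -match '[<>]') {
        $problems.Add('ca_connection_config_id is empty or still a placeholder; it must equal the identifier entered in Google Admin (Step 5.C.1)')
    }
    if ($ca.ca_endpoint_url -ne $ExpectedEndpoint) {
        $problems.Add("ca_endpoint_url is '$($ca.ca_endpoint_url)', expected $ExpectedEndpoint while co-located with NDES")
    }
    $chalPath = Join-Path $InstallDir $ca.challenge_filename
    if (-not (Test-Path $chalPath)) { $problems.Add("challenge file '$($ca.challenge_filename)' not found (Step 5.B.4)"); continue }
    # The tutorial requires nothing but the password in this file: no spaces, no extra lines
    $raw = [System.IO.File]::ReadAllText($chalPath)
    if ($raw.Length -eq 0)          { $problems.Add('challenge file is empty') }
    elseif ($raw -ne $raw.Trim())   { $problems.Add('challenge file has leading/trailing whitespace or a trailing newline') }
    elseif ($raw -match "[`r`n]")   { $problems.Add('challenge file contains more than one line') }
}

# Step 5.B.6: service running and polling Pub/Sub (Application log, source GoogleCloudCertificateConnector)
$svc = Get-Service | Where-Object { $_.Name -eq 'Google Cloud Certificate Connector' -or $_.DisplayName -eq 'Google Cloud Certificate Connector' }
if (-not $svc) { $problems.Add('Google Cloud Certificate Connector service is not installed (Step 5.B.2)') }
elseif ($svc.Status -ne 'Running') { $problems.Add("connector service status is $($svc.Status), expected Running") }

$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'GoogleCloudCertificateConnector'; StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue
if (-not $recent) {
    $problems.Add('no connector events in the Application log in the last 5 minutes; expected a Pub/Sub pull roughly every 30 seconds')
} else {
    $recent | Where-Object { $_.Level -le 2 } |
        ForEach-Object { $problems.Add("connector error $($_.Id): $(($_.Message -split "`n")[0])") }
}

if ($problems.Count -eq 0) { Write-Host 'GCCC configuration checks passed.' -ForegroundColor Green }
else { $problems | ForEach-Object { Write-Warning $_ } }
```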


Phase C — Configure Google Admin Console

Step 5.C.1 — Create a Certificate Authority Connection

  1. Sign in to Google Admin Console.
  2. Navigate to Devices → Networks.
  3. Scroll down to Certificates and click Certificate Authority Connections.
  4. Click Add Connection.
  5. Select SCEP Certificate Authority connection and fill in:
    • Certificate Authority connection name: A descriptive label (e.g., Contoso NDES CA)
    • GCP service account email: The email of the service account you created in Step 5.A.4 (format: gccc-connector-sa@your-project-id.iam.gserviceaccount.com)
    • Pub/Sub topic: The full topic name from Step 5.A.2 (format: projects/your-project-id/topics/chrome-cert-enrollment)
    • Certificate Authority connection configuration identifier: Enter the same identifier you used in adapter_config.json (e.g., contoso-ndes-scep)

This identifier must match exactly — it is how Google Admin links its configuration to the correct CA configuration entry in the connector's local config file.

  6. Click ADD.

Step 5.C.2 — Create a Certificate Provisioning Profile

  1. Go back to the Certificates page (Devices → Networks, scroll to Certificates).
  2. Select the Organizational Unit containing your managed Chromebooks (or stay at root to apply to all).
  3. Click Certificate provisioning profiles.
  4. Click Add Profile.
  5. Configure the profile:
    • Certificate Authority connection: Select the connection you just created
    • Profile applies to: Device
    • Profile name: EAP-TLS Chrome Device
    • Days before certificate expiration to initiate renewal: 30
    • Authentication type: Remote attestation (recommended — this verifies the Chromebook is a legitimate managed device before issuing a certificate; choose None only if you need to support ChromeOS Flex or unmanaged devices)
    • Key usage: Check both Key encipherment and Signing
    • Subject name — Common name: ${DEVICE_SERIAL_NUMBER} (Google's variable for the Chromebook's device serial number — note this uses ${DEVICE_SERIAL_NUMBER}, not %SerialNumber% as in the Apple profile)
    • Certificate template name: EAPTLSChromeDevice (This must exactly match the template name — not display name — you created in Part 2)
    • Encryption key type: RSA key - 2048 bit (ECC is generally preferred for performance, but RSA is required when using a static SCEP challenge password as configured here)
  6. Click ADD.

Google Admin will push the enrollment profile to managed Chromebooks at next policy refresh. You can also trigger an immediate sync from a device's detail page in the Admin Console.


Step 5.D — Verify on a Chromebook

  1. On a managed Chromebook, open a browser tab and navigate to: chrome://certificate-manager
  2. Under Certificates being provisioned for these certificates, you should see your profile listed (e.g., EAP-TLS Chrome Device). Click the three-dot menu next to it to check enrollment status.
  3. Refresh after 30 seconds — the certificate should appear under Your certificates with:
    • Issued by your CA
    • A Common Name matching the Chromebook's serial number

You can also confirm issuance from the CA side by opening Issued Certificates in the Certification Authority console and looking for entries showing the EAP-TLS Chrome Device template.


Troubleshooting

Certificate not appearing in the Windows computer certificate store

  • Run gpupdate /force followed by certutil -pulse on the affected device.
  • Confirm the device is domain-joined: run dsregcmd /status and check for DomainJoined: YES.
  • Check Certification Authority → Failed Requests on your CA. The reason column will indicate why the request was rejected.
  • Confirm Domain Computers has both Enroll and Autoenroll on the EAP-TLS Windows Device template.
  • Confirm the GPO is under Computer Configuration, not User Configuration. Run gpresult /r and check the GPO appears under Computer Settings → Applied GPOs.

Certificate not appearing on Apple devices

  • Confirm the MDM profile was successfully delivered — check device status in your MDM console.
  • Verify the NDES SCEP URL is reachable from the device. Try browsing to it from Safari on the device.
  • Check that the challenge password has not been replaced. If you regenerated the static password on the server, update the profile in your MDM.
  • Confirm svc-ndes has Read and Enroll on the EAP-TLS Apple Device template.
  • Check Event Viewer: Applications and Services Logs → Microsoft → Windows → NetworkDeviceEnrollmentService

Certificate not appearing on Chromebooks

  • Check chrome://policy on the Chromebook and confirm RequiredClientCertificateForDevice is present. If it is not, the device or user is not in the correct OU.
  • In Google Admin Console, go to Devices → Chrome → Devices, find the affected device, and click Force Policy Sync.
  • Confirm the Google Cloud Certificate Connector service is running on the CA server (services.msc).
  • Check the connector's event log: Event Viewer → Windows Logs → Application, filter by source GoogleCloudCertificateConnector. Every 30 seconds you should see pull request events. If you see OAuth errors, your key.json service account credential has been invalidated — generate a new key and restart the service.
  • Confirm that ca_connection_config_id in adapter_config.json exactly matches the Certificate Authority connection configuration identifier in Google Admin Console.
  • Confirm that template_name in adapter_config.json (or the Certificate template name in the Google Admin provisioning profile) exactly matches the template name (not display name) of the EAP-TLS Chrome Device template.
  • If the connector logs show SCEP server returned failure: badRequest, the challenge password in challenge-file.txt no longer matches what NDES is serving. Retrieve a fresh password from http://localhost/certsrv/mscep_admin/ and update the file, then restart the connector service.
  • Confirm svc-ndes has Read and Enroll on the EAP-TLS Chrome Device template, and Issue and Manage Certificates + Request Certificates at the CA level.

EAP-TLS failing at authentication (device has a cert but cannot connect)

  • Confirm the client certificate has Client Authentication under Extended Key Usage.
  • Confirm PacketFence trusts your CA — import your CA root certificate into PacketFence's trusted CA store.
  • Check PacketFence's RADIUS logs for the rejection reason. Common causes: certificate chain not trusted, certificate expired, subject name not matching what PacketFence expects.
  • Verify the device's clock is accurate — certificate validation is time-sensitive.

NDES challenge password page is inaccessible

  • Confirm svc-ndes is the Identity for the SCEP application pool in IIS Manager.
  • Confirm IIS is running and the Default Web Site is started.
  • Confirm Load User Profile is set to True on the SCEP app pool (Step 1.9).
  • Confirm svc-ndes is in the local IIS_IUSRS group (Step 1.7).
  • Confirm svc-ndes has Issue and Manage Certificates and Request Certificates on the CA Security tab (Step 1.6).

Next Steps

You now have a functioning Microsoft CA issuing device certificates to Windows, Apple, and Chromebook devices. The next step is to configure PacketFence to use your CA as the trust anchor for EAP-TLS authentication and to connect it to your Wi-Fi infrastructure via 802.1X.

Specifically, you will need to:

  1. Import your CA root certificate into PacketFence so it can validate device certificates during EAP-TLS handshakes.
  2. Issue a RADIUS server certificate from your CA for PacketFence itself, so that devices can also validate the RADIUS server's identity — mutual authentication is a core requirement of EAP-TLS.
  3. Configure your wireless access points to point to PacketFence as their 802.1X RADIUS server.

These steps are covered in the PacketFence documentation. The certificate infrastructure you have built in this tutorial is the foundation that all of those steps depend on.