
Setting Up a Microsoft CA for EAP-TLS Authentication

Tutorial | Windows Server 2022 | Audience: Junior IT Admins


Table of Contents

  1. Introduction
  2. Prerequisites
  3. Part 1 — Installing and Configuring Active Directory Certificate Services (AD CS)
  4. Part 2 — Certificate Templates and Group Policy
  5. Part 3 — Deploying Device Certificates to Windows Devices
  6. Part 4 — Deploying Device Certificates to Apple Devices
  7. Part 5 — Deploying Device Certificates to Chromebooks
  8. Troubleshooting
  9. Next Steps

Introduction

By the end of this tutorial, you will have a working Microsoft Certificate Authority (CA) running on Windows Server 2022 that automatically issues device certificates to your Windows, Apple, and Chromebook devices. Those certificates will be used to authenticate devices to your Wi-Fi network using EAP-TLS.

Key concepts (plain English)

Before diving in, it helps to understand a few terms you will see throughout this tutorial:

  • Certificate Authority (CA): Think of this as your organization's ID card printer. It issues digital certificates that prove a device is trusted. Because you run the CA, you decide what gets a certificate — and your RADIUS server will only let in devices that have one.

  • EAP-TLS: A method for authenticating to a Wi-Fi network using a certificate instead of a password. It is significantly more secure than password-based methods because there is no shared secret that can be stolen or guessed.

  • Device-based certificate: The certificate is tied to the machine itself, not to a specific user account. Any user who logs into that device can connect to the network, and devices can authenticate even before a user logs in.

  • SCEP (Simple Certificate Enrollment Protocol): A protocol that allows devices to request and receive certificates automatically over the network. Apple devices and Chromebooks use SCEP to obtain certificates, since they cannot use Windows Group Policy.

  • NDES (Network Device Enrollment Service): A Windows role service that provides the SCEP endpoint. It acts as a go-between — devices send their certificate requests to NDES, and NDES forwards them to your CA.

Architecture overview

+-------------------------------+       issues certs        +---------------------+
|  Windows Server 2022          |  -----------------------> |  Windows Devices    |
|                               |  (Group Policy / AD)      |                     |
|  Roles installed:             |  -----------------------> |  Apple Devices      |
|  - Certification Authority    |  (SCEP via NDES)          |  (via iMazing + MDM)|
|  - NDES                       |                           |                     |
|  - Online Responder           |  <-- Google Cloud Cert    |  Chromebooks        |
|  - Web Enrollment             |      Connector (SCEP)     |  (via GCCC)         |
+-------------------------------+                           +---------------------+
              |                                                       |
              |                                              presents cert
              |                                                       |
              v                                                       v
+-------------------+          validates             +---------------------+
|  PacketFence      |  <-----------------------------| Wi-Fi Access Point  |
|  (RADIUS Server)  |                                | (802.1X)            |
+-------------------+                                +---------------------+

When a device connects to your Wi-Fi network, it presents its certificate to the access point, which forwards it to PacketFence (your RADIUS server). PacketFence checks that the certificate was issued by your CA and, if so, grants the device access.


Prerequisites

Before you begin, make sure the following are in place.

Infrastructure

  • Windows Server 2022: A domain-joined server dedicated to the CA role. Do not install the CA on a Domain Controller.
  • Active Directory Domain Services (AD DS): Your domain must already be set up and running.
  • PacketFence: Installed and reachable on your network. PacketFence configuration is outside the scope of this tutorial.
  • Google Workspace (for Chromebooks): Admin Console access with Chromebooks enrolled in your domain.
  • Google Cloud Platform (GCP) project: A GCP project with a configured billing account. Required for the Google Cloud Certificate Connector.
  • MDM solution (for Apple devices): Such as Jamf, Mosyle, or Kandji. iMazing Profile Editor will be used to build the profile.

Software to download

  • iMazing Profile Editor — Free download from imazing.com/profile-editor
  • Google Cloud Certificate Connector — Downloaded from the Google Admin Console during Part 5

Accounts and permissions

  • A domain account that is a member of Enterprise Admins for the CA installation
  • A dedicated NDES service account (e.g., svc-ndes) — create this in Active Directory before starting Part 1:
    • Standard domain user account
    • Set Password never expires
    • Check User cannot change password
    • Do not grant any special permissions yet; the NDES configuration wizard and the IIS steps in Part 1 will assign the permissions it needs
  • Google Admin super-admin access for the Chromebook section
  • GCP Owner or Editor access on the GCP project

A note on server sizing: The CA and NDES roles are not resource-intensive. 2 vCPUs and 4 GB RAM is sufficient for most environments. What matters most is that the server is reliable and well-backed-up. If you lose your CA without a backup, you will need to re-issue every certificate in your environment.
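The NDES service account checklist above can be applied in one step. This is an added example, not part of the original tutorial; it assumes the ActiveDirectory RSAT module is available, and the OU path and domain name are placeholders to replace with your own.

```powershell
# Creates the dedicated NDES service account with the settings from the checklist.
# Added example, not from the tutorial. Run as a user allowed to create accounts in the OU.
Import-Module ActiveDirectory

$Name   = 'svc-ndes'
$Domain = 'contoso.local'                              # assumption: your AD DNS domain
$OuPath = 'OU=Service Accounts,DC=contoso,DC=local'    # assumption: where service accounts live

$params = @{
    Name                 = $Name
    SamAccountName       = $Name
    UserPrincipalName    = "$Name@$Domain"
    Path                 = $OuPath
    AccountPassword      = (Read-Host -Prompt "Password for $Name" -AsSecureString)
    PasswordNeverExpires = $true     # "Password never expires"
    CannotChangePassword = $true     # "User cannot change password"
    Enabled              = $true
    Description          = 'NDES (SCEP) service account - not for interactive logon'
}
New-ADUser @params

# Read back the settings the checklist asks for. ExtraGroups should be 0 at this point:
# the account starts as a plain domain user; the NDES wizard and IIS steps add what it needs.
Get-ADUser $Name -Properties PasswordNeverExpires, CannotChangePassword, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword,
                  @{ Name = 'ExtraGroups'; Expression = { @($_.MemberOf).Count } }
```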


Part 1 — Installing and Configuring Active Directory Certificate Services (AD CS)

In this part, you will install the CA role and all four supporting role services in a single pass, then configure each one in sequence: the Certification Authority itself, NDES (which provides the SCEP endpoint for Apple and Chromebook devices), Online Responder (which handles certificate revocation checking), and Web Enrollment (used by PacketFence to communicate with your CA). You will then perform the post-installation IIS configuration that NDES requires to function correctly.

Step 1.1 — Add the AD CS role and all required role services

1. Log in to your Windows Server 2022 machine with your Enterprise Admins account.
2. Open Server Manager from the taskbar.
3. Click Manage in the top-right corner, then select Add Roles and Features.
4. Click Next until you reach the Server Roles page.
5. Check the box next to Active Directory Certificate Services.
6. A pop-up will ask you to add required features — click Add Features.
7. Click Next until you reach the AD CS Role Services page.
8. Check all four of the following role services:
  • Certification Authority
  • Network Device Enrollment Service (NDES)
  • Online Responder
  • Certification Authority Web Enrollment
9. For each role service you check, Server Manager may prompt you to add additional required features (including IIS components for NDES). Accept all of these by clicking Add Features each time.
10. Click Next, then Install.
11. Wait for the installation to complete. Do not close Server Manager.

Step 1.2 — Configure the Certification Authority

Once the installation finishes, a yellow warning flag will appear in Server Manager.

1. Click the flag, then click Configure Active Directory Certificate Services on the destination server.
2. On the Credentials page, confirm the account shown is your Enterprise Admins account. Click Next.
3. On the Role Services page, you will see all four role services listed. Check Certification Authority only. You will configure the remaining role services in subsequent steps within the same wizard. Click Next.

Choosing the CA type — this is important:

On the Setup Type page you will see two options:

• Enterprise CA — Integrated with Active Directory. This is what you want. It enables automatic certificate enrollment via Group Policy and allows the use of certificate templates.
• Standalone CA — Not integrated with AD. Requires manual enrollment. Do not choose this.

Select Enterprise CA and click Next.

4. On the CA Type page, select Root CA. This is the first and only CA in your environment — it is the trust anchor for all certificates. Click Next.
5. On the Private Key page, select Create a new private key. Click Next.
6. On the Cryptography page:
  • Key length: 4096 bits
  • Hash algorithm: SHA256
  • Click Next
7. On the CA Name page, enter a clear, descriptive name, e.g., Contoso-Root-CA. Click Next.
8. On the Validity Period page, set the validity to 10 years. Click Next.
9. Leave the database locations at their defaults. Click Next, then Configure.

Step 1.3 — Configure NDES

Continue in the same configuration wizard, now selecting Network Device Enrollment Service.

1. On the Service Account for NDES page, enter the credentials for the svc-ndes service account you created in Prerequisites. Click Next.
2. On the CA for NDES page, select CA name and choose your newly created CA from the list. Click Next.
3. On the RA Information page, fill in your organization's Registration Authority details. These appear in certificate requests that NDES submits on behalf of devices:
  • RA Name: e.g., Contoso NDES RA
  • Fill in Country, State/Province, and Organization as appropriate
4. On the Cryptography for NDES page, leave both key lengths at 2048 and the hash algorithm at SHA-256. Click Next.
5. Click Configure to complete the NDES configuration.

Step 1.4 — Configure Online Responder

The Online Responder handles OCSP (Online Certificate Status Protocol) requests, allowing clients and PacketFence to quickly check whether a certificate has been revoked.

1. In the wizard, select Online Responder.
2. Accept the defaults on all pages and click Configure.

Step 1.5 — Configure Certification Authority Web Enrollment

Web Enrollment provides an HTTPS interface that PacketFence uses to request certificates.

1. In the wizard, select Certification Authority Web Enrollment.
2. Accept the defaults and click Configure.
3. Click Close to exit the wizard when all role services are configured.

Step 1.6 — Grant NDES service account CA-level permissions

NDES needs more than just template permissions — it also needs the right to issue and manage certificates on the CA itself. This is separate from the template permissions you will set in Part 2.

1. Open the Certification Authority console.
2. Right-click your CA and select Properties.
3. Click the Security tab.
4. Click Add and add your svc-ndes account.
5. With svc-ndes selected, check Allow for:
  • Issue and Manage Certificates
  • Request Certificates
6. Click OK.

Note: You can optionally remove Authenticated Users from this list to ensure only NDES and administrators can issue certificates on this CA. If you do this, make sure your Enterprise Admin account (or the Domain Admins group) retains Issue and Manage Certificates, Manage CA, and Request Certificates — otherwise you will lock yourself out of CA management.

Step 1.7 — Add the NDES service account to the local IIS_IUSRS group

IIS requires the NDES service account to be a member of the local IIS_IUSRS group for the SCEP application pool to run correctly.

1. Open Server Manager > Tools > Computer Management.
2. Expand Local Users and Groups > Groups.
3. Double-click IIS_IUSRS.
4. Click Add and add your svc-ndes domain account.
5. Click OK.

Step 1.8 — Configure the IIS SCEP application pool

1. Open Internet Information Services (IIS) Manager.
2. In the left panel, expand the server name and click Application Pools.
3. Find the application pool named SCEP and double-click it.
4. Set Managed pipeline mode to Integrated.
5. Click OK.

Step 1.9 — Enable Load User Profile on the SCEP application pool

This step is required for the static SCEP challenge password to function correctly.

1. Still in IIS Manager, right-click the SCEP application pool and select Advanced Settings.
2. Scroll down to the Process Model section.
3. Find Load User Profile and set it to True.
4. Click OK.

Step 1.10 — Configure a static SCEP challenge password

By default, NDES generates a new, short-lived challenge password for every individual certificate request. For use with the Google Cloud Certificate Connector, a static challenge password is much easier to manage — it does not expire or rotate, and can be reused across all Chromebook enrollments.

1. Open Registry Editor (regedit.exe) on your CA server.
2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
3. Find the UseSinglePassword value and double-click it.
4. Set the value data to 1 (hexadecimal).
5. Click OK.

What this does: Setting UseSinglePassword to 1 tells NDES to issue a single persistent challenge password, visible at http://localhost/certsrv/mscep_admin/, rather than rotating per-request. This password can be used multiple times and does not expire.

Step 1.11 — Set NDES certificate templates in the registry

NDES uses three registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP to determine which certificate template to use depending on the type of SCEP request it receives. Apple devices and Chromebooks send different request types, so they must be routed to different templates via different registry values.

Registry value           Purpose                                                                     Set to
GeneralPurposeTemplate   Used by the Google Cloud Certificate Connector for Chromebook enrollments   Your Chrome template name
EncryptionTemplate       Used by Apple devices requesting an encryption key certificate              Your Apple template name
SignatureTemplate        Used by Apple devices requesting a signature key certificate                Your Apple template name

1. Still in Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
2. Double-click GeneralPurposeTemplate and set the value data to the template name of your Chromebook template. You will create a template named EAPTLSChromeDevice in Part 2 — enter that exact string here.
3. Double-click EncryptionTemplate and set the value data to the template name of your Apple template: EAPTLSAppleDevice.
4. Double-click SignatureTemplate and set the value data to the same Apple template name: EAPTLSAppleDevice.

When finished, the three values should look like this:

Name                     Type     Data
GeneralPurposeTemplate   REG_SZ   EAPTLSChromeDevice
EncryptionTemplate       REG_SZ   EAPTLSAppleDevice
SignatureTemplate        REG_SZ   EAPTLSAppleDevice

Template name vs. display name: These are two different fields in the Certificate Templates console. The display name is what you see in the UI (e.g., EAP-TLS Chrome Device). The template name is a separate identifier with no spaces (e.g., EAPTLSChromeDevice). When configuring NDES registry values and the Google Cloud Certificate Connector, always use the template name, not the display name. You will set both explicitly when creating templates in Part 2.

Step 1.12 — Disable Internet Explorer Enhanced Security Configuration

The mscep_admin challenge password page requires IE to function on the server. This is needed to retrieve the challenge password later in the tutorial (Step 4.2 and Part 5).

1. In Server Manager, click Local Server in the left panel.
2. Find IE Enhanced Security Configuration in the Properties list.
3. Click the current value (likely On) and set it to Off for both Administrators and Users.
4. Click OK.

Step 1.13 — Restart the server

Restart your CA server now so that all IIS and registry changes take effect cleanly.

Step 1.14 — Verify all services are running

After the server restarts:

1. Open the Certification Authority console (search for it in the Start Menu). Your CA should appear with a green icon.
2. Open Internet Information Services (IIS) Manager. You should see two virtual directories under the Default Web Site: CertSrv (Web Enrollment) and CertSrv/mscep (NDES). Under Application Pools, confirm the SCEP application pool is started and its identity shows the svc-ndes account.
3. From a browser on the server, browse to http://localhost/certsrv/mscep_admin/. You should see a page with a CA thumbprint and a static enrollment challenge password. This confirms NDES is running correctly.

If any service shows as stopped, right-click it and select Start, or restart the relevant Windows service from services.msc. If the challenge password page does not load, check: Is the SCEP app pool running? Is Load User Profile set to True? Is svc-ndes in the IIS_IUSRS group? Check Event Viewer under Applications and Services Logs > Microsoft > Windows > NetworkDeviceEnrollmentService for specific error messages.

Part 2 — Certificate Templates and Group Policy

Certificate Templates

Template overview

Each device platform uses a different enrollment method, so each needs its own certificate template configured differently. In this part you will create three separate templates — one for Windows devices, one for Apple devices, and one for Chromebooks:

Template     Display name             Template name         Enrollment method                             Subject name source
Windows      EAP-TLS Windows Device   EAPTLSWindowsDevice   Group Policy autoenrollment                   Built from Active Directory (machine hostname)
Apple        EAP-TLS Apple Device     EAPTLSAppleDevice     SCEP via NDES                                 Supplied in the request by the device (serial number)
Chromebook   EAP-TLS Chrome Device    EAPTLSChromeDevice    SCEP via Google Cloud Certificate Connector   Supplied in the request by Google (device serial number)

Important: The key difference between the Windows template and the SCEP templates is in the Subject Name tab. The Windows template can look up the machine name from Active Directory. SCEP-based templates cannot do this — the device tells the CA who it is at the time of the request, so the template must be configured to accept that information rather than look it up.

The Apple and Chrome templates are also kept separate from each other because they use different subject name variable syntax, and keeping them separate makes troubleshooting and auditing much cleaner.

Template name vs. display name: The template name (no spaces) is used in registry settings, NDES configuration, and the GCCC adapter_config.json file. The display name is what appears in the console UI. Set both deliberately when creating each template.

Step 2.1 — Open the Certificate Templates console

In the Certification Authority console, right-click Certificate Templates and select Manage. This opens the Certificate Templates console in a separate window.


Template A — Windows Device Certificate

This template uses Active Directory autoenrollment and is scoped to the computer account.

1. In the Certificate Templates console, find the Computer template.
2. Right-click it and select Duplicate Template.

Compatibility tab:

• Set both fields to Windows Server 2012 R2 / Windows 8.1 or higher (matching your environment)

General tab:

• Template display name: EAP-TLS Windows Device
• Template name: EAPTLSWindowsDevice
• Validity period: 1 year
• Renewal period: 6 weeks
• Check Publish certificate in Active Directory

Subject Name tab:

• Select Build from this Active Directory information
• Subject name format: Common name
• Under "Include this information in alternate subject name", check DNS name

Extensions tab:

• Click Application Policies > Edit
• Confirm Client Authentication is present
• Click OK

Security tab:

• Find Domain Computers
• Check Allow for both Enroll and Autoenroll

Click OK to save.


Template B — Apple Device Certificate

This template is used by Apple devices enrolling via SCEP. The subject name is supplied by the device at enrollment time, not looked up from AD.

1. In the Certificate Templates console, find the Computer template again.
2. Right-click it and select Duplicate Template.

General tab:

• Template display name: EAP-TLS Apple Device
• Template name: EAPTLSAppleDevice (this exact string must match the EncryptionTemplate and SignatureTemplate values you entered in the registry in Step 1.11)
• Validity period: 1 year
• Renewal period: 6 weeks
• Leave Publish certificate in Active Directory unchecked — SCEP-enrolled devices are not AD objects

Subject Name tab:

• Select Supply in the request
• You will see a warning that the CA manager will need to approve each request. This is expected behaviour — for SCEP, NDES handles the approval automatically using the challenge password, so this does not result in manual approval queues.

Extensions tab:

• Click Application Policies > Edit
• Confirm Client Authentication is present
• Click OK

Security tab:

• Remove Domain Computers from the list (Apple devices are not domain members)
• Find or add the svc-ndes service account
• Grant svc-ndes: Read and Enroll (check Allow for both)

Click OK to save.


Template C — Chrome Device Certificate

This template is nearly identical to the Apple template but is kept separate to use Google-specific subject name conventions and to keep issuance auditing clean.

1. In the Certificate Templates console, find the Computer template again.
2. Right-click it and select Duplicate Template.

General tab:

• Template display name: EAP-TLS Chrome Device
• Template name: EAPTLSChromeDevice (this exact string must match what you entered in the registry in Step 1.11 and what you will enter in the GCCC adapter_config.json in Part 5)
• Validity period: 1 year
• Renewal period: 6 weeks
• Leave Publish certificate in Active Directory unchecked

Subject Name tab:

• Select Supply in the request
• Same reasoning as the Apple template — the Google Cloud Certificate Connector will supply the subject name based on the Chromebook's device serial number. You will see the same warning about CA manager approval; this is expected, and NDES handles approval via the challenge password automatically.

Extensions tab:

• Click Application Policies > Edit
• Confirm Client Authentication is present
• Click OK

Security tab:

• Remove Domain Computers from the list
• Find or add the svc-ndes service account
• Grant svc-ndes: Read and Enroll (check Allow for both)

Click OK to save.


Step 2.2 — Enable all three templates on your CA

Creating templates in the Certificate Templates console does not automatically make them available for issuance. You must add them to your CA.

1. Return to the Certification Authority console.
2. Right-click Certificate Templates and select New > Certificate Template to Issue.
3. Select EAP-TLS Windows Device and click OK.
4. Repeat steps 2–3 for EAP-TLS Apple Device.
5. Repeat steps 2–3 for EAP-TLS Chrome Device.

All three templates should now be listed under Certificate Templates in your CA.


Step 2.3 — Configure Windows computer auto-enrollment via Group Policy

Now you will tell all domain-joined Windows computers to automatically request a certificate using the Windows template.

1. Open Group Policy Management (run gpmc.msc).
2. Right-click the Default Domain Policy (or a dedicated GPO scoped to your computer accounts) and select Edit. All settings below are under Computer Configuration.

Note: For production environments it is best practice to create a dedicated GPO rather than editing the Default Domain Policy. For the purposes of this tutorial, either works.

2.3a — Publish the CA root certificate to all computers

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

Right-click and select Import. Import your CA's .cer file. This ensures all domain computers automatically trust certificates issued by your CA.

2.3b — Auto-enrollment for computer certificates

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment

• Set Configuration Model to Enabled
• Check both:
  • Renew expired certificates, update pending certificates, and remove revoked certificates
  • Update certificates that use certificate templates
• Click OK

2.3c — Automatic Certificate Request Settings

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings

Right-click and select New > Automatic Certificate Request. Follow the wizard and select the Computer certificate template (this provides the base request mechanism; auto-enrollment via the setting above handles the specific template targeting).

2.3d — Certificate Services Client – Certificate Enrollment Policy

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Certificate Enrollment Policy

• Set Configuration Model to Enabled
• Click OK

2.3e — Wireless Network Policy (802.1X)

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies

Right-click and select Create A New Wireless Network Policy for Windows Vista and Later. Configure the policy for your EAP-TLS SSID:

1. Click Add to add a new network profile.
2. Enter your SSID name. Check Connect automatically.
3. Set Security type to WPA2-Enterprise.
4. Set Encryption type to AES.
5. Click the Security tab, set Authentication method to Microsoft: Smart Card or other certificate.
6. Click Properties:
  • Check Use a certificate on this computer
  • Check Use simple certificate selection
  • Under Trusted Root Certification Authorities, check your CA
  • Click OK
7. Click OK to save the profile and click OK to close the policy.

Part 3 — Deploying Device Certificates to Windows Devices

With Group Policy configured, Windows domain computers will automatically enroll for the EAP-TLS Windows Device certificate. This part walks you through confirming it works.

Step 3.1 — Trigger enrollment on a test device

On a domain-joined Windows device, open Command Prompt or PowerShell as Administrator and run:

    gpupdate /force

This forces the computer to refresh Group Policy immediately. Certificate auto-enrollment is triggered as part of this process. Wait about 30 seconds, then run:

    certutil -pulse

This manually triggers the auto-enrollment process if gpupdate alone did not initiate it.

Step 3.2 — Verify the certificate in the computer store

1. Press Windows + R, type mmc, and press Enter.
2. Click File > Add/Remove Snap-in.
3. Select Certificates and click Add.
4. Choose Computer account, then Local computer. Click Finish, then OK.
5. In the MMC console, expand Certificates (Local Computer) > Personal > Certificates.
6. You should see a certificate with:
  • Issued By: your CA name (e.g., Contoso-Root-CA)
  • Template: EAP-TLS Windows Device
  • Intended Purposes: Client Authentication

Important: Make sure you are looking in the Computer store, not the User store. EAP-TLS device authentication requires the certificate to be in the computer's Personal store.

Step 3.3 — Confirm issuance in the CA console

On your CA server, open the Certification Authority console and expand Issued Certificates. You should see the certificate for your test device listed here, with the template column showing EAP-TLS Windows Device.
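The Step 3.2 check can be done from PowerShell on the test device, which also confirms two things the MMC view does not make obvious: that the private key is present and that the Client Authentication EKU is set. This is an added example, not part of the original tutorial; the CA name is the tutorial's Contoso-Root-CA placeholder.

```powershell
# Checks the Computer > Personal store for a usable EAP-TLS device certificate.
# Added example, not from the tutorial. Run as Administrator on the domain-joined device.
$TemplateDisplayName = 'EAP-TLS Windows Device'
$IssuerName          = 'Contoso-Root-CA'        # assumption: your CA name from Step 1.2
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Certificate Template Information (v2+ templates) is OID 1.3.6.1.4.1.311.21.7;
    # Windows formats it as "Template=<display name>(<template OID>), Major Version ..."
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { return $null }
    if ($ext.Format($false) -match 'Template=([^(]+)') { return $Matches[1].Trim() }
    return $null
}

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-TemplateName $_) -eq $TemplateDisplayName }

if (-not $candidates) {
    Write-Warning "No certificate from template '$TemplateDisplayName' in the Computer store."
    Write-Warning 'Re-run gpupdate /force and certutil -pulse, then check Failed Requests on the CA.'
    return
}

foreach ($cert in $candidates) {
    $issuer = $cert.GetNameInfo('SimpleName', $true)   # $true = issuer side of the cert
    $eku    = $cert.EnhancedKeyUsageList | ForEach-Object ObjectId
    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $issuer
        IssuedByOurCA   = ($issuer -eq $IssuerName)
        HasPrivateKey   = $cert.HasPrivateKey       # without it EAP-TLS cannot sign the handshake
        ClientAuthEKU   = ($eku -contains $ClientAuthOid)
        DaysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint      = $cert.Thumbprint
    }
}
```

All four boolean columns should be True; a certificate with HasPrivateKey False is typically one that was imported rather than enrolled and will fail 802.1X.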


        Part 4 — Deploying Device Certificates to Apple Devices (iOS & macOS)

        Apple devices do not join a Windows domain, so they cannot use Group Policy auto-enrollment.Policy. Instead, you will create a configuration profile using iMazing Profile Editor that instructs the device to request a certificate from your CA via SCEP/NDES.

        Step 4.1 — Export the CA root certificate

        Apple devices need to trust your CA before they will accept certificates it has issued. You must include the CA's root certificate in the configuration profile.

        1. On your CA server, open the Certification Authority console.
        2. Right-click your CA and select Properties.
        3. On the General tab, click View Certificate.
        4. Click the Details tab, then Copy to File.
        5. In the Export Wizard:
          • Select Base-64 encoded X.509 (.CER)
          • Saveand the filesave as Contoso-Root-CA.cer
        6. Click Finish.

        Step 4.2 — Obtain anthe NDES enrollment challenge password

        NDES uses a one-time challenge password to authorize each certificate request. You need to supply this password in the SCEP configuration profile.

        1. From a browser onOn your CA server, browseopen an incognito browser window and navigate to: http://localhost/certsrv/mscep_admin/
        2. Sign in using the svc-ndes account if prompted.
        3. The page will display athe static challenge password. Copy thisit passwordcarefullyitno isleading validor fortrailing a limited time (default 60 minutes) and is single-use.spaces.

        Note: In a production environment with many Apple devices, your MDM solution typically retrieves challenge passwords automatically via the NDES challenge URL. Consult your MDM documentation for details. For testing a single device manually, the approach above works fine.

        Step 4.3 — Build the configuration profile in iMazing Profile Editor

        1. Open iMazing Profile Editor onand your workstation.

        2. Clickclick New Profile.

        3. Fill in the General section:

          • Name: EAP-TLS Apple Device Certificate
          • Identifier: com.yourorg.eaptls.appledevice
          • Organization: Your organization name
        4. In the left panel, click + to addAdd a payload. Select Certificates. payload:

          • Click Add Certificate and import your Contoso-Root-CA.cer file
          • This installs your CA as a trusted root on the Apple device
        5. Add a SCEP payload and configure it as follows:

          • URL: http://your-ca-server/certsrv/mscep/mscep.dll (Replace your-ca-server with your server's hostname or IP)
          • Name: EAP-TLS Apple Device
          • Subject: CN=%SerialNumber% (This is Apple's built-in variable for the device serial number)
          • Challenge: Paste the challenge password you copied from Step 4.2
          • Key Size: 2048
          • Key Usage: Check both Signing and Encryption
          • CA Fingerprint: Paste the thumbprint of your CA certificate (open the .cer file in the Windows certificate viewer, go to the Details tab > Thumbprint)
        6. Save the profile as eaptls-apple-device.mobileconfig.
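        The export in Step 4.1 and the thumbprint lookup in Step 4.3 can also be done from PowerShell on the CA server. This is an added example, not part of the tutorial; it assumes the CA is a root CA (so its certificate is in the local machine Trusted Root store) and that the CA's Subject CN is Contoso-Root-CA.

```powershell
# Added example (not from the tutorial): export the CA root certificate as Base-64
# and print the thumbprint needed for the SCEP payload's CA Fingerprint field.
# Assumes a root CA whose Subject CN is $CaName (assumed value below).
param(
    [string]$CaName  = 'Contoso-Root-CA',
    [string]$OutFile = "$env:USERPROFILE\Desktop\Contoso-Root-CA.cer"
)

# A root CA's own certificate sits in the local machine Trusted Root store.
$ca = Get-ChildItem -Path Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -match "CN=$([regex]::Escape($CaName))" } |
      Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $ca) { throw "No certificate with CN=$CaName found in Cert:\LocalMachine\Root" }

# Export-Certificate writes DER; certutil -encode re-wraps it as Base-64 with PEM
# headers, which is the "Base-64 encoded X.509 (.CER)" option from Step 4.1's wizard.
$der = Join-Path $env:TEMP 'ca-der.cer'
Export-Certificate -Cert $ca -FilePath $der -Type CERT -Force | Out-Null
if (Test-Path $OutFile) { Remove-Item $OutFile }   # certutil -encode refuses to overwrite
certutil -encode $der $OutFile | Out-Null
Remove-Item $der

# Sanity check: the file must start with the PEM header or the profile import will fail.
$firstLine = Get-Content $OutFile -TotalCount 1
if ($firstLine -ne '-----BEGIN CERTIFICATE-----') { throw 'Export did not produce Base-64 output' }

# The Thumbprint property is the SHA-1 hash of the DER certificate, the same value
# shown under Details > Thumbprint in the Windows certificate viewer.
[pscustomobject]@{
    Subject    = $ca.Subject
    NotAfter   = $ca.NotAfter
    Thumbprint = $ca.Thumbprint
    ExportedTo = $OutFile
}
```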

        Step 4.4 — Deploy the profile via MDM

        The exact steps vary by MDM solution, but the general process is:

        1. Upload eaptls-apple-device.mobileconfig to your MDM as a new device configuration profile.
        2. Scope it to the device groups you want to target (e.g., all managed Macs, all managed iPhones).
        3. Push the profile. Devices will receive it at next MDM check-in.

        Step 4.5 — Verify on an Apple device

        On macOS:

        1. Open Keychain Access (Applications > Utilities).
        2. Select the System keychain.
        3. Look for a certificate with:
          • Issued by your CA
          • A Common Name matching the device serial number

        On iOS/iPadOS:

        1. Go to Settings > General > VPN & Device Management.
        2. Tap the profile. The SCEP payload should show a certificate issued by your CA.


        Part 5 — Deploying Device Certificates to Chromebooks

        Chromebooks cannot use Group Policy or Apple MDM profiles. Google provides the Google Cloud Certificate Connector (GCCC) — a lightweight Windows service that bridges your Google Admin Console to your Microsoft CA via SCEP/NDES. The setup has three phases: configuring a GCP project, setting up the connector on your CA server, and configuring the enrollment profile in Google Admin.

        The full request flow:

        Chromebook --> Google Admin --> Cloud Certificate Connector --> NDES --> Microsoft CA
                       (CSR submitted)  (forwards via SCEP)                      (issues cert)
             <-----------------------------------------------------
             (certificate pushed back to device via Device Management)

        Phase A — Configure the Google Cloud Project

        Before installing the connector, you need a GCP project with the correct APIs and service accounts set up. The connector uses Google Cloud Pub/Sub to receive certificate requests from Google Admin.

        Step 5.A.1 — Enable the Chrome Management API

        1. Open the Google Cloud Console (console.cloud.google.com) and select your project.
        2. In the search bar, search for Chrome Management API.
        3. Click on it and click Enable.

        Step 5.A.2 — Create a Pub/Sub topic

        The connector communicates with Google Admin via Google Cloud Pub/Sub. You need to create the topic that will carry certificate requests.

        1. In the GCP Console, navigate to Pub/Sub.
        2. Click Create Topic.
        3. Enter a descriptive Topic ID (e.g., chrome-cert-enrollment).
        4. Under Subscriptions, check Add a default subscription.
        5. Click Create.

        Step 5.A.3 — Grant Pub/Sub Publisher role to Google's service account

        Google's backend infrastructure needs permission to publish certificate requests to your topic.

        1. In the GCP Console, navigate to IAM & Admin → IAM.
        2. Click Add (Grant Access).
        3. In the New principals field, enter: cert-provisioning-api-pubsub-publisher@system.gserviceaccount.com
        4. Assign the role Pub/Sub Publisher.
        5. Click Save.

        Note: This is a well-known Google service account — it is not in your project's service account list. If your GCP organization has Domain Restricted Sharing enforced, you will need to exempt this service account from that policy before you can grant it access.

        Step 5.A.4 — Create a GCP service account for the connector

        The connector itself needs a service account to authenticate to Pub/Sub and pull certificate requests.

        1. Navigate to IAM & Admin → Service accounts.
        2. Click Create service account.
        3. Enter a descriptive name (e.g., gccc-connector-sa) and description. Click Create and continue.
        4. Assign the role Pub/Sub Subscriber.
        5. Click Done.

        Step 5.A.5 — Create and download the service account key

        1. Still in Service accounts, click on the service account you just created.
        2. Click the Keys tab.
        3. Click Add Key → Create a new key.
        4. Select JSON and click Create.
        5. A key.json file will be downloaded automatically. Copy this file to your CA server; you will place it in the GCCC installation folder in the next phase.
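        The five console steps of Phase A can also be run as Google Cloud CLI commands from a PowerShell session on a workstation with gcloud installed. This is an added example, not from the tutorial or from Google; the project ID is a placeholder and the topic, subscription and service account names are the example values used in the steps above.

```powershell
# Added example (not from the tutorial): Phase A as gcloud commands run from PowerShell.
# Assumes the Google Cloud CLI is installed and you are signed in with project rights.
$Project = 'your-project-id'                       # placeholder GCP project ID
$Topic   = 'chrome-cert-enrollment'                # Step 5.A.2 example topic ID
$Sub     = "$Topic-sub"                            # default subscription name
$SaName  = 'gccc-connector-sa'                     # Step 5.A.4 example name
$SaEmail = "$SaName@$Project.iam.gserviceaccount.com"
# Well-known Google service account from Step 5.A.3 (value as given in the tutorial)
$GooglePublisher = 'cert-provisioning-api-pubsub-publisher@system.gserviceaccount.com'

gcloud config set project $Project

# Step 5.A.1: enable the Chrome Management API
gcloud services enable chromemanagement.googleapis.com

# Step 5.A.2: the topic plus a pull subscription the connector will read from
gcloud pubsub topics create $Topic
gcloud pubsub subscriptions create $Sub --topic $Topic

# Step 5.A.3: let Google's backend publish requests. The console steps grant this at
# project level; binding it on the topic alone is the least-privilege equivalent.
gcloud pubsub topics add-iam-policy-binding $Topic `
    --member "serviceAccount:$GooglePublisher" --role roles/pubsub.publisher

# Step 5.A.4: service account for the connector with Pub/Sub Subscriber on the project
gcloud iam service-accounts create $SaName --display-name 'Google Cloud Certificate Connector'
gcloud projects add-iam-policy-binding $Project `
    --member "serviceAccount:$SaEmail" --role roles/pubsub.subscriber

# Step 5.A.5: key file for the connector. Treat key.json like a password:
# copy it only to the CA server and delete the local copy afterwards.
gcloud iam service-accounts keys create key.json --iam-account $SaEmail

# Values you will need later: the subscription resource name goes into
# adapter_config.json (Step 5.B.5); the topic name and service account email
# go into the Certificate Authority Connection in Google Admin (Step 5.C.1).
"projects/$Project/subscriptions/$Sub"
"projects/$Project/topics/$Topic"
$SaEmail
```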

        Phase B — Install and Configure the Google Cloud Certificate Connector

        Step 5.B.1 — Download the connector installer from Google Admin

        1. Sign in to the Google Admin Console (admin.google.com).
        2. Navigate to Devices > Networks.
        3. Scroll down to the Certificates section.
        4. Click Certificate Authority Connections.
        5. Click Download Connector (top right of the page).

    Step 5.B.2 — Install the connector

    1. Copy the downloaded connector_installer.exe to your CA server.
    2. Run it as Administrator.
    3. Accept the default installation path.
    4. Complete the installation. The installer registers a Windows service named Google Cloud Certificate Connector and sets it to run as LocalService by default.

    The installation directory will contain: connector.exe, configtool.exe, and messagefile.dll. This is where you will place your JSON files in the next steps.

    Step 5.B.3 — Place the service account key in the installation folder

    Copy the key.json file you downloaded in Step 5.A.5 into the GCCC installation folder:

    C:\Program Files\Google\Cloud Certificate Connector\

    Step 5.B.4 — Create the SCEP challenge file

    The connector needs the static NDES challenge password stored in a text file in its installation directory.

    1. Open Notepad (or any plain text editor — not Word).
    2. Open an incognito browser window and navigate to http://localhost/certsrv/mscep_admin/. Sign in as svc-ndes if prompted.
    3. Copy the enrollment challenge password — no leading or trailing spaces.
    4. Paste it into Notepad. Confirm there is nothing else in the file.
    5. Save as challenge-file.txt in the GCCC installation folder.

    Step 5.B.5 — Create the adapter configuration file

    The connector is configured via a JSON file named adapter_config.json placed in the installation folder. Create this file now.

    1. Open Notepad and create a new file.
    2. Paste the following JSON, replacing the placeholder values:
    {
      "adapter_configuration": {
        "request_subscriptions": [
          "projects/<YOUR-GCP-PROJECT-ID>/subscriptions/<YOUR-SUBSCRIPTION-ID>"
        ],
        "key_filename": "key.json"
      },
      "ca_configurations": [
        {
          "type": "SCEP",
          "ca_connection_config_id": "<YOUR-CA-CONNECTION-CONFIG-ID>",
          "ca_endpoint_url": "http://localhost/certsrv/mscep/mscep.dll",
          "challenge_filename": "challenge-file.txt"
        }
      ]
    }

    Replace:

    • <YOUR-GCP-PROJECT-ID> — your GCP project ID (found in the GCP Console dashboard)
    • <YOUR-SUBSCRIPTION-ID> — the subscription name created with your Pub/Sub topic (e.g., chrome-cert-enrollment-sub)
    • <YOUR-CA-CONNECTION-CONFIG-ID> — a short identifier string you will choose; this must exactly match the Certificate Authority connection configuration identifier you enter in Google Admin Console in Phase C below. For example: contoso-ndes-scep
    3. Save as adapter_config.json in the GCCC installation folder.

    Note: Since the connector is running on the same server as NDES, localhost is correct for the ca_endpoint_url. If you later move the connector to a separate server, replace localhost with the FQDN of your CA server, and ensure IIS is bound to HTTPS for that connection.

    Step 5.B.6 — Start the connector service

    1. Open Services (services.msc).
    2. Find Google Cloud Certificate Connector.
    3. Right-click and select Start.
    4. Confirm the service status shows Running.

    Verify the connector is working by opening Event Viewer → Windows Logs → Application and filtering by source GoogleCloudCertificateConnector. You should see entries roughly every 30 seconds showing pull requests being sent to Pub/Sub. This confirms the connector is authenticated and listening for certificate requests.
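    Before starting the service, the files assembled in Steps 5.B.3 to 5.B.5 can be checked in one pass. This preflight script is an added example, not part of the tutorial or of Google's connector; it assumes the default installation path, the file names used above, and that the identifier you will enter in Google Admin is contoso-ndes-scep.

```powershell
# Added example (not from the tutorial): preflight check of the connector folder.
# Assumes the default install path and the file names from Steps 5.B.3 - 5.B.5.
param(
    [string]$InstallDir = 'C:\Program Files\Google\Cloud Certificate Connector',
    [string]$ExpectedConfigId = 'contoso-ndes-scep'   # value you will enter in Step 5.C.1
)
$problems = New-Object System.Collections.Generic.List[string]

# 1. adapter_config.json must parse and point at files that exist.
$cfgPath = Join-Path $InstallDir 'adapter_config.json'
if (-not (Test-Path $cfgPath)) { throw "Missing $cfgPath" }
$cfg = Get-Content $cfgPath -Raw | ConvertFrom-Json

foreach ($sub in $cfg.adapter_configuration.request_subscriptions) {
    # Must be the full resource name with no leftover <placeholders>.
    if ($sub -notmatch '^projects/[^/<>]+/subscriptions/[^/<>]+$') {
        $problems.Add("request_subscriptions entry is not a full resource name: $sub")
    }
}
$keyPath = Join-Path $InstallDir $cfg.adapter_configuration.key_filename
if (-not (Test-Path $keyPath)) { $problems.Add("key file not found: $keyPath") }
elseif ((Get-Content $keyPath -Raw | ConvertFrom-Json).type -ne 'service_account') {
    $problems.Add("$keyPath is not a GCP service-account key")
}

foreach ($ca in $cfg.ca_configurations) {
    if ($ca.type -ne 'SCEP') { $problems.Add("unexpected CA type: $($ca.type)") }
    if ($ca.ca_connection_config_id -ne $ExpectedConfigId) {
        $problems.Add("ca_connection_config_id '$($ca.ca_connection_config_id)' != '$ExpectedConfigId'")
    }
    # 2. The challenge file must hold exactly one token: no BOM, newline or spaces.
    $chPath = Join-Path $InstallDir $ca.challenge_filename
    if (-not (Test-Path $chPath)) { $problems.Add("challenge file not found: $chPath"); continue }
    $bytes = [System.IO.File]::ReadAllBytes($chPath)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add("$chPath starts with a UTF-8 BOM; re-save it without a BOM")
    }
    $raw = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($raw.Length -eq 0 -or $raw -match '\s') {
        $problems.Add("$chPath is empty or contains whitespace / a trailing newline")
    }
    # 3. NDES must answer a SCEP GetCACaps query (RFC 8894) from this host.
    try {
        $r = Invoke-WebRequest -Uri "$($ca.ca_endpoint_url)?operation=GetCACaps&message=ca" -UseBasicParsing
        if ($r.StatusCode -ne 200 -or [string]::IsNullOrWhiteSpace($r.Content)) {
            $problems.Add("NDES GetCACaps returned status $($r.StatusCode) with no capabilities")
        }
    } catch { $problems.Add("NDES endpoint not reachable: $($_.Exception.Message)") }
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Connector preflight passed; start the service (Step 5.B.6) and watch the Application log.'
```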


    Phase C — Configure Google Admin Console

    Step 5.C.1 — Create a Certificate Authority Connection in Google Admin

    1. Sign in to the Google Admin Console.
    2. Navigate to Devices > Networks.
    3. Scroll down to Certificates and click Certificate Authority Connections.
    4. Click Add Connection.
    5. Select SCEP Certificate Authority connection and fill in:
      • Certificate Authority connection name: A descriptive label (e.g., Contoso NDES CA)
      • GCP service account email: The email of the service account you created in Step 5.A.4 (format: gccc-connector-sa@your-project-id.iam.gserviceaccount.com)
      • Pub/Sub topic: The full topic name from Step 5.A.2 (format: projects/your-project-id/topics/chrome-cert-enrollment)
      • Certificate Authority connection configuration identifier: Enter the same identifier you used in adapter_config.json (e.g., contoso-ndes-scep)

    This identifier must match exactly — it is how Google Admin links its configuration to the correct CA configuration entry in the connector's local config file.

    6. Click ADD.

    Step 5.C.2 — Create a Certificate Provisioning Profile

    1. Go back to the Certificates page (Devices → Networks, scroll to Certificates).
    2. Select the Organizational Unit containing your managed Chromebooks (or stay at root to apply to all).
    3. Click Certificate provisioning profiles.
    4. Click Add Profile.
    5. Configure the profile:
      • Certificate Authority connection: Select the connection you just created
      • Profile applies to: Device
      • Profile name: EAP-TLS Chrome Device
      • Days before certificate expiration to initiate renewal: 30
      • Authentication type: Remote attestation (recommended — this verifies the Chromebook is a legitimate managed device before issuing a certificate; choose None only if you need to support ChromeOS Flex or unmanaged devices)
      • Key usage: Check both Key encipherment and Signing
      • Subject name — Common name: ${DEVICE_SERIAL_NUMBER} (This is Google's variable for the Chromebook's device serial number; note that this uses ${DEVICE_SERIAL_NUMBER}, not %SerialNumber% as in the Apple profile)
      • Certificate template name: EAPTLSChromeDevice (This must exactly match the template name — not the display name — you created in Part 2; capitalization and spacing included)
      • Encryption key type: RSA key - 2048 bit (ECC is generally preferred for performance, but RSA is required when using a static SCEP challenge password as configured here)
    6. Under Organizational Units, select the OUs containing your managed Chromebooks.
    7. Click ADD.

    Google Admin will push the enrollment profile to managed Chromebooks at next policy refresh. You can also trigger an immediate sync from the device's detail page in the Admin Console.


    Step 5.D — Verify on a Chromebook

    1. On a managed Chromebook, open a browser tab and navigate to: chrome://settings/certificate-manager
    2. Under the section listing certificates being provisioned for your device, you should see your profile listed (e.g., EAP-TLS Chrome Device). Click the three-dot menu next to it to check enrollment status.
    3. Refresh after 30 seconds — the certificate should appear under Your certificates with:
      • Issued by your CA
      • A Common Name matching the Chromebook's serial number

    You can also confirm issuance from the CA side by opening Issued Certificates in the Certification Authority console and looking for entries showing the EAP-TLS Chrome Device template.


    Troubleshooting

    Certificate not appearing in the Windows computer certificate store

    • Run gpupdate /force followed by certutil -pulse on the affected device.
    • Confirm the device is domain-joined: run dsregcmd /status and check for DomainJoined: YES.
    • Check Certification Authority > Failed Requests on your CA. The reason column will indicate why the request was rejected.
    • Confirm that Domain Computers has both Enroll and Autoenroll permissions on the EAP-TLS Windows Device template.
    • Confirm the GPO is under Computer Configuration, not User Configuration. Run gpresult /r on the client and check that the GPO appears under Computer Settings > Applied GPOs.
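    Both the issued-certificate check in Step 5.D and the Failed Requests check above can be done from the CA database with certutil -view, without opening the console. This is an added example, not from the tutorial; it assumes it runs on the CA server and the serial number is a placeholder.

```powershell
# Added example (not from the tutorial): query the CA database to confirm a device's
# certificate was issued, or show recent failed requests with their disposition message
# (the "reason" column of the Failed Requests folder). $Serial is a placeholder.
param(
    [string]$Serial = 'EXAMPLE-SERIAL-123'   # placeholder device serial (subject CN)
)

# Disposition 20 = issued. The -restrict clause filters on the Common Name column,
# which holds the subject CN, i.e. the serial number for the device templates in this tutorial.
$issued = certutil -view -restrict "Disposition=20,CommonName=$Serial" `
                   -out "RequestID,CommonName,CertificateTemplate,NotBefore,NotAfter" 2>&1 |
          Out-String

# certutil ends its output with "Maximum Row Index: N", where N is the number of matching rows.
$count = 0
if ($issued -match 'Maximum Row Index:\s*(\d+)') { $count = [int]$Matches[1] }

if ($count -gt 0) {
    Write-Host "Found $count issued certificate(s) with CN=$Serial"
    $issued
} else {
    Write-Warning "No issued certificate with CN=$Serial; listing denied/failed requests."
    # Disposition 30 = denied, 31 = failed. DispositionMessage carries the rejection reason,
    # for example a template permission problem or a bad challenge password from NDES.
    certutil -view -restrict "Disposition>=30" `
             -out "RequestID,RequesterName,SubmittedWhen,DispositionMessage" 2>&1 |
        Out-String
}
```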

    Certificate not appearing on Apple devices

    • Confirm the MDM profile was successfully delivered — check the device status in your MDM console.
    • Verify the NDES SCEP URL is reachable from the device. Try browsing to it from Safari on the device — you should receive a response, not a connection timeout.
    • Check that the NDES challenge password has not been replaced. If you regenerated the static password on the server, update the profile in your MDM.
    • Confirm the svc-ndes service account has Read and Enroll permissions on the EAP-TLS Apple Device template.
    • Check Event Viewer on your CA server: Applications and Services Logs > Microsoft > Windows > NetworkDeviceEnrollmentService

    Certificate not appearing on Chromebooks

    • Check chrome://policy on the Chromebook and confirm RequiredClientCertificateForDevice is present. If it is not, the device or user is not in the correct OU.
    • In Google Admin Console, go to Devices > Chrome > Devices, find the affected device, and click Force Policy Sync.
    • Confirm the connector service is running on the CA server (services.msc).
    • Check the connector's event log: Event Viewer → Windows Logs → Application, filter by source GoogleCloudCertificateConnector. Every 30 seconds you should see pull request events. If you see OAuth errors, your key.json service account credential has been invalidated — generate a new key and restart the service.
    • Confirm that ca_connection_config_id in adapter_config.json exactly matches the Certificate Authority connection configuration identifier in Google Admin Console.
    • Confirm that template_name in adapter_config.json (or the Certificate template name in the Google Admin provisioning profile) exactly matches the template name (not display name) of the EAP-TLS Chrome Device template — capitalization and spacing must match.
    • If the connector logs show SCEP server returned failure: badRequest, the challenge password in challenge-file.txt no longer matches what NDES is serving. Retrieve a fresh password from http://localhost/certsrv/mscep_admin/, update the file, then restart the connector service.
    • Confirm the svc-ndes account has Read and Enroll on the EAP-TLS Chrome Device template, and Issue and Manage Certificates + Request Certificates at the CA level.

    EAP-TLS failing at authentication (device has a cert but cannot connect)

    • Confirm the client certificate has Client Authentication listed under Extended Key Usage. Check this in the certificate's Details tab on the device.
    • Confirm PacketFence trusts your CA: your CA root certificate must be imported into PacketFence's trusted CA store.
    • Check PacketFence's RADIUS logs for the specific rejection reason. Common causes: certificate chain not trusted, certificate expired, or subject name format not matching what PacketFence expects.
    • Verify the device's clock is accurate. Certificate validation is time-sensitive, and a significantly wrong clock will cause validation to fail.

    NDES challenge password page is inaccessible

    • Confirm the svc-ndes service account is set as the Identity for the SCEP application pool in IIS Manager.
    • Confirm IIS is running — open IIS Manager and check that the Default Web Site is started.
    • Confirm Load User Profile is set to True on the SCEP app pool (Step 1.9).
    • Confirm svc-ndes is in the local IIS_IUSRS group (Step 1.7).
    • Confirm svc-ndes has Issue and Manage Certificates and Request Certificates permissions on the CA itself, not just the templates (Step 1.6). In the Certification Authority console, right-click your CA > Properties > Security.

    Next Steps

    You now have a functioning Microsoft CA issuing device certificates to Windows, Apple, and Chromebook devices. The next step is to configure PacketFence to use your CA as the trust anchor for EAP-TLS authentication and to connect it to your Wi-Fi infrastructure via 802.1X.

    Specifically, you will need to:

    1. Import your CA root certificate into PacketFence so it can validate device certificates during EAP-TLS handshakes.
    2. Issue a RADIUS server certificate from your CA for PacketFence itself, so that devices can also validate the RADIUS server's identity — mutual authentication is a core requirement of EAP-TLS.
    3. Configure your wireless access points to point to PacketFence as their 802.1X RADIUS server.

    These steps are covered in the PacketFence documentation. The certificate infrastructure you have built in this tutorial is the foundation that all of those steps depend on.