Digital Certificates & ChromeOS – NAC to the Rescue!
The phrase “game-changer” may get thrown around a bit too much, but it’s fair to say that when Google released ChromeOS and the Chromebook in 2011, it revolutionized the portable computer market. It had an especially large impact on the education market; by 2018 60% of all computers used in schools were Chromebooks. Thanks to their low price point and out-of-the-box security features, Chromebooks and ChromeBoxes (the 2012-released desktop appliance) are seeing wider adoption among businesses where users don’t need laptops with a ton of processing power. As Google Workspace (formerly GSuite) gains popularity as a cloud-based productivity suite, the seamless integration with ChromeOS makes it an even more attractive proposition.
Managing a large fleet of ChromeOS-based devices might sound a bit daunting, especially if you’re used to traditional operating systems like Windows and macOS which require some work to get them deployed, permissions set, applications installed, users set up, and the other million things you need to do to make sure everything is secure before your turn the computer over to a user. Thankfully Google’s Admin Console makes life incredibly easy – you can customize everything from the antivirus software to the wallpaper remotely from the web. And speaking of security, integrating with Portnox Cloud and Simple Certificate Enrollment Protocol (SCEP – more on this below) makes device enrollment simple, fast, and secure.
But First, Let’s Talk About Digital Certificates…
Digital certificates are an excellent way to add an extra layer of security to your network. Since over 80% of all data breaches involve user credentials, it’s imperative that network administrators rely on more than just a username and password to access corporate resources. Once upon a time, people used to seal their letters with wax and a special stamp that represented their family and position – that’s how you could verify communication was official. Certificates are the digital, modern-day version of wax sealing, just with a bit more sophistication and security.
Digital Certificates & Portnox
Portnox NAC supports X.509 digital certificates, a type of digital certificate you’ve definitely encountered if you’ve ever used a website that starts with HTTPS (which would be hard not to do since you’re reading this blog post).
An X.509 digital certificate contains an identity (a hostname, an organization, or an individual) and a public key, along with other attributes like an expiration date. The certificate is then signed, usually by a CA (certificate authority), although it can also be self–signed. When the certificate is signed by a CA, the holder of that certificate can then use the public key it contains in conjunction with the private key to establish secure communications with another party. In this case, Portnox NACaaS will check the certificate to ensure it’s signed, and not expired or revoked, before granting access to the network.
SCEP to the Rescue
As much as IT folks care about keeping the networks safe (and they care a lot!), the thought of deploying digital certificates en masse to all of your devices is enough to make even the most seasoned administrator weep. Thankfully, we also support SCEP – Simple Certificate Enrollment Protocol. SCEP offers a fully automated procedure for issuing certificates, compatible with most devices and operating systems.
Here’s a quick overview of how a SCEP server processes a request for a certificate with the Google Cloud
- The Google Cloud Certificate Connector is installed on a Windows server & creates an exclusive connection to your SCEP server
- Create a SCEP profile in the Google Admin console
- The device connects based on the profile & parameters you set, and requests a certificate
- The SCEP server issues a one-time password (the “challenge” password), transmitted to the client
- The client generates a key pair and sends the certificate signing request to the SCEP server along with the one-time password
- The SCEP server validates the client certificate data and makes the signed certificate available to the client
Assuming you are using Google Workspace, you can configure it to use Portnox NAC SCEP server to distribute digital certificates on Chromebooks.
You can find a step-by-step guide here; you will also need to integrate Portnox NACaaS with your Google Workspace directory. You can find a guide to doing that here.
Related Reading
Try Portnox Cloud for Free Today
Gain access to all of Portnox's powerful zero trust access control free capabilities for 30 days!