Add and assign digital certificates for managed devices

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Endpoint Education Upgrade; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Free and Cloud Identity Premium. Compare your edition

As an administrator, you can control user access to networks and apps with digital certificates. For example, to manage network access by mobile devices, set up a SCEP profile with a certificate, assign the profile to users, then require the SCEP profile for network access. As another example, to manage app access by computers, you can assign a certificate to computers with endpoint verification, then set up Context-Aware Access to require the certificate for app access.

Certificates can be set up for the following devices and apps:

Important considerations for certificates:

  • On Chrome OS versions 61–72, certificates added to an organizational unit are available to both network settings and kiosk apps on devices. On earlier versions, certificates are only available to the network settings on a device.
  • On Chrome OS version 73 and later, certificates added to an organizational unit are available to network settings, kiosk apps, and managed guest sessions on devices.
  • Some configurations using PEAP, TLS, and TTLS need server-side certificates to ensure accessibility.
  • To use certificates for an EAP Wi-Fi network, the device must be secured with a password, PIN, or pattern verification.
  • Don't upload certificates that contain private keys.
  • You can add up to 50 certificates in each organizational unit.

Add a digital certificate

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenNetworks.
  3. Click Certificates.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  5. Click Add Certificate.
  6. Enter a name for the certificate.
  7. Click Upload, select the PEM file, and click Open.
  8. Select the platforms that the certificate is a Certificate Authority for.
  9. Click Add.

Remove a digital certificate

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenNetworks.
  3. Click Certificates.
  4. Select the organizational unit you want to remove the certificate for. If you remove a certificate from the top organizational unit, the certificate is removed for your entire organization.
  5. Point to the row, and click Delete.

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
3095072732804364492
true
Search Help Center
true
true
true
true
true
73010
false
false