The Certificate Provisioning API allows for certificate issuance for ChromeOS enterprise customers.
Create a Cloud Billing account
Before you can use Pub/Sub for certificates, you’ll need to set up a self-serve online Google Cloud Billing account.
Provisioning each certificate results in a single Pub/Sub message. For billing purposes, these messages are calculated at a minimum size of 1KB. For most organizations, Google anticipates that annual Pub/Sub usage for certificates will not exceed the 10 GiB/month free tier. For details about Pub/Sub pricing, go to Google Cloud documentation.
Set up
Configuring Pub/Sub for certificates involves multiple steps across the Google Cloud Project, Admin Console, and Google Cloud Certificate Connector (GCCC). For details, go to Configuring Certificate Enrollment for ChromeOS via SCEP.
Things to watch for
Domain Restricted Sharing (DRS)
As outlined in Configuring Certificate Enrollment for ChromeOS via SCEP, the Pub/Sub setup requires granting the Identity and Access Management (IAM) Pub/Sub Publisher role to a Google-owned service account which is external to your domain.
If domain restricted sharing is activated for the organization that’s affiliated with your Google Cloud Project, you’ll need to configure an exception from domain restricted sharing.
For details about Pub/Sub roles and permissions, go to Google Cloud documentation.