Configure certificate infrastructure

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

This topic describes what you need in order to create and deploy .PFX certificate profiles.

To do any certificate-based authentication in your organization, you need an Enterprise Certification Authority.

To use .PFX certificate profiles, in addition to the Enterprise Certification Authority, you also need:

  • A computer that can communicate with the Certification Authority (or you can use the Certification Authority computer itself).

  • The Intune Certificate Connector, which runs on the computer that can communicate with the Certification Authority.

On-premises infrastructure description

  • Active Directory domain: All servers listed in this section (except for the Web Application Proxy server) must be joined to your Active Directory domain.

  • Certification Authority: An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A standalone CA is not supported. For instructions on how to set up a Certification Authority, see Install the Certification Authority. If your CA runs Windows Server 2008 R2, you must install the hotfix from KB2483564.

  • Computer that can communicate with the Certification Authority: Alternatively, use the Certification Authority computer itself.

  • Microsoft Intune Certificate Connector: Use the Intune admin console to download the Certificate Connector installer (ndesconnectorssetup.exe), then run ndesconnectorssetup.exe on the computer where you want to install the Certificate Connector. For .PFX certificate profiles, install the Certificate Connector on the computer that communicates with the Certification Authority.
  • Web Application Proxy server (optional): You can use a server that runs Windows Server 2012 R2 or later as a Web Application Proxy (WAP) server. This configuration:

    • Allows devices to receive certificates over an Internet connection.
    • Is the recommended secure configuration when devices connect through the Internet to receive and renew certificates.

    • The server that hosts WAP must have an update installed that enables support for the long URLs used by the Network Device Enrollment Service (NDES). This update is included in the December 2014 update rollup, or is available individually from KB3011135.
    • The server that hosts WAP must also have an SSL certificate that matches the name being published to external clients, and must trust the SSL certificate used on the NDES server. These certificates let the WAP server terminate the SSL connection from clients and open a new SSL connection to the NDES server. For information about certificates for WAP, see the Plan certificates section of Planning to Publish Applications Using Web Application Proxy. For general information about WAP servers, see Working with Web Application Proxy.

Certificates and templates

Object: Details

  • Certificate template: You configure this template on your issuing CA.
  • Trusted Root CA certificate: You export this as a .cer file from the issuing CA, or from any device that trusts the issuing CA, and deploy it to devices by using the Trusted CA certificate profile.

You use a single Trusted Root CA certificate per operating system platform, and associate it with each Trusted Root Certificate profile you create.

You can use additional Trusted Root CA certificates when needed. For example, you might do this to establish trust in a CA that signs the server authentication certificates for your Wi-Fi access points.

Configure your infrastructure

Before you can configure certificate profiles, you must complete the following tasks. These tasks require knowledge of Windows Server 2012 R2 and Active Directory Certificate Services (ADCS):

  • Task 1 - Configure certificate templates on the certification authority.
  • Task 2 - Enable, install, and configure the Intune Certificate Connector.

Task 1 - Configure certificate templates on the certification authority

In this task, you create and publish the certificate template.

To configure the certification authority
  1. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or duplicate and edit an existing template (such as the User template), for use with .PFX.

    The template must include the following:

    • A friendly Template display name for the template.

    • On the Subject Name tab, Supply in the request selected.

    • On the Extensions tab, Client Authentication listed under the Description of Application Policies.

      For iOS and Mac OS X certificate templates, on the Extensions tab, edit Key Usage and make sure that Signature is proof of origin is not selected.

  2. Review the Validity period on the General tab of the template. By default, Intune uses the value configured in the template. However, you can configure the CA to allow the requester to specify a different value, which you can then set from within the Intune administrator console. If you always want to use the value in the template, skip the remainder of this step.

    The iOS and Mac OS X platforms always use the value set in the template, regardless of any other configuration you make.

    To configure the CA to allow the requester to specify the validity period, run the following commands on the CA:

    a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

    b. net stop certsvc

    c. net start certsvc

  3. On the issuing CA, use the Certification Authority snap-in to publish the certificate template.

    a. Select the Certificate Templates node, click Action > New > Certificate Template to Issue, and then select the template you created in step 1.

    b. Confirm that the template was published by viewing it under the Certificate Templates folder.

  4. Make sure that the computer account of the computer that hosts the Intune Certificate Connector has the Enroll permission on the template used for the .PFX profile. You grant that permission on the Security tab of the template's properties in the Certificate Templates snap-in. Because the template has Supply in the request enabled and includes Client Authentication, any principal allowed to enroll can obtain a client authentication certificate for a subject of its choosing, so limit Enroll to the connector's computer account rather than to broad groups such as Domain Computers or Authenticated Users.
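The following PowerShell script is an added example, not part of the Intune documentation, that verifies and applies the Task 1 settings from an elevated prompt on the issuing CA. It reads the template's attributes from the Configuration partition to confirm Supply in the request, the Client Authentication application policy and (for iOS/macOS templates) that the proof-of-origin key usage is clear, checks which identities hold the Enroll right on the template, sets EDITF_ATTRIBUTEENDDATE for step 2, and publishes the template for step 3 using certutil -SetCATemplates. The template name (IntunePfxUser) and connector host name (INTUNECONN01) are assumptions; it requires the RSAT ActiveDirectory module.

```powershell
# Added example (not from the Intune documentation). Run elevated on the issuing CA.
# Assumptions: template display/common name and connector host name below are placeholders.
$TemplateName  = 'IntunePfxUser'    # assumed: the template you duplicated from User
$ConnectorHost = 'INTUNECONN01'     # assumed: computer that will run the Certificate Connector

Import-Module ActiveDirectory

# --- Step 1 checks: templates live in the Configuration partition ---
$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $templatesDn -Filter "name -eq '$TemplateName'" `
        -Properties 'msPKI-Certificate-Name-Flag','pKIExtendedKeyUsage','pKIKeyUsage'
if (-not $tpl) { throw "Template '$TemplateName' not found under $templatesDn" }

# 'Supply in the request' is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) in msPKI-Certificate-Name-Flag
$suppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
# Client Authentication EKU OID
$hasClientAuth   = $tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2'
# pKIKeyUsage is the X.509 KeyUsage bit string; nonRepudiation ("Signature is proof of origin") is 0x40 in byte 0
$proofOfOrigin   = ($tpl.pKIKeyUsage.Count -gt 0) -and (($tpl.pKIKeyUsage[0] -band 0x40) -ne 0)

"Supply in the request : $suppliesSubject (must be True)"
"Client Authentication : $hasClientAuth (must be True)"
"Proof-of-origin KU    : $proofOfOrigin (must be False for iOS / Mac OS X templates)"

# --- Step 4 check: who holds the Enroll extended right on the template? ---
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
$enrollees = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollGuid } |
    ForEach-Object { $_.IdentityReference.Value }
"Identities with Enroll: $($enrollees -join ', ')"
$hostPattern = '\\' + [regex]::Escape($ConnectorHost) + '\$$'   # DOMAIN\INTUNECONN01$
if (-not ($enrollees -match $hostPattern)) {
    Write-Warning "$ConnectorHost`$ does not have Enroll on $TemplateName"
}
# Because the template allows the enrollee to supply the subject, broad groups here are a risk.
$broad = $enrollees -match '\\(Domain Computers|Domain Users|Authenticated Users)$'
if ($broad) { Write-Warning "Broad Enroll grant on $TemplateName : $($broad -join ', ')" }

# --- Step 2 (optional): let the requester set the validity period ---
certutil -setreg Policy\EditFlags '+EDITF_ATTRIBUTEENDDATE' | Out-Null
Restart-Service CertSvc
if ((certutil -getreg Policy\EditFlags) -match 'EDITF_ATTRIBUTEENDDATE') {
    'EDITF_ATTRIBUTEENDDATE is set on the CA policy module'
} else { throw 'EDITF_ATTRIBUTEENDDATE was not set' }

# --- Step 3: publish the template and confirm it is in the CA's issuable list ---
certutil -SetCATemplates "+$TemplateName" | Out-Null
$published = '^' + [regex]::Escape($TemplateName) + ':'
if ((certutil -CATemplates) -match $published) { "$TemplateName is published on this CA" }
else { throw "$TemplateName is not in the CA's issuable template list" }
```

The Enroll check reads the template's own ACL, which is where step 4's permission actually lives; the CA's Security tab controls Request Certificates and management rights on the CA, not access to an individual template. Skip the EDITF_ATTRIBUTEENDDATE section if you always want the validity period from the template.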

Task 2 - Enable, install, and configure the Intune Certificate Connector

In this task you will:

Download, install, and configure the Certificate Connector.

To enable support for the Certificate Connector
  1. Open the Intune administration console, and choose Admin > Certificate Connector.

  2. Choose Configure On-Premises Certificate Connector.

  3. Select Enable Certificate Connector, and then choose OK.

To download, install, and configure the Certificate Connector
  1. Open the Intune administration console, and then choose Admin > Mobile Device Management > Certificate Connector > Download Certificate Connector.

  2. After the download completes, run the downloaded installer (ndesconnectorssetup.exe).

    Run the installer on the computer that can connect to the Certification Authority. Choose the .PFX Distribution option, and then choose Install. When the installation has completed, continue by creating a certificate profile as described in Configure certificate profiles.

  3. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client authentication certificate you installed in Task 3.

    After you select the client authentication certificate, you are returned to the Client Certificate for Microsoft Intune Certificate Connector page. Although the certificate you selected is not shown, choose Next to view the properties of that certificate. Then choose Next, and then Install.

  4. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

    If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following command:

  5. In the Certificate Connector UI:

    a. Choose Sign In and enter your Intune service administrator credentials, or the credentials of a tenant administrator with the global administration permission.

    b. Select the Advanced tab, and then provide credentials for an account that has the Issue and Manage Certificates permission on your issuing Certificate Authority.

    c. Choose Apply.

    You can now close the Certificate Connector UI.

  6. Open a command prompt and type services.msc, then press Enter. Right-click the Intune Connector Service and choose Restart.

Next steps

You are now ready to set up certificate profiles, as described in Configure certificate profiles.
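The following PowerShell script is an added example, not part of the Intune documentation, for the connector host after step 6. It checks that this computer can actually reach the CA's request interface with certutil -ping, lists the templates the CA offers to the calling account so you can see the .PFX template is issuable, and then restarts the Intune Connector Service by display name and waits for it to come back. The CA configuration string (ca01.corp.contoso.com\Contoso Issuing CA) is an assumption; replace it with your own "CAHostFQDN\CA common name".

```powershell
# Added example (not from the Intune documentation). Run on the computer that hosts the Certificate Connector.
$CaConfig = 'ca01.corp.contoso.com\Contoso Issuing CA'   # assumed: "CAHostFQDN\CA common name"

# 1. Connectivity: certutil -ping exercises the CA's ICertRequest DCOM interface, the same path
#    the connector uses to submit .PFX requests. A failure here means name resolution, RPC/DCOM
#    ports or the CA's DCOM permissions need fixing before the connector will work.
certutil -ping -config $CaConfig
if ($LASTEXITCODE -ne 0) { throw "Cannot reach $CaConfig from $env:COMPUTERNAME" }

# 2. Templates the CA will issue, evaluated for the account running this script. The .PFX
#    template should appear here; if it is missing, Task 1 step 3 was not completed. Note that
#    the connector enrolls as this computer's account, so run this as SYSTEM to see its view.
certutil -config $CaConfig -CATemplates

# 3. Restart the connector service so the credentials saved in the Certificate Connector UI are
#    picked up, then confirm it is running again.
$svc = Get-Service -DisplayName 'Intune Connector Service'
if (-not $svc) { throw 'Intune Connector Service is not installed on this computer' }
Restart-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
$svc.Refresh()
'{0} ({1}) is {2}' -f $svc.DisplayName, $svc.Name, $svc.Status
```

If step 1 succeeds but step 2 shows the template with access denied, the Enroll permission from Task 1 step 4 is missing for the identity you ran the check as, which for the connector itself is the computer account.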