Configure Intune certificate profiles

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

After you've configured your infrastructure and certificates as described in Configure certificate infrastructure for SCEP or Configure certificate infrastructure for PFX, you can create certificate profiles. Here's the process:

  • Task 1: Export the Trusted Root CA certificate
  • Task 2: Create Trusted certificate profiles
  • Task 3: Create one of two certificate profile types:
    • SCEP certificate profiles
    • .PFX certificate profiles

Task 1: Export the Trusted Root CA certificate

Export the Trusted Root Certification Authorities (CA) certificate as a .cer file from the issuing CA, or from any device that trusts your issuing CA. Do not export the private key.

You'll import this certificate when you set up a Trusted certificate profile.
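As an added example (not from the original page), the export in Task 1 done from PowerShell on a Windows machine that trusts the issuing CA, followed by a check that the resulting .cer is a self-signed CA certificate and carries no private key. The CA name and output path are assumptions; substitute your own.

```powershell
# Added example, not part of the original page. Exports the trusted root CA
# certificate as a DER .cer file and verifies the file before it goes to Intune.
$caName  = 'Contoso Root CA'              # assumed subject CN of your root CA
$outFile = 'C:\Temp\ContosoRootCA.cer'    # assumed output path

# Find the root in the machine's Trusted Root store: subject matches the name and
# the certificate is self-signed (subject equals issuer). Prefer the newest one.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$caName*" -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $root) {
    throw "No self-signed certificate for '$caName' found in Cert:\LocalMachine\Root"
}

# -Type CERT writes only the DER-encoded public certificate. Export-Certificate
# never includes a private key; that is what Export-PfxCertificate does, and it
# must not be used here.
Export-Certificate -Cert $root -FilePath $outFile -Type CERT | Out-Null

# Reload the file and confirm what was written: a CA certificate, self-signed,
# with no private key attached.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $outFile
$basic = $check.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

[pscustomobject]@{
    Subject       = $check.Subject
    Thumbprint    = $check.Thumbprint
    SelfSigned    = ($check.Subject -eq $check.Issuer)
    IsCA          = [bool]$basic.CertificateAuthority
    HasPrivateKey = $check.HasPrivateKey     # must be False for the file you upload
    Expires       = $check.NotAfter
}
```

Record the thumbprint the check prints; comparing it with the thumbprint shown on the issuing CA is the quickest way to confirm you exported the right root and not an intermediate.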

Task 2: Create Trusted certificate profiles

You must create a Trusted certificate profile before you can create a Simple Certificate Enrollment Protocol (SCEP) or a PKCS #12 (.PFX) certificate profile. You need a Trusted certificate profile and an SCEP or .PFX profile for each mobile device platform.

To create a Trusted certificate profile

  1. In the Intune administration console, choose Policy > Add Policy, and choose a device platform. You can create a Trusted certificate profile for these devices:
    • Android 4 and later
    • Android for Work
    • iOS 7.1 and later
    • Mac OS X 10.9 and later
    • Windows 8.1 and later
    • Windows Phone 8.1 and later

  2. Add a Trusted Certificate Profile policy.

    Learn more: Manage settings and features on your devices with Microsoft Intune policies.

  3. Enter the requested information to configure the Trusted certificate profile settings for Android, iOS, Mac OS X, Windows 8.1, or Windows Phone 8.1.

  4. In the Certificate file setting, import the Trusted Root CA certificate (.cer file) that you exported from your issuing CA. The Destination store setting applies only to devices running Windows 8.1 and later, and only if the device has more than one certificate store.

  5. Choose Save Policy.

The new policy is shown in the Policy workspace. Now you can deploy it.

Note

Android and Android for Work devices will display a notice that a third party has installed a trusted certificate.

Task 3: Create SCEP or .PFX certificate profiles

After you create a Trusted CA certificate profile, create SCEP or .PFX certificate profiles for each platform you want to use. When you create an SCEP certificate profile, you must specify a Trusted certificate profile for that same platform. This links the two certificate profiles, but you still must deploy each profile separately.

To create an SCEP certificate profile

  1. In the Intune administration console, choose Policy > Add Policy, and choose a device platform. You can create an SCEP certificate profile for these devices:
    • Android 4 and later
    • Android for Work
    • iOS 7.1 and later
    • Mac OS X 10.9 and later
    • Windows 8.1 and later
    • Windows Phone 8.1 and later

  2. Add an SCEP Certificate Profile policy.

    Learn more: Manage settings and features on your devices with Microsoft Intune policies.

  3. Follow the instructions on the profile configuration page to configure the SCEP certificate profile settings.

    Note

    Under Subject name format, select Custom to enter a custom subject name format (in iOS profiles only).

    The two variables currently supported for the custom format are Common Name (CN) and Email (E). By using a combination of these variables and static strings, you can create a custom subject name format, like this one:

    CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US

    In this example, the admin created a subject name format that, in addition to the CN and E variables, uses static strings for the Organizational Unit, Organization, Location, State, and Country values. The CertStrToName function documents the supported attribute strings.

  4. Choose Save Policy.

The new policy is shown in the Policy workspace. Now you can deploy it.
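To make the custom subject name format in the note above concrete, here is an added example (not from the original page, and not Intune's own substitution code) that fills in the {{UserName}} and {{EmailAddress}} variables for a user and parses the result with the same X.500 string rules CertStrToName uses, so you can see which RDNs a request built from that string would carry. The two users are constructed; the quoting of values that contain a comma is this example's own safeguard, not documented Intune behaviour.

```powershell
# Added example, not part of the original page. Expands the two supported
# variables in a custom subject name format and parses the resulting string.
function Expand-SubjectNameFormat {
    param(
        [Parameter(Mandatory)] [string]    $Format,
        [Parameter(Mandatory)] [hashtable] $Values   # keys: UserName, EmailAddress
    )
    $supported = @('UserName', 'EmailAddress')       # the only variables the page lists
    $sb  = New-Object System.Text.StringBuilder
    $pos = 0
    foreach ($m in [regex]::Matches($Format, '\{\{(\w+)\}\}')) {
        [void]$sb.Append($Format.Substring($pos, $m.Index - $pos))
        $name = $m.Groups[1].Value
        if ($name -notin $supported) {
            throw "Unsupported variable {{$name}}; only {{UserName}} and {{EmailAddress}} are supported"
        }
        $v = [string]$Values[$name]
        # An unquoted comma, '=' or similar inside a value would be parsed as the
        # start of another RDN. Quote such values, doubling any embedded quotes,
        # which is the quoting form CertStrToName accepts.
        if ($v -match '[,=+"<>;#]') { $v = '"' + ($v -replace '"', '""') + '"' }
        [void]$sb.Append($v)
        $pos = $m.Index + $m.Length
    }
    [void]$sb.Append($Format.Substring($pos))
    return $sb.ToString()
}

$format = 'CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US'

$users = @(
    @{ UserName = 'jdoe';      EmailAddress = 'jdoe@contoso.com' }       # constructed
    @{ UserName = 'Doe, Jane'; EmailAddress = 'jane.doe@contoso.com' }   # constructed: comma in CN
)

foreach ($user in $users) {
    $subject = Expand-SubjectNameFormat -Format $format -Values $user
    # X500DistinguishedName parses X.500 strings with the same syntax rules as
    # CertStrToName (CERT_X500_NAME_STR), so the RDNs it lists are the ones a
    # certificate request built from this subject would contain.
    $dn = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($subject)
    ""
    $subject
    $dn.Format($true)    # one RDN per line; expect exactly seven for both users
}
```

If the second user's CN were left unquoted, the parse would yield an extra RDN ("Jane") rather than a single CN, which is the kind of subject mismatch that later makes a certificate fail to match the user record it is meant for.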

To create a .PFX certificate profile

  1. In the Intune administration console, choose Policy > Add Policy, and choose a device platform. .PFX certificates are supported for:

    • Android 4 and later
    • Android for Work
    • Windows 10 and later
    • Windows Phone 10 and later
    • iOS 8.0 and later
  2. Add a .PFX Certificate Profile policy. Learn more: Manage settings and features on your devices with Microsoft Intune policies.

  3. Enter the information requested on the policy form.
  4. Choose Save Policy.

The new policy is shown in the Policy workspace. Now you can deploy it.

Deploy certificate profiles

When you deploy certificate profiles, the certificate file from the Trusted CA certificate profile is installed on the device. The device then uses the SCEP or .PFX certificate profile to generate its own certificate request.

Certificate profiles install only on devices running the platform you chose when you created the profile.

  • You can deploy certificate profiles to user collections or to device collections.

    Tip

    To publish a certificate to a device quickly after the device enrolls, deploy the certificate profile to a user group rather than to a device group. If you deploy to a device group, a full device registration is required before the device receives policies.

  • Although you deploy each profile separately, you must deploy both the Trusted Root CA profile and the SCEP or .PFX profile. Otherwise, the SCEP or .PFX certificate policy fails.

Deploy certificate profiles the same way you deploy other policies for Intune:

  1. In the Policy workspace, select the policy you want to deploy, and then choose Manage Deployment.
  2. In the Manage Deployment dialog box:
    • To deploy the policy, select one or more groups to deploy the policy to, and then choose Add > OK.
    • To close the dialog box without deploying the policy, choose Cancel.

When you select a deployed policy, you can see more information about the deployment in the lower part of the list of policies.

Next steps

Next, learn how to use certificates to help secure email, Wi-Fi, and VPN profiles.