Add partner certification authority in Intune using SCEP

Use third-party certification authorities (CAs) with Intune. A third-party CA can provision mobile devices with new or renewed certificates by using the Simple Certificate Enrollment Protocol (SCEP), and can support Windows, iOS/iPadOS, Android, and macOS devices.

There are two parts to using this feature: the open-source API, and the Intune administrator tasks.

Part 1 - Use an open-source API
Microsoft created an API to integrate with Intune. Through the API you can validate certificates, send success or failure notifications, and use SSL (specifically an SSL socket factory) to communicate with Intune.

The API is available on the Intune SCEP API public GitHub repository for you to download and use in your solutions. Use this API with third-party SCEP servers to run custom challenge validation against Intune before SCEP provisions a certificate to a device.

Integrate with Intune SCEP management solution provides more details on using the API, its methods, and testing the solution you build.

Part 2 - Create the application and profile
Using an Azure Active Directory (Azure AD) application, you can delegate rights to Intune to handle SCEP requests coming from devices. The Azure AD application includes the application ID and authentication key values that are used within the API solution the developer creates. Administrators then create and deploy SCEP certificate profiles using Intune and can view reports on the deployment status on the devices.

This article provides an overview of this feature from an administrator's perspective, including creating the Azure AD application.


The following steps provide an overview of using SCEP for certificates in Intune:

  1. In Intune, an administrator creates a SCEP certificate profile, and then targets the profile to users or devices.
  2. The device checks in to Intune.
  3. Intune creates a unique SCEP challenge. It also adds integrity-check information, such as what the expected subject and SAN should be.
  4. Intune encrypts and signs both the challenge and the integrity-check information, and then sends this information to the device with the SCEP request.
  5. The device generates a certificate signing request (CSR) and a public/private key pair on the device, based on the SCEP certificate profile that's pushed from Intune. The private key never leaves the device.
  6. The CSR and the encrypted/signed challenge are sent to the third-party SCEP server endpoint.
  7. The SCEP server sends the CSR and the challenge to Intune. Intune then validates the signature, decrypts the payload, and compares the CSR to the integrity-check information.
  8. Intune sends back a response to the SCEP server, stating whether the challenge validation succeeded or not.
  9. If the challenge is successfully verified, the SCEP server issues the certificate to the device. If it is not, the SCEP server must refuse to issue: the challenge is what prevents a device from obtaining a certificate for a subject or SAN that the profile did not assign to it.

The following diagram shows a detailed flow of third-party SCEP integration with Intune:

[Diagram: How third-party certification authority SCEP integrates with Microsoft Intune]
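The checks in steps 3 through 9 are easier to reason about in code. The block below is an added example written for this page, not Intune's implementation or the SCEP API from the GitHub repository: the real challenge blob is signed and encrypted with Intune's own keys and the real CSR is PKCS#10, whereas this model integrity-protects the blob with a constructed HMAC key (only the validator holds it) and represents the CSR as a plain dictionary. Encryption of the blob is not modelled. The function names, the key, and the sample subject and SAN values are all invented for the example.

```python
"""Model of the challenge validation a third-party SCEP server relies on (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key standing in for Intune's signing key. Devices and the SCEP server
# carry the blob around but cannot forge or edit it without this key.
INTUNE_KEY = b"constructed-intune-signing-key"


class ChallengeStore:
    """Intune-side memory of challenges that were already consumed (replay protection)."""

    def __init__(self):
        self.used = set()


def intune_create_challenge(expected_subject, expected_sans, ttl_seconds=600, key=INTUNE_KEY):
    """Steps 3-4: a one-time challenge plus integrity-check data, signed for the device."""
    payload = {
        "challenge": secrets.token_hex(16),
        "subject": expected_subject,
        "sans": sorted(expected_sans),
        "exp": time.time() + ttl_seconds,
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def device_build_csr(subject, sans):
    """Step 5: the device builds a key pair and CSR (modelled as a dict, not PKCS#10)."""
    return {"subject": subject, "sans": sorted(sans), "spki": secrets.token_hex(16)}


def intune_validate(store, blob, csr, key=INTUNE_KEY):
    """Steps 7-8: verify the blob, then compare the CSR to what Intune expected."""
    body, _, mac = blob.rpartition(".")
    expected_mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, mac):
        return False, "challenge signature invalid"
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < time.time():
        return False, "challenge expired"
    if payload["challenge"] in store.used:
        return False, "challenge already used"
    if csr["subject"] != payload["subject"]:
        return False, "CSR subject does not match profile"
    if csr["sans"] != payload["sans"]:
        return False, "CSR SAN does not match profile"
    store.used.add(payload["challenge"])
    return True, "ok"


def scep_server_handle(store, blob, csr):
    """Steps 6-9: the SCEP server issues only after Intune confirms the challenge."""
    ok, reason = intune_validate(store, blob, csr)
    if not ok:
        return {"issued": False, "reason": reason}
    # Issue strictly from the validated CSR fields, never from anything sent alongside.
    return {"issued": True, "subject": csr["subject"], "sans": csr["sans"]}


def demo():
    """Honest enrollment plus four failure modes; returns the five SCEP server results."""
    store = ChallengeStore()
    subject, sans = "CN=user1@contoso.example", ["user1@contoso.example"]

    good_blob = intune_create_challenge(subject, sans)
    honest = scep_server_handle(store, good_blob, device_build_csr(subject, sans))

    # CSR asking for an identity the profile did not assign to this device
    tampered_csr = device_build_csr("CN=admin@contoso.example", sans)
    tampered = scep_server_handle(store, intune_create_challenge(subject, sans), tampered_csr)

    # Replaying an already consumed challenge with a fresh CSR
    replay = scep_server_handle(store, good_blob, device_build_csr(subject, sans))

    # Blob whose integrity-check data was edited in transit
    body, _, mac = good_blob.rpartition(".")
    forged = scep_server_handle(store, body + "x." + mac, device_build_csr(subject, sans))

    # Challenge that is past its lifetime
    stale_blob = intune_create_challenge(subject, sans, ttl_seconds=-1)
    stale = scep_server_handle(store, stale_blob, device_build_csr(subject, sans))
    return honest, tampered, replay, forged, stale


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of checks matters: the signature is verified before the payload is parsed or compared, so an attacker who controls the SCEP server's network path cannot probe which subject Intune expects by editing the blob and watching which comparison fails.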

Set up third-party CA integration

Validate third-party certification authority

Before integrating a third-party certification authority with Intune, confirm that the CA you're using supports Intune. Third-party CA partners (in this article) includes a list. You can also check your certification authority's guidance for more information; the CA may include setup instructions specific to its implementation.

Authorize communication between CA and Intune

To allow a third-party SCEP server to run custom challenge validation with Intune, create an app in Azure AD. This app is the identity the SCEP server uses to call Intune, and the application permission it holds is what lets Intune validate SCEP requests on its behalf.

Be sure you have the required permissions to register an Azure AD app. See Required permissions, in the Azure AD documentation.

Create an application in Azure Active Directory

  1. In the Azure portal, go to Azure Active Directory > App registrations, and then select New registration.

  2. On the Register an application page, specify the following details:

    • In the Name section, enter a meaningful application name.
    • For the Supported account types section, select Accounts in any organizational directory.
    • For Redirect URI, leave the default of Web, and then specify the sign-on URL for the third-party SCEP server.
  3. Select Register to create the application and to open the Overview page for the new app.

  4. On the app Overview page, copy the Application (client) ID value and record it for later use. You'll need this value later.

  5. In the navigation pane for the app, go to Certificates & secrets under Manage. Select the New client secret button. Enter a value in Description, select an option for Expires, and then choose Add to generate a value for the client secret. Record the expiry date you chose: the SCEP server stops being able to validate challenges when the secret expires, so a replacement secret must be issued and configured on the CA before that date.


    Before you leave this page, copy the value for the client secret and record it for later use with your third-party CA implementation. This value is not shown again. Be sure to review the guidance for your third-party CA on how they want the Application ID, Authentication Key, and Tenant ID configured.

  6. Record your Tenant ID. The Tenant ID is the domain text after the @ sign in your account. For example, if your account is *admin@name.onmicrosoft.com*, then your tenant ID is name.onmicrosoft.com. Azure AD also accepts the Directory (tenant) ID GUID shown on the app Overview page in place of the domain name; follow your CA's guidance on which form it expects.

  7. In the navigation pane for the app, go to API permissions under Manage, and then select Add a permission.

  8. On the Request API permissions page, select Intune, and then select Application permissions (not Delegated permissions: the SCEP server calls Intune as itself, with no signed-in user). Select the checkbox for scep_challenge_provider (SCEP challenge validation).

    Select Add permissions to save this configuration.

  9. Remain on the API permissions page, and select Grant admin consent for <your tenant name>, and then select Yes. Until consent is granted the permission is only requested, and Intune rejects validation calls from the app.

    The app registration process in Azure AD is complete.

Configure and deploy a SCEP certificate profile

As the administrator, create a SCEP certificate profile to target to users or devices. Then, assign the profile.

Removing certificates

When you unenroll or wipe the device, the certificates are removed from the device. The certificates aren't revoked. If an issued certificate must stop being trusted (for example after a device is lost), revoke it at the third-party CA and publish the revocation through that CA's CRL or OCSP service; Intune does not do this for you.

Third-party certification authority partners

The following third-party certification authorities support Intune:

If you're a third-party CA interested in integrating your product with Intune, review the API guidance:

See also