Configure and use PKCS certificates with Intune

Intune supports the use of private and public key pair (PKCS) certificates. This article can help you configure the required infrastructure, such as on-premises certificate connectors, export a PKCS certificate, and then add the certificate to an Intune device configuration profile.

Microsoft Intune includes built-in settings to use PKCS certificates for access and authentication to your organization's resources. Certificates authenticate and secure access to your corporate resources, such as a VPN or a WiFi network. You deploy these settings to devices using device configuration profiles in Intune.

For information about using imported PKCS certificates, see Imported PFX Certificates.

Requirements

To use PKCS certificates with Intune, you need the following infrastructure:

  • Active Directory domain:
    All servers listed in this section must be joined to your Active Directory domain.

    For more information about installing and configuring Active Directory Domain Services (AD DS), see AD DS Design and Planning.

  • Certification Authority:
    An Enterprise Certification Authority (CA).

    For information on installing and configuring Active Directory Certificate Services (AD CS), see Active Directory Certificate Services Step-by-Step Guide.

    Warning

    Intune requires you to run AD CS with an Enterprise Certification Authority (CA), not a Standalone CA.

  • A client:
    To connect to the Enterprise CA.

  • Root certificate:
    An exported copy of your root certificate from your Enterprise CA.

  • PFX Certificate Connector for Microsoft Intune:

    For information about the PFX Certificate Connector, including prerequisites and release versions, see Certificate connectors.

    Important

    Beginning with the release of the PFX Certificate Connector, version 6.2008.60.607, the Microsoft Intune Connector is no longer required for PKCS certificate profiles. The PFX Certificate Connector supports issuing PKCS certificates to all device platforms. This includes the following platforms, which aren't supported by the Microsoft Intune Connector:

    • Android Enterprise – Fully Managed
    • Android Enterprise – Dedicated
    • Android Enterprise – Corporate Owned Work Profile

Export the root certificate from the Enterprise CA

To authenticate a device with VPN, WiFi, or other resources, a device needs a root or intermediate CA certificate. The following steps explain how to get the required certificate from your Enterprise CA.

Use a command line:

  1. Log in to the Root Certification Authority server with an Administrator account.

  2. Go to Start > Run, and then enter Cmd to open a command prompt.

  3. Run certutil -ca.cert ca_name.cer to export the Root certificate as a file named ca_name.cer.
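The export step above, followed by a check that the file you are about to upload to a trusted certificate profile really is a CA certificate. This is an added example, not code from the Intune documentation or from Microsoft; the output path and the Test-CaCertificateFile function name are assumptions for this example, and it runs on the CA server where certutil exports the local CA's certificate.

```powershell
# Added example (not from the Intune documentation): export the CA certificate with certutil,
# then verify the exported .cer before uploading it to a trusted certificate profile.
# The file path is an assumption for this example.
$CerPath = Join-Path $env:TEMP 'ca_name.cer'

# Same command the article gives; run on the CA server it exports that CA's own certificate.
& certutil.exe -ca.cert $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

function Test-CaCertificateFile {
    param([Parameter(Mandatory)][string]$Path)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

    # Basic Constraints must assert CA=TRUE; a leaf certificate is not a valid trust anchor.
    $basicConstraints = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = [bool]($basicConstraints -and $basicConstraints.CertificateAuthority)

    # A root CA is self-issued; an intermediate CA has a different issuer. Either can be used
    # in the trusted certificate profile, but knowing which one you exported matters for chains.
    $isRoot = ($cert.Subject -eq $cert.Issuer)

    # Only the public certificate is distributed to devices; a private key here is a mistake.
    if ($cert.HasPrivateKey) { throw "Exported file unexpectedly contains a private key" }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        IsCa       = $isCa
        IsRoot     = $isRoot
        NotAfter   = $cert.NotAfter
    }
}

$result = Test-CaCertificateFile -Path $CerPath
if (-not $result.IsCa) { throw "$CerPath is not a CA certificate; export it from the CA, not from a leaf." }
$result
```

Keep the returned thumbprint; comparing it against the certificate that later appears on an enrolled device is the quickest way to confirm the trusted certificate profile delivered the right anchor.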

Configure certificate templates on the CA

  1. Sign in to your Enterprise CA with an account that has administrative privileges.

  2. Open the Certification Authority console, right-click Certificate Templates, and select Manage.

  3. Find the User certificate template, right-click it, and choose Duplicate Template to open Properties of New Template.

    Note

    For S/MIME email signing and encryption scenarios, many administrators use separate certificates for signing and encryption. If you're using Microsoft Active Directory Certificate Services, you can use the Exchange Signature Only template for S/MIME email signing certificates, and the Exchange User template for S/MIME encryption certificates. If you're using a third-party certification authority, review their guidance to set up signing and encryption templates.

  4. On the Compatibility tab:

    • Set Certification Authority to Windows Server 2008 R2
    • Set Certificate recipient to Windows 7 / Server 2008 R2
  5. On the General tab, set Template display name to something meaningful to you.

    Warning

    By default, Template name is the same as Template display name, with no spaces. Note the template name; you need it later.

  6. In Request Handling, select Allow private key to be exported.

    Note

    In contrast to SCEP, with PKCS the certificate private key is generated on the server where the connector is installed, not on the device. The certificate template must allow the private key to be exported so that the certificate connector can export the PFX certificate and send it to the device.

    Note, however, that the certificates are installed on the device itself with the private key marked as not exportable.

  7. In Cryptography, confirm that the Minimum key size is set to 2048.

  8. In Subject Name, choose Supply in the request.

  9. In Extensions, confirm that you see Encrypting File System, Secure Email, and Client Authentication under Application Policies.

    Important

    For iOS/iPadOS certificate templates, go to the Extensions tab, update Key Usage, and confirm that Signature is proof of origin isn't selected.

  10. In Security, add the Computer Account for the server where you install the Microsoft Intune Connector. Allow this account Read and Enroll permissions.

  11. Select Apply > OK to save the certificate template. Close the Certificate Templates Console.

  12. In the Certification Authority console, right-click Certificate Templates > New > Certificate Template to Issue. Choose the template that you created in the previous steps. Select OK.

  13. For the server to manage certificates for enrolled devices and users, use the following steps:

    1. Right-click the Certification Authority, and choose Properties.
    2. On the Security tab, add the Computer account of the server where you run the connectors (Microsoft Intune Connector or PFX Certificate Connector for Microsoft Intune).
    3. Grant the Issue and Manage Certificates and Request Certificates Allow permissions to the computer account.
  14. Sign out of the Enterprise CA.
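The template steps above are done in the console, so nothing records whether the result matches what this section asks for. The script below audits a published template against those settings (exportable key, subject supplied in the request, 2048-bit minimum, the three application policies, the Key Usage bit the iOS/iPadOS note mentions) and lists every principal that holds Enroll, which matters because a template that takes its subject from the request and hands out exportable keys should be enrollable only by the connector's computer account. This is an added example, not code from the Intune documentation or from Microsoft; it reads the template object from the Configuration partition with the ActiveDirectory module, and the template name and connector computer account at the bottom are assumptions to replace with your own.

```powershell
# Added example, not from the Intune documentation: audit a certificate template against the
# settings this section asks for. Requires the ActiveDirectory module (RSAT) on a domain-joined
# machine. Template name and connector computer account are assumptions for this example.
Import-Module ActiveDirectory

function Test-IntunePkcsTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,       # the Template name, not the display name
        [Parameter(Mandatory)][string]$ConnectorComputer   # e.g. 'CONTOSO\PFXCONNECTOR01$'
    )

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $props = @(
        'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag', 'msPKI-Minimal-Key-Size',
        'pKIExtendedKeyUsage', 'pKIKeyUsage', 'nTSecurityDescriptor'
    )
    $t = Get-ADObject -Identity $dn -Properties $props

    # Flag bits as defined in MS-CRTD.
    $CT_FLAG_EXPORTABLE_KEY            = 0x10   # Request Handling > Allow private key to be exported
    $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x01   # Subject Name > Supply in the request

    # Application policies the article expects under Extensions > Application Policies.
    $requiredEku = @{
        'Client Authentication'  = '1.3.6.1.5.5.7.3.2'
        'Secure Email'           = '1.3.6.1.5.5.7.3.4'
        'Encrypting File System' = '1.3.6.1.4.1.311.10.3.4'
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not ($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)) {
        $findings.Add('Request Handling: "Allow private key to be exported" is not set; the connector cannot build the PFX.')
    }
    if (-not ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) {
        $findings.Add('Subject Name: "Supply in the request" is not set; Intune cannot populate the subject from the profile.')
    }
    if ($t.'msPKI-Minimal-Key-Size' -lt 2048) {
        $findings.Add("Cryptography: minimum key size is $($t.'msPKI-Minimal-Key-Size'); expected 2048.")
    }
    foreach ($name in $requiredEku.Keys) {
        if ($t.pKIExtendedKeyUsage -notcontains $requiredEku[$name]) {
            $findings.Add("Extensions: application policy '$name' ($($requiredEku[$name])) is missing.")
        }
    }
    # pKIKeyUsage holds the raw KeyUsage bit-string octets; 0x40 in the first byte is
    # nonRepudiation, shown in the console as "Signature is proof of origin".
    if ($t.pKIKeyUsage -and ($t.pKIKeyUsage[0] -band 0x40)) {
        $findings.Add('Extensions > Key Usage: "Signature is proof of origin" is selected; clear it for iOS/iPadOS templates.')
    }

    # The subject comes from the request and the key is exportable, so Enroll should be held only
    # by the connector's computer account. Only explicit Enroll entries are listed; a principal with
    # Full Control on the template also has Enroll, so review those separately.
    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
    $enrollers = @($t.nTSecurityDescriptor.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
        ForEach-Object { $_.IdentityReference.Value })
    if ($enrollers -notcontains $ConnectorComputer) {
        $findings.Add("Security: $ConnectorComputer does not hold Enroll on the template.")
    }
    $extra = @($enrollers | Where-Object { $_ -ne $ConnectorComputer })
    if ($extra.Count -gt 0) {
        $findings.Add("Security: other principals hold Enroll: $($extra -join ', ')")
    }

    [pscustomobject]@{ Template = $TemplateName; Findings = $findings }
}

Test-IntunePkcsTemplate -TemplateName 'IntunePKCSUser' -ConnectorComputer 'CONTOSO\PFXCONNECTOR01$'
```

An empty Findings list means the template matches this section. Re-run it after any later template change; the connector's Enroll entry and the exportable-key flag are the two settings most often altered by someone tidying up templates without knowing what the Intune connector needs.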

Download, install, and configure the PFX Certificate Connector

Before you begin, review the requirements for the connector and ensure your environment and your Windows server are ready to support it.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Tenant administration > Connectors and tokens > Certificate connectors > + Add.

  3. Select Download the certificate connector software for the connector for PKCS #12, and save the file to a location you can access from the server where you're going to install the connector.

  4. After the download completes, sign in to the server and run the installer (PfxCertificateConnectorBootstrapper.exe).

    • When you accept the default installation location, the connector installs to Program Files\Microsoft Intune\PFXCertificateConnector.
    • The connector service runs under the local system account. If a proxy is required for internet access, confirm that the local service account can access the proxy settings on the server.
  5. The PFX Certificate Connector for Microsoft Intune opens the Enrollment tab after installation. To enable the connection to Intune, select Sign In, and enter an account with Azure global administrator or Intune administrator permissions.

    Warning

    By default, in Windows Server, IE Enhanced Security Configuration is set to On, which can cause issues with the sign-in to Office 365.

  6. Select the CA Account tab, and then enter credentials for an account that has the Issue and Manage Certificates permission on your issuing Certificate Authority. These credentials are used to perform certificate issuance and certificate revocation on the Certificate Authority. (Prior to PFX Certificate Connector version 6.2008.60.612, these credentials were used only for certificate revocation.)

    Apply your changes.

  7. Close the window.

  8. In the Microsoft Endpoint Manager admin center, go back to Tenant administration > Connectors and tokens > Certificate connectors. In a few moments, a green check mark appears and the connection status updates. The connector server can now communicate with Intune.
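When the green check mark in step 8 does not appear, the two facts in step 4 are where to look first: the service runs as the local system account, and that account does not use a user's Internet Options proxy. The check below verifies the default install folder, locates the connector service by its binary path (the article does not give the service name, so it is not assumed), confirms it runs as LocalSystem, and shows the WinHTTP proxy that LocalSystem actually uses. This is an added example, not code from the Intune documentation or from Microsoft; the Test-PfxConnectorInstall function name and the use of $env:ProgramFiles for the drive are assumptions.

```powershell
# Added example, not from the Intune documentation: post-install checks for the PFX Certificate
# Connector, run on the server where it was installed. The install folder is the default from the
# article; the service is found by that path because its name is not given in the article.
function Test-PfxConnectorInstall {
    param([string]$InstallDir = "$env:ProgramFiles\Microsoft Intune\PFXCertificateConnector")

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path -LiteralPath $InstallDir)) {
        $findings.Add("Install folder not found: $InstallDir")
    }

    # The connector service runs as the local system account; locate it by its binary path.
    $svc = @(Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*PFXCertificateConnector*' })
    if ($svc.Count -eq 0) {
        $findings.Add('No Windows service with a binary under the connector folder was found.')
    }
    foreach ($s in $svc) {
        if ($s.State -ne 'Running') {
            $findings.Add("Service '$($s.Name)' is $($s.State), not Running.")
        }
        if ($s.StartName -ne 'LocalSystem') {
            $findings.Add("Service '$($s.Name)' runs as $($s.StartName); expected LocalSystem.")
        }
    }

    # LocalSystem uses the machine-wide WinHTTP proxy, not a user's Internet Options proxy.
    # If your network requires a proxy, this must not report "Direct access (no proxy server)".
    $winhttp = ((& netsh.exe winhttp show proxy) -join ' ').Trim()
    $proxyConfigured = $winhttp -notmatch 'Direct access'

    [pscustomobject]@{
        InstallDir      = $InstallDir
        Services        = @($svc | ForEach-Object { $_.Name })
        WinHttpProxy    = $winhttp
        ProxyConfigured = $proxyConfigured
        Findings        = $findings
    }
}

Test-PfxConnectorInstall
```

If ProxyConfigured is false on a network that requires a proxy, set the WinHTTP proxy (netsh winhttp set proxy) rather than the signed-in user's browser proxy; the latter is invisible to the LocalSystem service.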

Create a trusted certificate profile

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select and go to Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Choose the platform of the devices that will receive this profile.
    • Profile: Select Trusted certificate
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is Trusted certificate profile for entire company.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, specify the .cer file Root CA Certificate you previously exported.

    Note

    Depending on the platform you chose in Step 3, you may or may not have an option to choose the Destination store for the certificate.

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the user or groups that will receive your profile. Plan to deploy this certificate profile to the same groups that receive the PKCS certificate profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. (Applies to Windows 10 only) In Applicability Rules, specify applicability rules to refine the assignment of this profile. You can choose to assign or not assign the profile based on the OS edition or version of a device.

    For more information, see Applicability rules in Create a device profile in Microsoft Intune.

  12. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Create a PKCS certificate profile

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select and go to Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Choose the platform of your devices. Your options:
      • Android device administrator
      • Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile
      • Android Enterprise > Work profile only
      • iOS/iPadOS
      • macOS
      • Windows 10 and later
    • Profile: Select PKCS certificate

    Note

    On devices with an Android Enterprise profile, certificates installed using a PKCS certificate profile are not visible on the device. To confirm successful certificate deployment, check the status of the profile in the Intune console.

  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is PKCS profile for entire company.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, the settings you can configure differ depending on the platform you chose. Select your platform for detailed settings:

    • Android device administrator
    • Android Enterprise
    • iOS/iPadOS
    • Windows 10

    The settings, the platforms they apply to, and their details:

    Setting: Renewal threshold (%)
    Platform: All
    Details: Recommended is 20%.

    Setting: Certificate validity period
    Platform: All
    Details: If you didn't change the certificate template, this option may be set to one year.

    Setting: Key storage provider (KSP)
    Platform: Windows 10
    Details: For Windows, select where to store the keys on the device.

    Setting: Certification authority
    Platform: All
    Details: Displays the internal fully qualified domain name (FQDN) of your Enterprise CA.

    Setting: Certification authority name
    Platform: All
    Details: Lists the name of your Enterprise CA, such as "Contoso Certification Authority".

    Setting: Certificate template name
    Platform: All
    Details: Lists the name of your certificate template.

    Setting: Certificate type
    Platform: Android Enterprise (Work Profile), iOS, macOS, Windows 10 and later
    Details: Select a type:
      • User certificates can contain both user and device attributes in the subject and subject alternative name (SAN) of the certificate.
      • Device certificates can only contain device attributes in the subject and SAN of the certificate. Use Device for scenarios such as user-less devices, like kiosks or other shared devices.
      This selection affects the Subject name format.

    Setting: Subject name format
    Platform: All
    Details: For details on how to configure the subject name format, see Subject name format later in this article. For most platforms, use the Common name option unless otherwise required. For the following platforms, the Subject name format is determined by the certificate type: Android Enterprise (Work Profile), iOS, macOS, and Windows 10 and later.

    Setting: Subject alternative name
    Platform: All
    Details: For Attribute, select User principal name (UPN) unless otherwise required, configure a corresponding Value, and then select Add. You can use variables or static text for the SAN of both certificate types. Use of a variable isn't required. For more information, see Subject name format later in this article.

    Setting: Extended key usage
    Platform: Android device administrator, Android Enterprise (Device Owner, Work Profile), Windows 10
    Details: Certificates usually require Client Authentication so that the user or device can authenticate to a server.

    Setting: Allow all apps access to private key
    Platform: macOS
    Details: Set to Enable to give apps that are configured for the associated Mac device access to the PKCS certificate's private key. For more information on this setting, see AllowAllAppsAccess in the Certificate Payload section of Configuration Profile Reference in the Apple developer documentation.

    Setting: Root Certificate
    Platform: Android device administrator, Android Enterprise (Device Owner, Work Profile)
    Details: Select a root CA certificate profile that was previously assigned.

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the user or groups that will receive your profile. Plan to deploy this certificate profile to the same groups that receive the trusted certificate profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Subject name format

When you create a PKCS certificate profile for the following platforms, the options for the subject name format depend on the Certificate type you select, either User or Device.

Platforms:

  • Android Enterprise (Work Profile)
  • iOS
  • macOS
  • Windows 10 and later

Note

There is a known issue with using PKCS to get certificates, the same issue seen with SCEP, when the subject name in the resulting Certificate Signing Request (CSR) includes one of the following characters as an escaped character (preceded by a backslash \):

  • +
  • ;
  • ,
  • =

User certificate type

Format options for the Subject name format include two variables: Common Name (CN) and Email (E). Common Name (CN) can be set to any of the following variables:

  • CN={{UserName}}: The user principal name of the user, such as janedoe@contoso.com.

  • CN={{AAD_Device_ID}}: An ID assigned when you register a device in Azure Active Directory (AD). This ID is typically used to authenticate with Azure AD.

  • CN={{SERIALNUMBER}}: The unique serial number (SN) typically used by the manufacturer to identify a device.

  • CN={{IMEINumber}}: The International Mobile Equipment Identity (IMEI) unique number used to identify a mobile phone.

  • CN={{OnPrem_Distinguished_Name}}: A sequence of relative distinguished names separated by commas, such as CN=Jane Doe,OU=UserAccounts,DC=corp,DC=contoso,DC=com.

    To use the {{OnPrem_Distinguished_Name}} variable, be sure to sync the onpremisesdistinguishedname user attribute to your Azure AD using Azure AD Connect.

  • CN={{onPremisesSamAccountName}}: Admins can sync the samAccountName attribute from Active Directory to Azure AD using Azure AD Connect into an attribute called onPremisesSamAccountName. Intune can substitute that variable as part of a certificate issuance request in the subject of a certificate. The samAccountName attribute is the user sign-in name used to support clients and servers from a previous version of Windows (pre-Windows 2000). The user sign-in name format is DomainName\testUser, or only testUser.

    To use the {{onPremisesSamAccountName}} variable, be sure to sync the onPremisesSamAccountName user attribute to your Azure AD using Azure AD Connect.

By using a combination of one or more of these variables and static strings, you can create a custom subject name format, such as:

  • CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US

That example includes a subject name format that uses the CN and E variables, and strings for the Organizational Unit, Organization, Location, State, and Country values. The CertStrToName function documentation describes this function and its supported strings.

Device certificate type

Format options for the Subject name format include the following variables:

  • {{AAD_Device_ID}}
  • {{Device_Serial}}
  • {{Device_IMEI}}
  • {{SerialNumber}}
  • {{IMEINumber}}
  • {{AzureADDeviceId}}
  • {{WiFiMacAddress}}
  • {{IMEI}}
  • {{DeviceName}}
  • {{FullyQualifiedDomainName}} (Only applicable for Windows and domain-joined devices)
  • {{MEID}}

You can specify these variables, followed by text for the variable, in the textbox. For example, the common name for a device named Device1 can be added as CN={{DeviceName}}Device1.

Important

  • When you specify a variable, enclose the variable name in curly brackets { } as seen in the example, to avoid an error.
  • Device properties used in the subject or SAN of a device certificate, like IMEI, SerialNumber, and FullyQualifiedDomainName, are properties that could be spoofed by a person with access to the device.
  • A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if {{IMEI}} is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install.
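The variable substitution, the escaped-character known issue in the note above, and the rule that every variable in a profile must be supported by the target device can all be exercised before a profile is assigned. The script below expands a Subject name format string from a set of attribute values, flags any escaped + ; , = in the result, parses the result with X500DistinguishedName (the .NET wrapper around the CertStrToName function this section refers to), and treats an unsupported variable as an error. This is an added example, not code from the Intune documentation or from Microsoft, and it models the substitution rather than reproducing Intune's own implementation; the two function names and all sample attribute values are constructed for this example.

```powershell
# Added example, not from the Intune documentation: expand a Subject name format with the
# variables described in this section, then check the result for the escaped characters behind
# the known CSR issue (+ ; , = preceded by a backslash) and confirm it parses as an X.500 name.
# Function names and the sample attribute values are constructed for this example.
function Expand-SubjectNameFormat {
    param(
        [Parameter(Mandatory)][string]$Format,
        [Parameter(Mandatory)][hashtable]$Attributes   # values the target user or device can supply
    )
    $result = $Format
    foreach ($m in [regex]::Matches($Format, '\{\{(\w+)\}\}')) {
        $name = $m.Groups[1].Value
        # A variable the target cannot supply is an error, matching the note that such a
        # profile fails to install on that device.
        if (-not $Attributes.ContainsKey($name)) { throw "Variable {{$name}} is not supported by this target" }
        $result = $result.Replace($m.Value, [string]$Attributes[$name])
    }
    $result
}

function Test-SubjectNameEscapes {
    param([Parameter(Mandatory)][string]$Subject)
    # Escaped + ; , = are the characters the known issue concerns.
    $hits = @([regex]::Matches($Subject, '\\[+;,=]') | ForEach-Object { $_.Value })
    # X500DistinguishedName wraps CertStrToName; a string it rejects would fail in the CSR too.
    try {
        $parsed = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($Subject).Format($true)
    } catch {
        $parsed = "PARSE ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Subject        = $Subject
        EscapedSpecial = $hits
        HasKnownIssue  = ($hits.Count -gt 0)
        Parsed         = $parsed
    }
}

# Constructed sample user; the on-premises DN has an escaped comma in its CN ("Doe\, Jane").
$user = @{
    UserName                  = 'janedoe@contoso.com'
    EmailAddress              = 'janedoe@contoso.com'
    OnPrem_Distinguished_Name = 'CN=Doe\, Jane,OU=UserAccounts,DC=corp,DC=contoso,DC=com'
}

# The article's custom format: CN and E variables plus static OU/O/L/ST/C strings. No escapes; parses cleanly.
$format1 = 'CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US'
Test-SubjectNameEscapes -Subject (Expand-SubjectNameFormat -Format $format1 -Attributes $user)

# Expanding the on-premises DN pulls the escaped comma into the subject, so HasKnownIssue is true.
Test-SubjectNameEscapes -Subject (Expand-SubjectNameFormat -Format '{{OnPrem_Distinguished_Name}}' -Attributes $user)

# A device-only variable on a target that does not provide it throws, as the Important note describes.
try { Expand-SubjectNameFormat -Format 'CN={{IMEI}}' -Attributes $user } catch { Write-Warning $_ }
```

Run it over the attribute values of a few representative users or devices before assigning the profile: a HasKnownIssue result for a user whose directory name contains a comma or plus sign tells you in advance that {{OnPrem_Distinguished_Name}} is the wrong variable for that population, and a thrown "not supported" error identifies a device type that will report the profile as failed.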

Next steps

Use SCEP for certificates, or issue PKCS certificates from a Symantec PKI manager web service.

Troubleshoot PKCS certificate profiles