Install certificates required for Visual Studio offline installation

Visual Studio is primarily designed to be installed on an internet-connected machine, since many components are updated regularly. However, with some extra steps, it's possible to deploy Visual Studio in an environment where a working internet connection is unavailable.

The Visual Studio setup engine installs only content that is trusted. It does this by checking Authenticode signatures of the content being downloaded and verifying that all content is trusted before installing it. This keeps your environment safe from attacks where the download location is compromised. Visual Studio setup therefore requires that several standard Microsoft root and intermediate certificates are installed and up to date on a user's machine. If the machine has been kept up to date with Windows Update, signing certificates usually are up to date. If the machine is connected to the internet, during installation Visual Studio may refresh certificates as necessary to verify file signatures. If the machine is offline, the certificates must be refreshed another way.

How to refresh certificates when offline

There are three options for installing or updating certificates in an offline environment.

Option 1 - Manually install certificates from a layout folder

When you create a network layout, the necessary certificates are downloaded to the Certificates folder. You can then manually install the certificates by double-clicking each of the certificate files, and then clicking through the Certificate Manager wizard. If asked for a password, leave it blank.

Update: For Visual Studio 2017 version 15.8 Preview 2 or later, you can manually install the certificates by right-clicking each of the certificate files, selecting Install Certificate, and then clicking through the Certificate Manager wizard.

When you create a network layout, the necessary certificates are downloaded to the Certificates folder. You can manually install the certificates by right-clicking each of the certificate files, selecting Install Certificate, and then clicking through the Certificate Manager wizard. If asked for a password, leave it blank.

Option 2 - Distribute trusted root certificates in an enterprise environment

For enterprises with offline machines that do not have the latest root certificates, an administrator can use the instructions on the Configure Trusted Roots and Disallowed Certificates page to update them.

Option 3 - Install certificates as part of a scripted deployment of Visual Studio

If you are scripting the deployment of Visual Studio in an offline environment to client workstations, you should follow these steps:

  1. Copy the Certificate Manager Tool (certmgr.exe) to the installation share (for example, \\server\share\vs2017). Certmgr.exe is not included as part of Windows itself, but is available as part of the Windows SDK.

  2. Create a batch file with the following commands:

    certmgr.exe -add -c certificates\manifestSignCertificates.p12 -n "Microsoft Code Signing PCA 2011" -s -r LocalMachine CA
    
    certmgr.exe -add -c certificates\manifestSignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root
    
    certmgr.exe -add -c certificates\manifestCounterSignCertificates.p12 -n "Microsoft Time-Stamp PCA 2010" -s -r LocalMachine CA
    
    certmgr.exe -add -c certificates\manifestCounterSignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root
    
    certmgr.exe -add -c certificates\vs_installer_opc.SignCertificates.p12 -n "Microsoft Code Signing PCA" -s -r LocalMachine CA
    
    certmgr.exe -add -c certificates\vs_installer_opc.SignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root
    

    Update: For Visual Studio 2017 version 15.8 Preview 2 or later, create the batch file with the following commands:

    certmgr.exe -add [layout path]\certificates\manifestRootCertificate.cer -n "Microsoft Root Certificate Authority 2011" -s -r LocalMachine root
    
    certmgr.exe -add [layout path]\certificates\manifestCounterSignRootCertificate.cer -n "Microsoft Root Certificate Authority 2010" -s -r LocalMachine root
    
    certmgr.exe -add [layout path]\certificates\vs_installer_opc.RootCertificate.cer -n "Microsoft Root Certificate Authority" -s -r LocalMachine root
    

    Alternatively, create a batch file that uses certutil.exe, which ships with Windows, with the following commands:

    certutil.exe -addstore -f "Root" "[layout path]\certificates\manifestRootCertificate.cer"
    
    certutil.exe -addstore -f "Root" "[layout path]\certificates\manifestCounterSignRootCertificate.cer"
    
    certutil.exe -addstore -f "Root" "[layout path]\certificates\vs_installer_opc.RootCertificate.cer"
    
  3. Deploy the batch file to the client. This command should be run from an elevated process.

  1. Copy the Certificate Manager Tool (certmgr.exe) to the installation share (for example, \\server\share\vs2019). Certmgr.exe is not included as part of Windows itself, but is available as part of the Windows SDK.

  2. Create a batch file with the following commands:

    certmgr.exe -add [layout path]\certificates\manifestRootCertificate.cer -n "Microsoft Root Certificate Authority 2011" -s -r LocalMachine root
    
    certmgr.exe -add [layout path]\certificates\manifestCounterSignRootCertificate.cer -n "Microsoft Root Certificate Authority 2010" -s -r LocalMachine root
    
    certmgr.exe -add [layout path]\certificates\vs_installer_opc.RootCertificate.cer -n "Microsoft Root Certificate Authority" -s -r LocalMachine root
    

    Alternatively, create a batch file that uses certutil.exe, which ships with Windows, with the following commands:

    certutil.exe -addstore -f "Root" "[layout path]\certificates\manifestRootCertificate.cer"
    
    certutil.exe -addstore -f "Root" "[layout path]\certificates\manifestCounterSignRootCertificate.cer"
    
    certutil.exe -addstore -f "Root" "[layout path]\certificates\vs_installer_opc.RootCertificate.cer"
    
  3. Deploy the batch file to the client. This command should be run from an elevated process.

What are the certificates files in the Certificates folder?

The three .P12 files in this folder each contain an intermediate certificate and a root certificate. Most systems that are current with Windows Update have these certificates already installed.

  • ManifestSignCertificates.p12 contains:
    • Intermediate certificate: Microsoft Code Signing PCA 2011
      • Not required. Improves performance in some scenarios if present.
    • Root certificate: Microsoft Root Certificate Authority 2011
      • Required on Windows 7 Service Pack 1 systems that do not have the latest Windows Updates installed.
  • ManifestCounterSignCertificates.p12 contains:
    • Intermediate certificate: Microsoft Time-Stamp PCA 2010
      • Not required. Improves performance in some scenarios if present.
    • Root certificate: Microsoft Root Certificate Authority 2010
      • Required for Windows 7 Service Pack 1 systems that do not have the latest Windows Updates installed.
  • Vs_installer_opc.SignCertificates.p12 contains:
    • Intermediate certificate: Microsoft Code Signing PCA
      • Required for all systems. Note that systems with all updates applied from Windows Update might not have this certificate.
    • Root certificate: Microsoft Root Certificate Authority
      • Required. This certificate ships with systems running Windows 7 or later.

Update: For Visual Studio 2017 version 15.8 Preview 2 or later, the Visual Studio Installer requires only the root certificates to be installed on the system. These certificates are stored in .cer files instead of .p12.

  • ManifestSignCertificates.cer contains:
    • Root certificate: Microsoft Root Certificate Authority 2011
      • Required on Windows 7 Service Pack 1 systems that do not have the latest Windows Updates installed.
  • ManifestCounterSignCertificates.cer contains:
    • Root certificate: Microsoft Root Certificate Authority 2010
      • Required for Windows 7 Service Pack 1 systems that do not have the latest Windows Updates installed.
  • Vs_installer_opc.SignCertificates.cer contains:
    • Root certificate: Microsoft Root Certificate Authority
      • Required. This certificate ships with systems running Windows 7 or later.

The Visual Studio Installer requires only the root certificates to be installed on the system.

Why are the certificates from the Certificates folder not installed automatically?

When a signature is verified in an online environment, Windows APIs are used to download and add the certificates to the system. Verification that the certificate is trusted and allowed via administrative settings occurs during this process. This verification process cannot occur in most offline environments. Installing the certificates manually allows enterprise administrators to ensure the certificates are trusted and meet the security policy of their organization.
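
Because the online trust check does not happen offline, an administrator can inspect the layout's .cer files before importing them. The following PowerShell is an added example, not part of the original page or of Visual Studio setup; the function name, the `-LayoutPath` parameter and the sample path are assumptions. It prints each file's thumbprint so it can be compared against the values your organization has approved.

```powershell
# Added example, not from the original page.
function Get-LayoutCertificateReport {
    param(
        # Hypothetical parameter: the folder this page writes as [layout path].
        [Parameter(Mandatory)] [string]$LayoutPath
    )
    $certDir      = Join-Path $LayoutPath 'certificates'
    $machineRoots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
    $now          = Get-Date

    Get-ChildItem -Path $certDir -Filter *.cer | ForEach-Object {
        # Load the file without adding it to any store.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName
        [pscustomobject]@{
            File            = $_.Name
            IssuedTo        = $cert.GetNameInfo('SimpleName', $false)
            # Name comparison only: a root is expected to name itself as issuer.
            # This does not verify the signature.
            SubjectIsIssuer = $cert.Subject -eq $cert.Issuer
            InValidity      = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
            Thumbprint      = $cert.Thumbprint
            # True when the same certificate is already trusted machine-wide.
            AlreadyInRoot   = $machineRoots.Thumbprint -contains $cert.Thumbprint
        }
    }
}

# Constructed path for illustration; substitute the real layout location.
Get-LayoutCertificateReport -LayoutPath 'D:\vslayout' | Format-List
```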

Checking if certificates are already installed

One way to check on the installing system is to follow these steps:

  1. Run mmc.exe.
    a. Click File, and then select Add/Remove Snap-in.
    b. Double-click Certificates, select Computer account, and then click Next.
    c. Select Local computer, click Finish, and then click OK.
    d. Expand Certificates (Local Computer).
    e. Expand Trusted Root Certification Authorities, and then select Certificates.

    • Check this list for the necessary root certificates.

    f. Expand Intermediate Certification Authorities, and then select Certificates.

    • Check this list for the required intermediate certificates.
  2. Click File, and then select Add/Remove Snap-in.
    a. Double-click Certificates, select My user account, click Finish, and then click OK.
    b. Expand Certificates – Current User.
    c. Expand Intermediate Certification Authorities, and then select Certificates.

    • Check this list for the required intermediate certificates.

If the certificate names are not in the Issued To column, the certificates must be installed. If an intermediate certificate is only in the Current User Intermediate Certificate store, then it is available only to the user that is logged in. You might need to install it for other users.
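
The same check can be scripted for use across many workstations. The following PowerShell is an added example, not part of the original page; the function name is an assumption, and the certificate names are the Issued To values listed on this page. It looks for the roots in the local machine store and for the intermediates in the local machine store first, then the current user store.

```powershell
# Added example, not from the original page. Names are the "Issued To"
# values this page lists; store paths mirror the MMC steps above.
$roots = @(
    'Microsoft Root Certificate Authority'
    'Microsoft Root Certificate Authority 2010'
    'Microsoft Root Certificate Authority 2011'
)
$intermediates = @(
    'Microsoft Code Signing PCA'
    'Microsoft Code Signing PCA 2011'
    'Microsoft Time-Stamp PCA 2010'
)

function Find-IssuedTo {
    param([string]$Name, [string]$Store, [string[]]$Locations)
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($location in $Locations) {
        # Exact match on the subject's simple name, so the plain
        # "Microsoft Root Certificate Authority" does not match the 2010/2011 roots.
        $hit = Get-ChildItem -Path "Cert:\$location\$Store" |
            Where-Object { $_.GetNameInfo($simple, $false) -eq $Name } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
        if ($hit) {
            return [pscustomobject]@{
                IssuedTo   = $Name
                Store      = $Store
                FoundIn    = $location
                Expired    = $hit.NotAfter -lt (Get-Date)
                Thumbprint = $hit.Thumbprint
            }
        }
    }
    # Not found in any of the requested locations.
    [pscustomobject]@{ IssuedTo = $Name; Store = $Store; FoundIn = 'MISSING'
                       Expired = $null; Thumbprint = $null }
}

$report = @(
    $roots         | ForEach-Object { Find-IssuedTo $_ 'Root' @('LocalMachine') }
    $intermediates | ForEach-Object { Find-IssuedTo $_ 'CA' @('LocalMachine', 'CurrentUser') }
)
$report | Format-Table -AutoSize
```

A `FoundIn` value of `CurrentUser` for an intermediate is the per-user case described above: the certificate is available only to the account that ran the script.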

Install Visual Studio

After you install the certificates, deployment of Visual Studio can proceed by using the instructions from the Deploying from a network installation section of the "Create a network installation of Visual Studio" page.

Get support

Sometimes, things can go wrong. If your Visual Studio installation fails, see Troubleshoot Visual Studio installation and upgrade issues for step-by-step guidance.

We also offer a live chat (English only) support option for installation-related issues.
