Install trusted TPM root certificates

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

When you configure HGS to use TPM attestation, you also need to configure HGS to trust the vendors of the TPMs in your servers. This extra verification step ensures that only authentic, trustworthy TPMs are able to attest with your HGS. If you try to register an untrusted TPM with Add-HgsAttestationTpmHost, you will receive an error indicating that the TPM vendor is untrusted.

To trust your TPMs, the root and intermediate signing certificates used to sign the endorsement keys in your servers' TPMs need to be installed on HGS. If you use more than one TPM model in your datacenter, you may need to install different certificates for each model. HGS looks in the "TrustedTPM_RootCA" and "TrustedTPM_IntermediateCA" certificate stores for the vendor certificates.

Note

The TPM vendor certificates are different from those installed by default in Windows; they are the specific root and intermediate certificates used by TPM vendors.

For convenience, Microsoft publishes a collection of trusted TPM root and intermediate certificates. You can use the steps below to install these certificates. If your TPM certificates are not included in the package below, contact your TPM vendor or server OEM to obtain the root and intermediate certificates for your specific TPM model.

Repeat the following steps on every HGS server:

  1. Download the latest package from https://go.microsoft.com/fwlink/?linkid=2097925.

  2. Verify the signature of the cab file to ensure its authenticity. Do not proceed if the signature is not valid.

    Get-AuthenticodeSignature .\TrustedTpm.cab
    

    Here's some example output:

    Directory: C:\Users\Administrator\Downloads
    
    SignerCertificate                         Status                                 Path
    -----------------                         ------                                 ----
    0DD6D4D4F46C0C7C2671962C4D361D607E370940  Valid                                  TrustedTpm.cab
    
  3. Expand the cab file.

    mkdir .\TrustedTPM
    expand.exe -F:* <Path-To-TrustedTpm.cab> .\TrustedTPM
    
  4. By default, the configuration script installs certificates for every TPM vendor. If you only want to import certificates for your specific TPM vendor, delete the folders for the TPM vendors your organization does not trust.

  5. Install the trusted certificate package by running the setup script in the expanded folder.

    cd .\TrustedTPM
    .\setup.cmd
    
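The five steps above, carried out end to end on one HGS node, as an added PowerShell example that is not part of the original page. Beyond the page's own steps it adds two checks a practitioner would want: it rejects the package if the Authenticode signer is not Microsoft (a `Valid` status alone only proves the signature chains to a trusted root, not who signed), and after `setup.cmd` runs it lists the two stores the page says HGS reads. Assumptions: the script runs in an elevated PowerShell session on the HGS node; the download URL and store names are those from the page; `$keepVendors` is a placeholder list, and the vendor folder names you put in it must match the folder names that actually appear in the expanded cab.

```powershell
# Added example (not from the original page): install the TrustedTpm.cab package on one
# HGS node with the signature gate the page requires, then show what HGS will trust.
# Run in an elevated PowerShell session on the HGS node (assumption: setup.cmd writes to
# LocalMachine stores, which needs administrator rights). Repeat on every HGS node.

$cabUrl      = 'https://go.microsoft.com/fwlink/?linkid=2097925'   # URL from the page
$cabPath     = Join-Path $env:USERPROFILE 'Downloads\TrustedTpm.cab'
$workDir     = Join-Path $env:USERPROFILE 'Downloads\TrustedTPM'
$keepVendors = @()   # empty = install every vendor; otherwise vendor folder names, e.g. @('Infineon')
                     # (placeholder names; use the folders present in the expanded cab)

# Step 1: download the latest package.
Invoke-WebRequest -Uri $cabUrl -OutFile $cabPath -UseBasicParsing

# Step 2: verify the Authenticode signature and stop if it is not valid.
# Extra check not on the page: also require the signer to be Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $cabPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)' for $cabPath; not proceeding."
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer '$($sig.SignerCertificate.Subject)'; not proceeding."
}

# Step 3: expand the cab into a clean folder (one subfolder per TPM vendor).
if (Test-Path $workDir) { Remove-Item -Path $workDir -Recurse -Force }
New-Item -ItemType Directory -Path $workDir | Out-Null
& expand.exe '-F:*' $cabPath $workDir | Out-Null

# Step 4: optionally delete the vendor folders your organization does not trust,
# so setup.cmd only installs certificates for the vendors you keep.
if ($keepVendors.Count -gt 0) {
    Get-ChildItem -Path $workDir -Directory |
        Where-Object { $keepVendors -notcontains $_.Name } |
        ForEach-Object {
            Write-Host "Skipping untrusted vendor folder: $($_.Name)"
            Remove-Item -Path $_.FullName -Recurse -Force
        }
}

# Step 5: run the package's setup script from inside the expanded folder.
Push-Location $workDir
try     { & .\setup.cmd }
finally { Pop-Location }

# Post-install check: list the certificates now present in the two stores HGS reads.
# The Cert: drive exposes these stores under LocalMachine once setup.cmd has created them.
foreach ($store in 'TrustedTPM_RootCA', 'TrustedTPM_IntermediateCA') {
    $certs = @(Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue)
    Write-Host ("{0}: {1} certificate(s)" -f $store, $certs.Count)
    $certs | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
}
```

If the final listing shows zero certificates in either store, setup.cmd did not run with enough privilege or the vendor folders were removed before it ran; fix that before attempting Add-HgsAttestationTpmHost, which will otherwise fail with the untrusted-vendor error described above.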

To add new certificates, or ones you intentionally skipped during an earlier installation, simply repeat the above steps on every node in your HGS cluster. Existing certificates remain trusted, and new certificates found in the expanded cab file are added to the trusted TPM stores.

Next step