ClientCertificateInstall CSP

The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the [UniqueID] for this configuration. Each client certificate must have a different UniqueID for the SCEP enrollment request.

For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.

Note

Currently in Windows 10, version 1511, when using ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.

You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.

The following shows the ClientCertificateInstall configuration service provider in tree format.

./Vendor/MSFT
ClientCertificateInstall
----PFXCertInstall
--------UniqueID
------------KeyLocation
------------ContainerName
------------PFXCertBlob
------------PFXCertPassword
------------PFXCertPasswordEncryptionType
------------PFXKeyExportable
------------Thumbprint
------------Status
------------PFXCertPasswordEncryptionStore (Added in Windows 10, version 1511)
----SCEP
--------UniqueID
------------Install
----------------ServerURL
----------------Challenge
----------------EKUMapping
----------------KeyUsage
----------------SubjectName
----------------KeyProtection
----------------RetryDelay
----------------RetryCount
----------------TemplateName
----------------KeyLength
----------------HashAlgorithm
----------------CAThumbprint
----------------SubjectAlternativeNames
----------------ValidPeriod
----------------ValidPeriodUnits
----------------ContainerName
----------------CustomTextToShowInPrompt
----------------Enroll
----------------AADKeyIdentifierList (Added in Windows 10, version 1703)
------------CertThumbprint
------------Status
------------ErrorCode
------------RespondentServerUrl

Device or User
For device certificates, use the ./Device/Vendor/MSFT path, and for user certificates use the ./User/Vendor/MSFT path.

ClientCertificateInstall
The root node for the ClientCertificateInstall configuration service provider.

ClientCertificateInstall/PFXCertInstall
Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.

Supported operation is Get.

ClientCertificateInstall/PFXCertInstall/UniqueID
Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.

The data type format is node.

Supported operations are Get, Add, and Replace.

Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.

ClientCertificateInstall/PFXCertInstall/UniqueID/KeyLocation
Required for PFX certificate installation. Indicates the key storage provider to target the private key installation to.

Supported operations are Get, Add, and Replace.

The data type is an integer corresponding to one of the following values:

Value  Description
1      Install to TPM if present, fail if not present.
2      Install to TPM if present. If not present, fall back to software.
3      Install to software.
4      Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified.

ClientCertificateInstall/PFXCertInstall/UniqueID/ContainerName
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if the Windows Hello for Business key storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when the Windows Hello for Business KSP is chosen, enrollment will fail.

Data type is string.

Supported operations are Get, Add, Delete, and Replace.

ClientCertificateInstall/PFXCertInstall/UniqueID/PFXCertBlob
A CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition of the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (ContainerName, KeyLocation, PFXCertPassword, PFXKeyExportable) are present before this is called. This also sets the Status node to the current status of the operation.

The data type format is binary.

Supported operations are Get, Add, and Replace.

If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.

If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, the Replace operation on this node will fail.

In other words, using Replace or Add results in either overwriting the old certificate or adding a new certificate. The CRYPT_DATA_BLOB structure is documented under CRYPT_INTEGER_BLOB.

ClientCertificateInstall/PFXCertInstall/UniqueID/PFXCertPassword
Password that protects the PFX blob. This is required if the PFX is password protected.

Data type is string.

Supported operations are Get, Add, and Replace.

ClientCertificateInstall/PFXCertInstall/UniqueID/PFXCertPasswordEncryptionType
Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server.

The data type is int. Valid values:

  • 0 - Password is not encrypted.
  • 1 - Password is encrypted with the MDM certificate.
  • 2 - Password is encrypted with a custom certificate.

When PFXCertPasswordEncryptionType=2, you must specify the store name in the PFXCertPasswordEncryptionStore setting.

Supported operations are Get, Add, and Replace.

ClientCertificateInstall/PFXCertInstall/UniqueID/PFXKeyExportable
Optional. Used to specify whether the installed private key is exportable (and can be exported later). The PFX is not exportable when it is installed to the TPM.

Note

You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.

The data type is bool.

Supported operations are Get, Add, and Replace.

ClientCertificateInstall/PFXCertInstall/UniqueID/Thumbprint
Returns the thumbprint of the installed PFX certificate.

The data type is string.

Supported operation is Get.

ClientCertificateInstall/PFXCertInstall/UniqueID/Status
Required. Returns the error code of the PFX installation from the GetLastError call made after PFXImportCertStore.

Data type is integer.

Supported operation is Get.

ClientCertificateInstall/PFXCertInstall/UniqueID/PFXCertPasswordEncryptionStore
Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType=2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.

Data type is string.

Supported operations are Add, Get, and Replace.
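The PFX nodes above carry several cross-node rules: KeyLocation takes only the values 1 to 4, PFXKeyExportable may be true only with KeyLocation=3, the Windows Hello for Business KSP needs a ContainerName, and PFXCertPasswordEncryptionType=2 needs a PFXCertPasswordEncryptionStore. As an added example that is not part of this documentation or of any Microsoft code, the following Python pre-flight check applies those rules on the MDM server side before the SyncML is sent, so a bad combination surfaces as a named violation rather than only as a Status error on the device. SAMPLE_BLOB_B64 and the sample_settings() baseline are constructed placeholders, not a real PFX, and the DER-tag check on the decoded blob is this example's own sanity check, not something the CSP documents.

```python
import base64

# KeyLocation values from the node description.
KEYLOC_TPM_REQUIRED = 1
KEYLOC_TPM_OR_SOFTWARE = 2
KEYLOC_SOFTWARE = 3
KEYLOC_HELLO_FOR_BUSINESS = 4

# PFXCertPasswordEncryptionType values from the node description.
PWENC_NONE = 0
PWENC_MDM_CERT = 1
PWENC_CUSTOM_CERT = 2

# Constructed stand-in for a PFX blob: a minimal DER SEQUENCE, not a real PKCS#12 file.
SAMPLE_BLOB_B64 = base64.b64encode(b"\x30\x03\x02\x01\x03").decode("ascii")


def validate_pfx_install(settings):
    """Return the list of documented constraints the payload violates.

    `settings` maps node names under PFXCertInstall/<UniqueID> to their values.
    An empty list means the payload is consistent with the node descriptions.
    """
    problems = []
    key_location = settings.get("KeyLocation")

    if key_location not in (KEYLOC_TPM_REQUIRED, KEYLOC_TPM_OR_SOFTWARE,
                            KEYLOC_SOFTWARE, KEYLOC_HELLO_FOR_BUSINESS):
        problems.append("KeyLocation must be 1, 2, 3 or 4")

    # The Windows Hello for Business KSP needs a container name or enrollment fails.
    if key_location == KEYLOC_HELLO_FOR_BUSINESS and not settings.get("ContainerName"):
        problems.append("ContainerName is required when KeyLocation=4")

    # The private key may be marked exportable only when it goes to the software KSP.
    if settings.get("PFXKeyExportable") and key_location != KEYLOC_SOFTWARE:
        problems.append("PFXKeyExportable=true is only allowed with KeyLocation=3")

    enc_type = settings.get("PFXCertPasswordEncryptionType", PWENC_NONE)
    if enc_type not in (PWENC_NONE, PWENC_MDM_CERT, PWENC_CUSTOM_CERT):
        problems.append("PFXCertPasswordEncryptionType must be 0, 1 or 2")
    elif enc_type == PWENC_CUSTOM_CERT and not settings.get("PFXCertPasswordEncryptionStore"):
        problems.append("PFXCertPasswordEncryptionStore is required when "
                        "PFXCertPasswordEncryptionType=2")

    blob = settings.get("PFXCertBlob")
    if not blob:
        problems.append("PFXCertBlob is required")
    else:
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("PFXCertBlob is not valid base64")
        else:
            # A PKCS#12 file is DER encoded, so its first byte is the SEQUENCE tag (0x30).
            if not raw or raw[0] != 0x30:
                problems.append("PFXCertBlob does not look like a DER-encoded PFX")
    return problems


def sample_settings(**overrides):
    """Constructed baseline: software KSP, exportable key, custom-cert password encryption."""
    base = {
        "KeyLocation": KEYLOC_SOFTWARE,
        "PFXKeyExportable": True,
        "PFXCertBlob": SAMPLE_BLOB_B64,
        "PFXCertPassword": "<encrypted-password-placeholder>",
        "PFXCertPasswordEncryptionType": PWENC_CUSTOM_CERT,
        "PFXCertPasswordEncryptionStore": "My",
    }
    base.update(overrides)
    return base


if __name__ == "__main__":
    print(validate_pfx_install(sample_settings()))               # []
    print(validate_pfx_install(sample_settings(KeyLocation=2)))  # exportable key rejected
```

Run the check on the dictionary the server is about to serialize; anything it returns would otherwise fail inside the atomic block on the device and leave the enrollment half-configured.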

ClientCertificateInstall/SCEP
Node for SCEP.

Note

An alert is sent after the SCEP certificate is installed.

ClientCertificateInstall/SCEP/UniqueID
A unique ID to differentiate different certificate installation requests.

ClientCertificateInstall/SCEP/UniqueID/Install
A node required for SCEP certificate enrollment. Parent node to group SCEP certificate installation related requests.

Supported operations are Get, Add, Replace, and Delete.

Note

Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will use the values that were set when the Exec command was accepted. The server should not expect node value changes to take effect after the Exec command is accepted, as they would affect the enrollment currently underway. The server should check the Status node value and make sure the device is not in an unknown state before changing child node values.

ClientCertificateInstall/SCEP/UniqueID/Install/ServerURL
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.

Data type is string.

Supported operations are Get, Add, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/Challenge
Required for SCEP certificate enrollment. Base64-encoded SCEP enrollment challenge. The challenge is deleted shortly after the Exec command is accepted.

Data type is string.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/EKUMapping
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs is separated by a plus sign (+). For example, OID1+OID2+OID3.

Data type is string.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/SubjectName
Required. Specifies the subject name.

The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: ("," "=" "+" ";").

For more details, see the CertNameToStrA function.

Data type is string.

Supported operations are Add, Get, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/KeyProtection
Optional. Specifies where to keep the private key.

Note

Even if the private key is protected by the TPM, it is not protected with a TPM PIN.

The data type is an integer corresponding to one of the following values:

Value  Description
1      Private key protected by TPM.
2      Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1.
3      (Default) Private key saved in software KSP.
4      Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/KeyUsage
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20) bit, the fourth (0x80) bit, or both set. If the value doesn't have those bits set, configuration will fail.

Data type is integer.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/RetryDelay
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.

Data type is integer.

The default value is 5.

The minimum value is 1.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/RetryCount
Optional. Unique to SCEP. Specifies the number of device retries when the SCEP server sends a pending status.

Data type is integer.

Default value is 3.

Maximum value is 30. If the value is larger than 30, the device will use 30.

Minimum value is 0, which indicates no retry.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/TemplateName
Optional. OID of the certificate template name.

Note

This name is typically ignored by the SCEP server; therefore the MDM server typically doesn't need to provide it.

Data type is string.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/KeyLength
Required for enrollment. Specifies the private key length (RSA).

Data type is integer.

Valid values are 1024, 2048, and 4096.

For Windows Hello for Business (formerly known as Microsoft Passport for Work), only 2048 is the supported key length.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/HashAlgorithm
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +.

For Windows Hello for Business, only SHA256 is the supported algorithm.

Data type is string.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/CAThumbprint
Required. Specifies the root CA thumbprint. This is the 20-byte SHA1 hash of the certificate, specified as a hexadecimal string value. When the client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.

Data type is string.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/SubjectAlternativeNames
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.

Each pair is separated by a semicolon. For example, multiple SANs are presented in the format [name format1]+[actual name1];[name format2]+[actual name2].

Data type is string.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/ValidPeriod
Optional. Specifies the units for the valid certificate period.

Data type is string.

Valid values are:

  • Days (Default)
  • Months
  • Years

Note

The device only sends the MDM server's expected certificate validity period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of the certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/ValidPeriodUnits
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. Note that the valid period specified by the MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, the total valid duration is 30 days.

Data type is string.

Note

The device only sends the MDM server's expected certificate validity period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of the certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/ContainerName
Optional. Specifies the Windows Hello for Business container name (if the Windows Hello for Business KSP is chosen for the node). If this node is not specified when the Windows Hello for Business KSP is chosen, the enrollment will fail.

Data type is string.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/CustomTextToShowInPrompt
Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.

Data type is string.

Supported operations are Add, Get, Delete, and Replace.

ClientCertificateInstall/SCEP/UniqueID/Install/Enroll
Required. Triggers the device to start the certificate enrollment. The device will not notify the MDM server after certificate enrollment is done. The MDM server can later query the device to find out whether a new certificate was added.

The data type format is Null, meaning this node doesn't contain a value.

The only supported operation is Execute.

ClientCertificateInstall/SCEP/UniqueID/Install/AADKeyIdentifierList
Optional. Specifies the AAD Key Identifier List as a list of semicolon-separated values. On Enroll, the values in this list are validated against the AAD key present on the device. If no match is found, enrollment will fail.

Data type is string.

Supported operations are Add, Get, Delete, and Replace.
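The Install child nodes above, together with the atomic-block rule from the introduction (Enroll last), are what an MDM server has to assemble correctly for each SCEP request. As an added example that is not part of this page or of any Microsoft code, the following Python builder checks the documented constraints (required nodes, KeyUsage bits 0x80/0x20, KeyLength values, Windows Hello for Business needing a ContainerName, a 2048-bit key and SHA256, RetryDelay/RetryCount bounds, a 40-hex-digit CAThumbprint) and emits one Atomic block whose last command is the Enroll Exec. The server URL, challenge, thumbprint and UniqueID in sample_scep_settings() are constructed placeholders; ValidPeriodUnits is sent as int because the page's own SyncML example does so, and the CAThumbprint check follows the 20-byte SHA1 text above rather than the shorter placeholder in that example.

```python
import re
from xml.sax.saxutils import escape

# KeyUsage bits named in the KeyUsage node description (at least one must be set).
KU_DIGITAL_SIGNATURE = 0x80
KU_KEY_ENCIPHERMENT = 0x20
KEYPROT_HELLO_FOR_BUSINESS = 4          # KeyProtection value that requires ContainerName
VALID_KEY_LENGTHS = (1024, 2048, 4096)
RETRY_COUNT_MAX = 30

# Install child nodes with the SyncML <Format> used for each, in tree order.
INSTALL_NODES = [
    ("ServerURL", "chr"), ("Challenge", "chr"), ("EKUMapping", "chr"), ("KeyUsage", "int"),
    ("SubjectName", "chr"), ("KeyProtection", "int"), ("RetryDelay", "int"),
    ("RetryCount", "int"), ("TemplateName", "chr"), ("KeyLength", "int"),
    ("HashAlgorithm", "chr"), ("CAThumbprint", "chr"), ("SubjectAlternativeNames", "chr"),
    ("ValidPeriod", "chr"), ("ValidPeriodUnits", "int"), ("ContainerName", "chr"),
    ("CustomTextToShowInPrompt", "chr"), ("AADKeyIdentifierList", "chr"),
]
REQUIRED = ("ServerURL", "Challenge", "EKUMapping", "KeyUsage", "SubjectName",
            "KeyLength", "HashAlgorithm", "CAThumbprint")


def check_scep_install(s):
    """Return the documented constraints that the Install settings `s` violate."""
    problems = [f"{name} is required" for name in REQUIRED if name not in s]
    if not s.get("KeyUsage", 0) & (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT):
        problems.append("KeyUsage must set 0x80 or 0x20 (or both)")
    if s.get("KeyLength") not in VALID_KEY_LENGTHS:
        problems.append("KeyLength must be 1024, 2048 or 4096")
    if s.get("KeyProtection") == KEYPROT_HELLO_FOR_BUSINESS:
        if not s.get("ContainerName"):
            problems.append("ContainerName is required when KeyProtection=4")
        if s.get("KeyLength") != 2048:
            problems.append("Windows Hello for Business supports only KeyLength 2048")
        if s.get("HashAlgorithm") != "SHA256":
            problems.append("Windows Hello for Business supports only SHA256")
    if "RetryDelay" in s and s["RetryDelay"] < 1:
        problems.append("RetryDelay minimum is 1 (minute)")
    if "RetryCount" in s and not 0 <= s["RetryCount"] <= RETRY_COUNT_MAX:
        problems.append("RetryCount must be 0..30 (the device clamps larger values to 30)")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", str(s.get("CAThumbprint", ""))):
        problems.append("CAThumbprint must be the 20-byte SHA1 hash as 40 hex digits")
    return problems


def build_scep_install(unique_id, s, scope="Device", first_cmd_id=301):
    """Return (syncml_text, [(verb, leaf_node), ...]) for an Atomic SCEP enrollment block."""
    problems = check_scep_install(s)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"./{scope}/Vendor/MSFT/ClientCertificateInstall/SCEP/{unique_id}"
    atomic_id, cmd_id = first_cmd_id, first_cmd_id + 1
    parts, commands = [], []

    def command(verb, uri, fmt=None, data=None):
        nonlocal cmd_id
        item = f"<Target><LocURI>{escape(uri)}</LocURI></Target>"
        if fmt:
            item += f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
        if data is not None:
            item += f"<Data>{escape(str(data))}</Data>"
        parts.append(f"<{verb}><CmdID>{cmd_id}</CmdID><Item>{item}</Item></{verb}>")
        commands.append((verb, uri.rsplit("/", 1)[-1]))
        cmd_id += 1

    command("Add", base, "node")                      # create SCEP/<UniqueID> first
    for name, fmt in INSTALL_NODES:
        if name in s:
            command("Add", f"{base}/Install/{name}", fmt, s[name])
    command("Exec", f"{base}/Install/Enroll")         # Enroll is always the last item
    xml = (f'<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Atomic><CmdID>{atomic_id}</CmdID>'
           + "".join(parts) + "</Atomic><Final/></SyncBody></SyncML>")
    return xml, commands


def sample_scep_settings(**overrides):
    """Constructed values modelled on the page's SyncML example; the server URL,
    challenge and CA thumbprint are placeholders, not real values."""
    s = {
        "ServerURL": "https://scep.example.invalid/certsrv/mscep/mscep.dll",
        "Challenge": "PLACEHOLDER_BASE64_CHALLENGE",
        "EKUMapping": "1.3.6.1.5.5.7.3.2",                       # id-kp-clientAuth
        "KeyUsage": KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT,  # 160 decimal, as in the example
        "SubjectName": "CN=ContosoCSP",
        "KeyProtection": 3, "RetryDelay": 1, "RetryCount": 1,
        "KeyLength": 2048, "HashAlgorithm": "SHA-2",
        "CAThumbprint": "00" * 20,                               # placeholder thumbprint
        "ValidPeriod": "Years", "ValidPeriodUnits": 1,
    }
    s.update(overrides)
    return s


if __name__ == "__main__":
    text, order = build_scep_install("ExampleUniqueID01", sample_scep_settings())
    print(order[-1])   # ('Exec', 'Enroll')
    print(text)
```

The returned command list is worth keeping alongside the XML: it lets a server-side test assert that every Add precedes the single Exec, which is the property the atomic-block rule exists to guarantee.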

ClientCertificateInstall/SCEP/UniqueID/CertThumbprint
Optional. Specifies the current certificate's thumbprint if certificate enrollment succeeds. It is the 20-byte SHA1 hash of the certificate, specified as a hexadecimal string value.

If the certificate on the device becomes invalid (certificate expired, certificate chain not valid, private key deleted), it will return an empty string.

Data type is string.

The only supported operation is Get.

ClientCertificateInstall/SCEP/UniqueID/Status
Required. Specifies the latest status of the certificate during the enrollment request.

Data type is string. Valid values:

Value  Description
1      Finished successfully
2      Pending (the device hasn't finished the action but has received the SCEP server pending response)
16     Action failed
32     Unknown

The only supported operation is Get.

ClientCertificateInstall/SCEP/UniqueID/ErrorCode
Optional. An integer value that indicates the HRESULT of the last enrollment error code.

The only supported operation is Get.

ClientCertificateInstall/SCEP/UniqueID/RespondentServerUrl
Required. Returns the URL of the SCEP server that responded to the enrollment request.

Data type is string.

The only supported operation is Get.
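Because Enroll does not notify the server, the MDM server has to query Status, ErrorCode, CertThumbprint and RespondentServerUrl afterwards and act on what comes back. As an added example that is not part of this page or of any Microsoft code, the following Python parses a SyncML Results message carrying those four nodes and maps it to a state the server can act on: finished with the thumbprint, pending (query again later), failed with the HRESULT shown unsigned, unknown (leave the Install child nodes alone, per the note on the Install node), plus an 'invalid' state that is this example's own reading of a successful Status paired with an empty CertThumbprint. sample_results() builds a constructed message with a placeholder UniqueID, thumbprint and server URL; it is not a captured device response.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "SYNCML:SYNCML1.2"}
STATUS_NAMES = {1: "finished", 2: "pending", 16: "failed", 32: "unknown"}
SHA1_HEX = re.compile(r"[0-9A-Fa-f]{40}")   # 20-byte thumbprint as hex, per the node text


def parse_scep_results(xml_text):
    """Map each <Results>/<Item> to {leaf node name: <Data> text}."""
    root = ET.fromstring(xml_text)
    values = {}
    for item in root.iterfind(".//s:Results/s:Item", NS):
        uri = item.findtext("s:Source/s:LocURI", default="", namespaces=NS)
        data = item.findtext("s:Data", default="", namespaces=NS)
        values[uri.rstrip("/").rsplit("/", 1)[-1]] = data.strip()
    return values


def enrollment_state(values):
    """Turn the Status/ErrorCode/CertThumbprint values into (state, detail).

    The 'invalid' state is this example's own interpretation: Status still
    reports success but CertThumbprint is empty, which the page says happens
    when the certificate expired, its chain broke or the private key was deleted.
    """
    status = STATUS_NAMES.get(int(values.get("Status", "32")), "unknown")
    if status == "finished":
        thumb = values.get("CertThumbprint", "")
        if not SHA1_HEX.fullmatch(thumb):
            return ("invalid", "certificate no longer valid on the device; re-enroll")
        return ("finished", thumb.upper())
    if status == "failed":
        hresult = int(values.get("ErrorCode", "0")) & 0xFFFFFFFF   # show as unsigned HRESULT
        return ("failed", f"HRESULT 0x{hresult:08X}")
    if status == "pending":
        return ("pending", "device is retrying per RetryDelay/RetryCount; query again later")
    return ("unknown", "do not change Install child nodes until the device leaves this state")


def sample_results(status, error_code="0", thumbprint="AB" * 20):
    """Constructed SyncML Results message for the SCEP status nodes (not a captured one)."""
    base = "./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/ExampleUniqueID01"

    def item(leaf, data):
        return f"<Item><Source><LocURI>{base}/{leaf}</LocURI></Source><Data>{data}</Data></Item>"

    return ('<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Results><CmdID>1</CmdID>'
            + item("Status", status) + item("ErrorCode", error_code)
            + item("CertThumbprint", thumbprint)
            + item("RespondentServerUrl", "https://scep.example.invalid/certsrv/mscep/mscep.dll")
            + "</Results><Final/></SyncBody></SyncML>")


if __name__ == "__main__":
    for status, thumb in (("1", "AB" * 20), ("1", ""), ("2", ""), ("32", "")):
        print(status, enrollment_state(parse_scep_results(sample_results(status, thumbprint=thumb))))
```

Keying the result on the leaf node name rather than the full LocURI keeps the parser indifferent to whether the certificate was enrolled under ./Device or ./User.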

Example

Enroll a client certificate through SCEP.

<SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>
        <Atomic>
        <Add>
            <CmdID>301</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere></LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">node</Format>
                </Meta>
            </Item>
        </Add>
        <Add>
            <CmdID>302</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/RetryCount</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>1</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>303</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/RetryDelay</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>1</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>304</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyUsage</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>160</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>305</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyLength</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>1024</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>306</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/HashAlgorithm</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data>SHA-1</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>307</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/SubjectName</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data>CN=ContosoCSP</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>308</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/SubjectAlternativeNames</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data></Data>
            </Item>
        </Add>
        <Add>
            <CmdID>309</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ValidPeriod</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data>Years</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>310</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ValidPeriodUnits</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>1</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>311</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/EKUMapping</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>312</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyProtection</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>3</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>313</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ServerURL</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data>http://constoso.com/certsrv/mscep/mscep.dll</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>314</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/Challenge</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data>1234CB055B7EBF384A9486A22B7559A5</Data>
            </Item>
        </Add>
        <Add>
            <CmdID>315</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/CAThumbprint</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data>12345087E648875D1DF5D9F9FF89DD10</Data>
            </Item>
        </Add>
        <Exec>
            <CmdID>316</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/Enroll</LocURI>
                </Target>
            </Item>
        </Exec>
        </Atomic>
        <Final/>
    </SyncBody>
</SyncML>

Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from the "My" store.

<SyncML>
    <SyncBody>
            <Delete>
                <CmdID>$CmdID$</CmdID>
                <Item>
                    <Target>
                        <LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C</LocURI>
                    </Target>
                </Item>
            </Delete>
        <Atomic>
            <CmdID>$CmdID$</CmdID>
            <Add>
                <CmdID>$CmdID$</CmdID>
                <Item>
                    <Target>
                        <LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation</LocURI>
                    </Target>
                    <Meta>
                        <Format xmlns="syncml:metinf">int</Format>
                    </Meta>
                    <Data>2</Data>
                </Item>
            </Add>
            <Add>
                <CmdID>$CmdID$</CmdID>
                <Item>
                    <Target>
                        <LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob</LocURI>
                    </Target>
                    <Meta>
                        <Format xmlns="syncml:metinf">chr</Format>
                    </Meta>
                    <Data>Base64_Encode_Cert_Blob</Data>
                </Item>
            </Add>
            <Add>
                <CmdID>$CmdID$</CmdID>
                <Item>
                    <Target>
                        <LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword</LocURI>
                    </Target>
                    <Meta>
                        <Format xmlns="syncml:metinf">chr</Format>
                    </Meta>
                    <Data>Base64Encoded_Encrypted_Password_Blob</Data>
                </Item>
            </Add>
            <Add>
                <CmdID>$CmdID$</CmdID>
                <Item>
                    <Target>
                        <LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType</LocURI>
                    </Target>
                    <Meta>
                        <Format xmlns="syncml:metinf">int</Format>
                    </Meta>
                    <Data>2</Data>
                </Item>
            </Add>
            <Add>
                <CmdID>$CmdID$</CmdID>
                <Item>
                    <Target>
                        <LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore</LocURI>
                    </Target>
                    <Meta>
                        <Format xmlns="syncml:metinf">chr</Format>
                    </Meta>
                    <Data>My</Data>
                </Item>
            </Add>

            <Add>
                <CmdID>$CmdID$</CmdID>
                <Item>
                    <Target>
                        <LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable</LocURI>
                    </Target>
                    <Meta>
                        <Format xmlns="syncml:metinf">bool</Format>
                    </Meta>
                    <Data>true</Data>
                </Item>
            </Add>
        </Atomic>
    <Final/>
    </SyncBody>
</SyncML>
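As an added example (not part of Microsoft's documentation or the CSP itself), the following Python checker applies two constraints this CSP documents to a SyncML payload before it is sent: the Enroll Exec must be the last item in its Atomic block, and PFXKeyExportable may only be true when KeyLocation is 3. The UniqueIDs, the SCEP URL and the embedded SyncML are constructed sample data; the constructed PFX block deliberately pairs KeyLocation=2 with PFXKeyExportable=true so the rule fires.

```python
import xml.etree.ElementTree as ET

CSP = "ClientCertificateInstall/"

def _loc(cmd):
    return cmd.findtext("Item/Target/LocURI", default="")

def check_clientcert_payload(syncml: str) -> list:
    """Return a list of findings for ClientCertificateInstall commands in a SyncML document."""
    findings = []
    root = ET.fromstring(syncml)
    for atomic in root.iter("Atomic"):
        cmds = [c for c in atomic if c.tag in ("Add", "Replace", "Exec")]
        locs = [_loc(c) for c in cmds]
        # Rule 1: an Enroll Exec must close the Atomic block, or enrollment may
        # trigger before the remaining SCEP settings are configured.
        for i, (c, l) in enumerate(zip(cmds, locs)):
            if c.tag == "Exec" and l.endswith("/Install/Enroll") and i != len(cmds) - 1:
                findings.append(f"{l}: Enroll Exec is not the last item in the Atomic block")
        # Rule 2: group leaf settings per certificate node (the path up to the leaf name)
        # and reject PFXKeyExportable=true unless KeyLocation is 3.
        per_cert = {}
        for c, l in zip(cmds, locs):
            if CSP in l and c.tag != "Exec":
                parent, leaf = l.rsplit("/", 1)
                per_cert.setdefault(parent, {})[leaf] = (c.findtext("Item/Data") or "").strip()
        for parent, vals in per_cert.items():
            if vals.get("PFXKeyExportable", "").lower() == "true" and vals.get("KeyLocation") != "3":
                findings.append(f"{parent}: PFXKeyExportable=true requires KeyLocation=3 "
                                f"(got {vals.get('KeyLocation')})")
    return findings

def _add(uri, fmt, data):
    # Constructed helper that emits one SyncML Add command.
    return (f"<Add><CmdID>1</CmdID><Item><Target><LocURI>{uri}</LocURI></Target>"
            f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta><Data>{data}</Data></Item></Add>')

# Constructed sample payload (UniqueIDs and URL are placeholders, not real values).
PFX = "./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/ABCDEF0123"
SCEP = "./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/0123ABCDEF/Install"
SAMPLE = f"""<SyncML><SyncBody>
<Atomic><CmdID>1</CmdID>
{_add(PFX + "/KeyLocation", "int", 2)}
{_add(PFX + "/PFXCertBlob", "chr", "Base64_Encode_Cert_Blob")}
{_add(PFX + "/PFXKeyExportable", "bool", "true")}
</Atomic>
<Atomic><CmdID>2</CmdID>
{_add(SCEP + "/ServerURL", "chr", "http://scep.example.invalid/certsrv/mscep/mscep.dll")}
<Exec><CmdID>3</CmdID><Item><Target><LocURI>{SCEP}/Enroll</LocURI></Target></Item></Exec>
{_add(SCEP + "/KeyProtection", "int", 3)}
</Atomic>
<Final/></SyncBody></SyncML>"""

if __name__ == "__main__":
    for finding in check_clientcert_payload(SAMPLE):
        print(finding)
```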

Configuration service provider reference