Configure and manage PKCS certificates with Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

This topic shows how to configure your infrastructure, then create and assign PKCS certificate profiles with Intune.

To do any certificate-based authentication in your organization, you need an Enterprise Certification Authority.

To use PKCS certificate profiles, in addition to the Enterprise Certification Authority, you also need:

  • A computer that can communicate with the Certification Authority, or you can use the Certification Authority computer itself.

  • The Intune Certificate Connector, which runs on the computer that can communicate with the Certification Authority.

Important terms

  • Active Directory domain: All servers listed in this section (except for the Web Application Proxy server) must be joined to your Active Directory domain.

  • Certification Authority: An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A Standalone CA is not supported. For instructions on how to set up a Certification Authority, see Install the Certification Authority. If your CA runs Windows Server 2008 R2, you must install the hotfix from KB2483564.

  • Computer that can communicate with the Certification Authority: Alternatively, use the Certification Authority computer itself.

  • Microsoft Intune Certificate Connector: From the Azure portal, you download the Certificate Connector installer (ndesconnectorssetup.exe). You then run ndesconnectorssetup.exe on the computer where you want to install the Certificate Connector. For PKCS certificate profiles, install the Certificate Connector on the computer that communicates with the Certification Authority.
  • Web Application Proxy server (optional): You can use a server that runs Windows Server 2012 R2 or later as a Web Application Proxy (WAP) server. This configuration:

    • Allows devices to receive certificates over an Internet connection.
    • Is a security recommendation when devices connect through the Internet to receive and renew certificates.
    • The server that hosts WAP must have an update installed that enables support for the long URLs used by the Network Device Enrollment Service (NDES). This update is included in the December 2014 update rollup, or is available individually as KB3011135.
    • Also, the server that hosts WAP must have an SSL certificate that matches the name published to external clients, and must trust the SSL certificate used on the NDES server. These certificates let the WAP server terminate the SSL connection from clients and create a new SSL connection to the NDES server. For information about certificates for WAP, see the Plan certificates section of Planning to Publish Applications Using Web Application Proxy. For general information about WAP servers, see Working with Web Application Proxy.

Certificates and templates

  • Certificate Template - You configure this template on your issuing CA.
  • Trusted Root CA certificate - You export this as a .cer file from the issuing CA (or from any device that trusts the issuing CA), and assign it to devices by using the Trusted CA certificate profile.

You use a single Trusted Root CA certificate per operating system platform, and associate it with each Trusted Root Certificate profile you create.

You can use additional Trusted Root CA certificates when needed. For example, you might do this to trust a CA that signs the server authentication certificates for your Wi-Fi access points.

Configure your infrastructure

Before you can configure certificate profiles, you must complete the following steps. These steps require knowledge of Windows Server 2012 R2 and Active Directory Certificate Services (ADCS):

  • Step 1 - Configure certificate templates on the certification authority.
  • Step 2 - Enable, install, and configure the Intune Certificate Connector.

Step 1 - Configure certificate templates on the certification authority

To configure the certification authority

  1. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or copy and edit an existing template (such as the User template), for use with PKCS.

    The template must include the following:

    • A friendly Template display name for the template.

    • On the Subject Name tab, select Supply in the request. (With this setting the CA accepts whatever subject name the requester supplies; Intune builds that name from the profile's Subject name format, so limit Enroll permission on the template to the connector host, as described in step 4.)

    • On the Extensions tab, ensure the Description of Application Policies includes Client Authentication.

      For iOS and macOS certificate templates, on the Extensions tab, edit Key Usage and ensure that Signature is proof of origin is not selected.

  2. Review the Validity period on the General tab of the template. By default, Intune uses the value configured in the template. However, you can configure the CA to allow the requester to specify a different value, which you can then set in the Intune certificate profile. If you always want to use the value in the template, skip the remainder of this step.

    iOS and macOS always use the value set in the template, regardless of any other configuration you make.

    To configure the CA to allow the requester to specify the validity period, run the following commands on the CA:

    a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

    b. net stop certsvc

    c. net start certsvc

  3. On the issuing CA, use the Certification Authority snap-in to publish the certificate template.

    a. Select the Certificate Templates node, click Action > New > Certificate Template to Issue, and then select the template you created in step 1.

    b. Validate that the template was published by viewing it under the Certificate Templates folder.

  4. Ensure that the computer account of the computer that hosts the Intune Certificate Connector has Enroll permission on the template used by the PKCS certificate profile (set on the Security tab of the template in the Certificate Templates snap-in), and Request Certificates permission on the CA (set on the Security tab of the CA properties in the Certification Authority snap-in).
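The following script is an added example, not part of the original article, that checks on the issuing CA the settings Step 1 asks for: the EDITF_ATTRIBUTEENDDATE flag, the template's Supply in the request setting, its Client Authentication EKU, the Signature is proof of origin key usage bit, its validity period, whether it is published, and whether the connector host holds Enroll on it. It also prints the template's Name next to its display name, which matters later when the profile asks for the template name. The values of $TemplateName and $ConnectorHost are assumptions; run it elevated on the CA with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the original article): pre-flight checks on the issuing CA.
# $TemplateName and $ConnectorHost are assumed values: use your template's Name (not its
# display name) and the computer name of the host that runs the Intune Certificate Connector.
$TemplateName  = 'IntunePKCSUser'   # assumed template *name*
$ConnectorHost = 'CONNECTOR01'      # assumed connector computer account

Import-Module ActiveDirectory

# 1. Does the CA let the requester set the end date?  EDITF_ATTRIBUTEENDDATE = 0x20
$caName    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$polKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags = (Get-ItemProperty $polKey).EditFlags
"EDITF_ATTRIBUTEENDDATE set : $(($editFlags -band 0x20) -ne 0)  (custom validity in the profile needs True)"

# 2. The template definition lives in the Configuration partition of Active Directory
$cfg  = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$t = Get-ADObject -SearchBase $base -Filter "cn -eq '$TemplateName'" -Properties displayName,pKIExtendedKeyUsage,pKIKeyUsage,pKIExpirationPeriod,'msPKI-Certificate-Name-Flag'
if (-not $t) { throw "Template '$TemplateName' not found. Did you use the display name by mistake?" }

"Name / display name        : $($t.Name) / $($t.displayName)   (the Intune profile wants the Name)"

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) is the 'Supply in the request' setting
"Subject: supply in request : $(($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0)"

# Client Authentication EKU OID
"EKU has Client Auth        : $($t.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2')"

# pKIKeyUsage holds the KeyUsage bit string; byte 0: 0x80 digitalSignature, 0x40 nonRepudiation
"Proof-of-origin bit set    : $(($t.pKIKeyUsage[0] -band 0x40) -ne 0)  (must be False for iOS/macOS)"

# pKIExpirationPeriod is a negative 64-bit count of 100 ns intervals
$ticks = [BitConverter]::ToInt64($t.pKIExpirationPeriod, 0)
"Template validity (days)   : $([Math]::Abs($ticks) / 864000000000)"

# 3. Published on this CA?  certutil -CATemplates prints one 'Name: DisplayName ...' line per template
$published = (certutil -CATemplates) -match "^$([regex]::Escape($TemplateName)):"
"Published on CA            : $([bool]$published)"

# 4. Enroll is the extended right 0e10c968-78fb-11d2-90d4-00c04f79dc55 on the template object.
#    Only direct grants to the computer account are found; group membership is not expanded.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
$canEnroll = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\$ConnectorHost`$" -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty) -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
"$ConnectorHost has Enroll   : $([bool]$canEnroll)"
```

If the Enroll check reports False but the permission was granted through a group, that is expected; the point of the check is to catch templates that are open to Authenticated Users or Domain Computers, which combined with Supply in the request lets any domain member request a certificate with an arbitrary subject.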

Step 2 - Enable, install, and configure the Intune Certificate Connector

In this step you will:

  • Enable support for the Certificate Connector
  • Download, install, and configure the Certificate Connector.

To enable support for the certificate connector

  1. Sign in to the Azure portal.
  2. Choose More Services > Monitoring + Management > Intune.
  3. On the Intune blade, choose Configure devices.
  4. On the Device configuration blade, choose Setup > Certificate Authority.
  5. Under Step 1, choose Enable.

To download, install, and configure the certificate connector

  1. On the Configure devices blade, choose Setup > Certificate Authority.
  2. Choose Download the certificate connector.
  3. After the download completes, run the downloaded installer (ndesconnectorssetup.exe) on the computer that can connect to the Certification Authority. Choose the PKCS (PFX) Distribution option, and then choose Install. When the installation has completed, continue by creating a certificate profile as described in How to configure certificate profiles.

  4. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client authentication certificate you installed.

    After you select the client authentication certificate, you are returned to the Client Certificate for Microsoft Intune Certificate Connector page. Although the certificate you selected is not shown, choose Next to view the properties of that certificate. Then choose Next, and then Install.

  5. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

    If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following command:

  6. In the Certificate Connector UI:

    a. Choose Sign In and enter your Intune service administrator credentials, or the credentials of a tenant administrator with the global administration permission.

    b. Select the Advanced tab, and then provide credentials for an account that has the Issue and Manage Certificates permission on your issuing Certification Authority.

    c. Choose Apply.

    You can now close the Certificate Connector UI.

  7. Open a command prompt, type services.msc, and press Enter. Right-click the Intune Connector Service, and choose Restart.

To validate that the service is running, open a browser and enter the following URL, which should return a 403 error:

http://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll

A 403 shows that IIS is answering and the NDES application is loaded. Because mscep.dll is part of NDES, this check only applies when the connector is installed on a server that also runs NDES; on a PKCS-only connector host, confirm instead that the Intune Connector Service is running and that the host can reach the CA.
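The following script is an added example, not part of the original article, for checking the connector host after Step 2: the connector service state, RPC/DCOM reachability of the CA, the client authentication certificates the connector can pick from, and, where NDES is present, the 403 test above done from PowerShell rather than a browser. The value of $CAConfig and the FQDN in the commented-out call are assumptions.

```powershell
# Added example (not from the original article): post-install checks on the computer that
# hosts the Intune Certificate Connector. $CAConfig ("CAHost\CA common name") is an assumed value.
$CAConfig = 'CA01.contoso.local\Contoso Issuing CA'

# 1. Connector service state (display name as shown in services.msc)
$svc = Get-Service -DisplayName 'Intune Connector Service' -ErrorAction Stop
"Intune Connector Service   : $($svc.Status)  (StartType $($svc.StartType))"

# 2. Can this host talk to the CA?  certutil -ping exits 0 when the CA answers over RPC/DCOM.
$null = certutil -ping -config $CAConfig 2>&1
"CA reachable               : $($LASTEXITCODE -eq 0)  ($CAConfig)"

# 3. Client-authentication certificates in the machine store, with expiry and private-key status
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    ForEach-Object {
        "Client auth cert           : $($_.Subject)  expires $($_.NotAfter.ToString('u'))  private key: $($_.HasPrivateKey)"
    }

# 4. NDES endpoint test: a 403 from mscep.dll means IIS answered and the NDES application is up.
#    Only meaningful when NDES is installed on this host; a PKCS-only connector has no mscep.dll.
function Test-NdesEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn)
    $url = "http://$Fqdn/certsrv/mscep/mscep.dll"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        return "$url -> HTTP $($r.StatusCode)  (expected 403; check IIS authentication settings)"
    } catch [System.Net.WebException] {
        $code = [int]$_.Exception.Response.StatusCode
        if ($code -eq 403) { return "$url -> HTTP 403  (expected: NDES is responding)" }
        return "$url -> HTTP $code  (unexpected)"
    }
}
# Test-NdesEndpoint -Fqdn 'connector01.contoso.local'   # assumed FQDN
```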

How to create a PKCS certificate profile

In the Azure portal, select the Configure devices workload.

  1. On the Device configuration blade, choose Manage > Profiles.
  2. On the Profiles blade, click Create Profile.
  3. On the Create Profile blade, enter a Name and Description for the PKCS certificate profile.
  4. From the Platform drop-down list, select the device platform for this PKCS certificate:
    • Android
    • Android for Work
    • iOS
    • Windows 10 and later
  5. From the Profile type drop-down list, choose PKCS certificate.
  6. On the PKCS Certificate blade, configure the following settings:
    • Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
    • Certificate validity period - If you have run certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE on the issuing CA, which allows a custom validity period, you can specify the amount of time before the certificate expires.
      You can specify a value that is lower than the validity period in the specified certificate template, but not higher. For example, if the validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. The value must also be lower than the remaining validity period of the issuing CA's certificate.
    • Key storage provider (KSP) (Windows 10) - Specify where the key for the certificate is stored. Choose one of the following values:
      • Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
      • Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
      • Enroll to Passport, otherwise fail (Windows 10 and later)
      • Enroll to Software KSP
    • Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A Standalone CA is not supported. For instructions on how to set up a Certification Authority, see Install the Certification Authority. If your CA runs Windows Server 2008 R2, you must install the hotfix from KB2483564.
    • Certification authority name - Enter the name of your certification authority.
    • Certificate template name - Enter the name of a certificate template that the Network Device Enrollment Service is configured to use and that has been added to an issuing CA. Make sure that the name exactly matches one of the certificate templates listed in the registry of the server that runs the Network Device Enrollment Service. Make sure that you specify the name of the certificate template, not its display name. To find the names of certificate templates, browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. The certificate templates are listed as the values of EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate. By default, the value of all three is IPSECIntermediateOffline, which maps to the template display name IPSec (Offline request).
    • Subject name format - From the list, select how Intune automatically creates the subject name in the certificate request. If the certificate is for a user, you can also include the user's email address in the subject name. Choose from:
      • Not configured
      • Common name
      • Common name including email
      • Common name as email
    • Subject alternative name - Specify how Intune automatically creates the values for the subject alternative name (SAN) in the certificate request. For example, if you selected a user certificate type, you can include the user principal name (UPN) in the subject alternative name. If the client certificate is used to authenticate to a Network Policy Server, set the subject alternative name to the UPN. You can also select Custom Azure AD attribute. When you select this option, another drop-down field is displayed, which has one option: Department. If the department is not set for the user in Azure AD, the certificate is not issued. To resolve this, set the department and save the changes; at the next device check-in the certificate is issued. ASN.1 is the notation used for this field.
    • Extended key usage (Android) - Choose Add to add values for the certificate's intended purpose. In most cases, the certificate requires Client Authentication so that the user or device can authenticate to a server. However, you can add any other key usages as required.
    • Root Certificate (Android) - Choose a root CA certificate profile that you have previously configured and assigned to the user or device. This CA certificate must be the root certificate for the CA that will issue the certificate you are configuring in this certificate profile. This is the trusted certificate profile that you created previously.
  7. When you're done, go back to the Create Profile blade, and click Create.

The profile is created and is displayed on the Profiles list blade.
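The following script is an added example, not part of the original article, that inspects a certificate Intune delivered to a Windows 10 device and reports the properties the profile settings above control: the Client Authentication EKU, the nonRepudiation (Signature is proof of origin) key usage bit, the SAN text including any UPN, which KSP actually holds the private key (TPM, Passport or software), and the date at which the device will request renewal given the Renewal threshold (%). The values of $IssuerMatch and $RenewalThresholdPercent are assumptions; run it in Windows PowerShell on the enrolled device.

```powershell
# Added example (not from the original article): check an Intune-issued PKCS certificate on a
# Windows 10 device. $IssuerMatch and $RenewalThresholdPercent are assumed values: set them to
# your issuing CA's common name and to the Renewal threshold (%) configured in the profile.
$IssuerMatch             = 'Contoso Issuing CA'
$RenewalThresholdPercent = 20

function Get-PkcsCertReport {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$ThresholdPercent
    )
    # Which key storage provider holds the private key (maps to the profile's KSP setting):
    #   Microsoft Platform Crypto Provider  -> TPM
    #   Microsoft Passport Key Storage Provider -> Passport
    #   Microsoft Software Key Storage Provider -> software KSP
    $provider = 'n/a (no private key)'
    if ($Cert.HasPrivateKey) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $provider = $rsa.Key.Provider.Provider }
        elseif ($rsa) { $provider = 'legacy CSP (not a KSP)' }
        else { $provider = 'non-RSA key' }
    }

    # Subject alternative name (OID 2.5.29.17) as text; a UPN shows up as 'Principal Name='
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
           ForEach-Object { $_.Format($false) }

    # Key usage flags; the template note says iOS/macOS templates must not set nonRepudiation
    $ku = ($Cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages

    # Renewal threshold is the percentage of lifetime *remaining* at which the device re-requests,
    # so the renewal request is due at NotAfter - lifetime * threshold / 100
    $lifetime = $Cert.NotAfter - $Cert.NotBefore
    $renewAt  = $Cert.NotAfter.AddTicks(-[long]($lifetime.Ticks * $ThresholdPercent / 100))

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        Thumbprint     = $Cert.Thumbprint
        ClientAuthEKU  = $Cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
        NonRepudiation = [bool]($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::NonRepudiation)
        SAN            = ($san -join '; ')
        KeyProvider    = $provider
        InTPM          = ($provider -eq 'Microsoft Platform Crypto Provider')
        NotAfter       = $Cert.NotAfter
        RenewalDue     = $renewAt
    }
}

# User certificates land in the user's Personal store, device certificates in LocalMachine\My
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
    Where-Object { $_.Issuer -like "*CN=$IssuerMatch*" } |
    ForEach-Object { Get-PkcsCertReport -Cert $_ -ThresholdPercent $RenewalThresholdPercent } |
    Format-List
```

A certificate issued under "Enroll to TPM KSP if present, otherwise Software KSP" can legitimately report a software provider on hardware without a TPM; if the profile was meant to guarantee hardware-bound keys, that report is the signal to switch to the "otherwise fail" option.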

How to assign the certificate profile

Consider the following before you assign certificate profiles to groups:

  • When you assign certificate profiles to groups, the certificate file from the Trusted CA certificate profile is installed on the device. The device uses the PKCS certificate profile to create its certificate request.
  • Certificate profiles install only on devices running the platform you selected when you created the profile.
  • You can assign certificate profiles to user groups or to device groups.
  • To deliver a certificate to a device quickly after it enrolls, assign the certificate profile to a user group rather than to a device group. If you assign it to a device group, a full device registration is required before the device receives policies.
  • Although you assign each profile separately, you must assign both the Trusted Root CA profile and the PKCS profile. Otherwise, the PKCS certificate policy will fail.

For information about how to assign profiles, see How to assign device profiles.