Configure and manage PKCS certificates with Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Requirements

To use PKCS certificates with Intune, you must have the following infrastructure:

  • An existing Active Directory Domain Services (AD DS) domain, already configured.

    If you need more information about how to install and configure AD DS, see the article AD DS Design and Planning.

  • An existing Enterprise Certification Authority (CA), already configured.

    If you need more information about how to install and configure Active Directory Certificate Services (AD CS), see the article Active Directory Certificate Services Step-by-Step Guide.

    Warning

    Intune requires you to run AD CS with an Enterprise Certification Authority (CA), not a Standalone CA.

  • A client that has connectivity to the Enterprise CA.

  • An exported copy of your root certificate from your Enterprise CA.
  • The Microsoft Intune Certificate Connector (NDESConnectorSetup.exe), downloaded from your Intune portal.
  • A Windows Server available to host the Microsoft Intune Certificate Connector (NDESConnectorSetup.exe).

Export the root certificate from the Enterprise CA

You need a root or intermediate CA certificate on each device for authentication with VPN, Wi-Fi, and other resources. The following steps explain how to get the required certificate from your Enterprise CA.

  1. Log in to your Enterprise CA with an account that has administrative privileges.
  2. Open a command prompt as an administrator.
  3. Export the Root CA certificate to a location where you can access it later.

    For example:

    certutil -ca.cert certnew.cer

    This writes the CA's own certificate (the public part only; no private key is exported) to certnew.cer. For more information, see Certutil tasks for managing certificates.
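The following PowerShell script is an added example and is not part of the original page or of any Microsoft tooling. Run it in an elevated session on the Enterprise CA. It checks that the CA is an Enterprise CA (the Warning in the Requirements section), performs the certutil export from step 3, and then inspects the exported file so you know whether you have a root or an intermediate CA certificate. The output path is an assumption; the registry key and CAType values are the ones AD CS itself uses.

```powershell
# Added example, not from the original page. Run elevated on the Enterprise CA.
$OutFile = 'C:\Temp\certnew.cer'   # assumption: where you want the exported certificate

# 1. CA type from the CertSvc configuration. CAType: 0 = Enterprise Root, 1 = Enterprise Subordinate,
#    3 = Standalone Root, 4 = Standalone Subordinate. Intune PKCS needs 0 or 1.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caType = (Get-ItemProperty -Path (Join-Path $cfgKey $caName) -Name CAType).CAType
if ($caType -notin @(0, 1)) {
    throw "CA '$caName' is a Standalone CA (CAType=$caType); Intune requires an Enterprise CA."
}
"CA '$caName' is an Enterprise CA (CAType=$caType)."

# 2. Export the CA's own certificate. certutil -ca.cert writes the public certificate only.
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
certutil -ca.cert $OutFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

# 3. Inspect what was exported before you upload it to a Trusted certificate profile.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey   # expected: False
}

# A self-signed certificate (Subject equals Issuer) is a root CA certificate. On a subordinate
# Enterprise CA this file is the intermediate CA certificate instead.
if ($cert.Subject -eq $cert.Issuer) {
    "Exported certificate is a self-signed root CA certificate."
} else {
    Write-Warning ("Exported certificate is issued by '{0}': this is an intermediate CA certificate. " +
                   "Export the root CA certificate from the chain separately if devices must trust it.") -f $cert.Issuer
}
```

Record the thumbprint it prints; it is the quickest way to confirm later that the certificate a device received under the Trusted certificate profile is the one you exported here.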

Configure certificate templates on the certification authority

  1. Log in to your Enterprise CA with an account that has administrative privileges.
  2. Open the Certification Authority console.
  3. Right-click Certificate Templates and choose Manage.
  4. Locate the User certificate template, right-click it and choose Duplicate Template. A window opens: Properties of New Template.
  5. On the Compatibility tab:
    • Set Certification Authority to Windows Server 2008 R2
    • Set Certificate recipient to Windows 7 / Server 2008 R2
  6. On the General tab:

    • Set Template display name to something meaningful to you.

    Warning

    The Template name defaults to the Template display name with the spaces removed. Note the Template name; the PKCS certificate profile asks for it later.

  7. On the Request Handling tab, check the Allow private key to be exported box. In the PKCS flow the connector server generates the key pair and delivers it to the device inside a PFX file, so the template must allow export.

  8. On the Cryptography tab, confirm that the Minimum key size is set to 2048.
  9. On the Subject Name tab, choose the radio button Supply in the request.
  10. On the Extensions tab, confirm that you see Encrypting File System, Secure Email, and Client Authentication under Application Policies.

    Important

    For iOS and macOS certificate templates, on the Extensions tab, edit Key Usage and ensure that Signature is proof of origin is not selected.

  11. On the Security tab, add the Computer account of the server where you install the Microsoft Intune Certificate Connector.

    • Allow this account Read and Enroll permissions. Because the subject is supplied in the request (step 9), the CA issues whatever subject an enrolling principal asks for, so do not grant Enroll on this template to anyone other than the connector's computer account.
  12. Click Apply, then click OK to save the certificate template.
  13. Close the Certificate Templates Console.
  14. From the Certification Authority console, right-click Certificate Templates, then New, then Certificate Template to Issue.
    • Choose the template that you created in the preceding steps and click OK.
  15. For the server to manage certificates on behalf of Intune-enrolled devices and users, follow these steps:

    a. Right-click the Certification Authority and choose Properties.

    b. On the Security tab, add the Computer account of the server where you run the Microsoft Intune Certificate Connector.

    • Grant the computer account the Allow permissions Issue and Manage Certificates and Request Certificates.
  16. Log out of the Enterprise CA.
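The following PowerShell script is an added example, not part of the original page or of any Microsoft tooling, that verifies the template you just configured without clicking back through the console. Run it on any domain-joined machine as a domain user. It reads the template object from the Configuration partition of Active Directory, checks the settings from steps 7 to 10 and the Important note, and then lists every principal that holds Enroll on the template (step 11). The template name and connector hostname are placeholders; the flag values, the Enroll right GUID and the EKU OIDs are the ones defined in the certificate template schema and the standard EKU registrations.

```powershell
# Added example, not from the original page. Run as a domain user on a domain-joined machine.
$TemplateName  = 'IntuneUser'     # assumption: Template name from step 6 (display name without spaces)
$ConnectorHost = 'INTUNECONN01'   # assumption: hostname of the Intune Certificate Connector server

$cfgNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
    throw "Template '$TemplateName' was not found in AD; check the Template name (not the display name)."
}
$tpl = [ADSI]$tplPath

# Flag values are from the certificate template schema (MS-CRTD); OIDs are the standard EKU OIDs.
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x01   # msPKI-Certificate-Name-Flag
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$RequiredEku = @{
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}

$privKeyFlags = [int]$tpl.'msPKI-Private-Key-Flag'.Value
$nameFlags    = [int]$tpl.'msPKI-Certificate-Name-Flag'.Value
$minKeySize   = [int]$tpl.'msPKI-Minimal-Key-Size'.Value
$ekus         = @($tpl.pKIExtendedKeyUsage)
$keyUsage     = [byte[]]$tpl.pKIKeyUsage.Value   # KeyUsage bit string, MSB first: 0x40 = nonRepudiation
$missingEku   = @($RequiredEku.Keys | Where-Object { $ekus -notcontains $_ })

$checks = [ordered]@{
    'Step 7:  private key exportable'            = ($privKeyFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    'Step 8:  minimum key size 2048'             = $minKeySize -ge 2048
    'Step 9:  subject supplied in request'       = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'Step 10: EFS, Secure Email, Client Auth'    = $missingEku.Count -eq 0
    'Note:    nonRepudiation not set (iOS/macOS)' = ($keyUsage.Length -gt 0) -and (($keyUsage[0] -band 0x40) -eq 0)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-46} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# Step 11: review Enroll. With "Supply in the request" the CA does not derive the subject from AD,
# so every principal with Enroll (or Full Control) can request any subject the template allows.
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$enrollers = $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ObjectType -eq $EnrollRightGuid -and $_.ActiveDirectoryRights.HasFlag($extRight)) -or
            $_.ActiveDirectoryRights.HasFlag($genAll)
        )
    }
$enrollers | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize

$connectorAcct = "*\$ConnectorHost`$"
if (-not ($enrollers | Where-Object { $_.IdentityReference.Value -like $connectorAcct })) {
    Write-Warning "Computer account $ConnectorHost`$ has no Enroll right on '$TemplateName'."
}
$others = @($enrollers | Where-Object { $_.IdentityReference.Value -notlike $connectorAcct })
if ($others.Count -gt 0) {
    Write-Warning ("Other principals can enroll on this template (confirm each is intended): " +
                   (($others | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
}
```

Domain Admins and Enterprise Admins hold Full Control on every template by default and will appear in the last warning; what you are looking for is anything else, such as Domain Users or Authenticated Users, being granted Enroll on a template whose subject comes from the request.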

Download, install and configure the Microsoft Intune Certificate Connector


  1. Sign in to the Azure portal.
  2. Navigate to Intune, Device configuration, Certification Authority, and click Download the certificate connector.
    • Save the download to a location that you can reach from the server where you will install it.
  3. Log in to the server where you will install the Microsoft Intune Certificate Connector.
  4. Run the installer and accept the default location. It installs the connector to C:\Program Files\Microsoft Intune\NDESConnectorUI\NDESConnectorUI.exe.

    a. On the Installer Options page, choose PFX Distribution and click Next.

    b. Click Install and wait for the installation to complete.

    c. On the completion page, check the box labeled Launch Intune Connector and click Finish.

  5. The NDES Connector window should now open on the Enrollment tab. To enable the connection to Intune, click Sign In and provide an account that has administrative permissions.

  6. On the Advanced tab, you can leave the radio button Use this computer's SYSTEM account (default) selected. Running as SYSTEM means the connector reaches the CA as the server's computer account, which is why the template and CA permissions in the previous section were granted to that computer account.
  7. Click Apply, then Close.
  8. Now go back to the Azure portal. After a few minutes, under Intune, Device configuration, Certification Authority, you should see a green check mark and the word Active under Connection status. This confirmation tells you that your connector server can communicate with Intune.

Create a device configuration profile

  1. Sign in to the Azure portal.
  2. Navigate to Intune, Device configuration, Profiles, and click Create profile.


  3. Populate the following information:

    • Name for the profile
    • Optionally, a description
    • Platform to deploy the profile to
    • Set Profile type to Trusted certificate
  4. Navigate to Settings and provide the Root CA certificate .cer file that you exported previously.

    Note

    Depending on the Platform you chose in step 3, you may or may not have an option to choose the Destination store for the certificate.


  5. Click OK, then Create to save your profile.

  6. To assign the new profile to one or more devices, see How to assign Microsoft Intune device profiles.

Create a PKCS certificate profile

  1. Sign in to the Azure portal.
  2. Navigate to Intune, Device configuration, Profiles, and click Create profile.
  3. Populate the following information:
    • Name for the profile
    • Optionally, a description
    • Platform to deploy the profile to
    • Set Profile type to PKCS certificate
  4. Navigate to Settings and provide the following information:

    • Renewal threshold (%): the recommended value is 20%.
    • Certificate validity period: if you did not change the certificate template, this option should be set to one year.
    • Certification authority: the internal fully qualified domain name (FQDN) of your Enterprise CA.
    • Certification authority name: the name of your Enterprise CA, which may differ from the previous item.
    • Certificate template name: the Template name of the template created earlier. Remember that the Template name defaults to the Template display name with the spaces removed.
    • Subject name format: set this option to Common name unless otherwise required.
    • Subject alternative name: set this option to User principal name (UPN) unless otherwise required.
    • Extended key usage: as long as you used the default settings in step 10 of the preceding section, Configure certificate templates on the certification authority, add the following Predefined values from the selection box:
      • Any Purpose
      • Client Authentication
      • Secure Email
    • Root Certificate (Android profiles only): the .cer file exported in step 3 of the section Export the root certificate from the Enterprise CA.
  5. Click OK, then click Create to save your profile.

  6. To assign the new profile to one or more devices, see the article How to assign Microsoft Intune device profiles.
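The two CA fields in step 4 (Certification authority and Certification authority name) are the most common thing to get wrong in a PKCS profile, because the FQDN and the CA's common name are different strings. The following PowerShell script is an added example, not part of the original page or of any Microsoft tooling. Run it on the Intune Certificate Connector server. It reads the Enrollment Services objects that every Enterprise CA registers in Active Directory to obtain both values, confirms that the template from the template section is published on that CA (step 14 there), and pings the CA with certutil over the same path the connector uses. The template name is a placeholder.

```powershell
# Added example, not from the original page. Run on the Intune Certificate Connector server.
$TemplateName = 'IntuneUser'   # assumption: Template name (no spaces) from the template section

$cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$es    = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"

# Every Enterprise CA has a pKIEnrollmentService object here; dNSHostName is the CA host's FQDN
# and cn is the CA name. Those are the two values the PKCS profile asks for.
$cas = foreach ($svc in $es.Children) {
    [pscustomobject]@{
        'Certification authority'      = $svc.dNSHostName.Value
        'Certification authority name' = $svc.cn.Value
        Templates                      = @($svc.certificateTemplates)
    }
}
$cas | Format-Table -AutoSize 'Certification authority', 'Certification authority name'

foreach ($ca in $cas) {
    $config = '{0}\{1}' -f $ca.'Certification authority', $ca.'Certification authority name'

    if ($ca.Templates -notcontains $TemplateName) {
        Write-Warning "Template '$TemplateName' is not published on $config (step 14 of the template section)."
        continue
    }

    # certutil -ping contacts the CA's request interface over DCOM, the same way the connector
    # requests certificates. Run it as the account the connector uses if you want an exact match.
    $ping = certutil -config $config -ping 2>&1
    if ($LASTEXITCODE -eq 0) {
        "OK   $config is reachable; use these two values in the PKCS profile."
    } else {
        Write-Warning "FAIL $config is not reachable: $($ping -join ' ')"
    }
}
```

If the ping succeeds under your admin account but the profile still fails, repeat the ping as SYSTEM (the identity chosen on the connector's Advanced tab), since that is the account whose CA permissions were granted in step 15 of the template section.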