Configure and use PKCS certificates with Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Read the introduction to Intune.

Certificates are used to authenticate and secure access to your corporate resources, such as a VPN or your WiFi network. This article shows you how to export the root certificate from your Enterprise CA, prepare a certificate template and the Microsoft Intune Certificate Connector, and then add the certificate to an Intune trusted certificate profile and a PKCS certificate profile.

Requirements

To use PKCS certificates with Intune, be sure you have the following infrastructure:

  • An existing Active Directory Domain Services (AD DS) domain configured.

    For more information about installing and configuring AD DS, see AD DS Design and Planning.

  • An existing Enterprise Certification Authority (CA) configured.

    For more information on installing and configuring Active Directory Certificate Services (AD CS), see Active Directory Certificate Services Step-by-Step Guide.

    Warning

    Intune requires you to run AD CS with an Enterprise Certification Authority (CA), not a Standalone CA.

  • A client that has connectivity to the Enterprise CA.

  • An exported copy of your root certificate from your Enterprise CA.

  • The Microsoft Intune Certificate Connector (NDESConnectorSetup.exe) downloaded from your Intune portal.

  • A Windows Server to host the Microsoft Intune Certificate Connector (NDESConnectorSetup.exe).

Export the root certificate from the Enterprise CA

To authenticate with VPN, WiFi, and other resources, a root or intermediate CA certificate is needed on each device. The following steps explain how to get the required certificate from your Enterprise CA.

  1. Sign in to your Enterprise CA with an account that has administrative privileges.

  2. Open a command prompt as an administrator.

  3. Export the Root CA Certificate (.cer) to a location where you can access it later.

    For example:

    certutil -ca.cert certnew.cer

    For more information, see Certutil tasks for managing certificates.
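The following PowerShell is an added example, not part of the original article: it runs the same certutil export as step 3 and then inspects the resulting .cer file before it is uploaded to Intune as a trusted certificate. The output path is a placeholder; the checks (no private key in the file, BasicConstraints CA=true, KeyCertSign key usage, not expired) are what a practitioner would want to confirm before every managed device is told to trust this file.

```powershell
# Added example (not from the original article). Runs on the Enterprise CA server.
# $CerPath is a placeholder; point it wherever you want the exported file to land.
$CerPath = Join-Path $env:TEMP 'certnew.cer'

# Same export as the article's step 3: -ca.cert writes the CA's own certificate.
certutil -ca.cert $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil export failed with exit code $LASTEXITCODE" }

# Load the exported certificate. A .cer carries only the public part.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

$findings = @()

# The file you upload to Intune must never contain a private key.
if ($cert.HasPrivateKey) { $findings += 'file unexpectedly contains a private key' }

# A CA certificate must carry BasicConstraints with CA=true.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    $findings += 'BasicConstraints does not mark this as a CA certificate'
}

# Key Usage on a CA certificate should include certificate signing.
$ku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
}
$keyCertSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
if (-not $ku -or (($ku.KeyUsages -band $keyCertSign) -eq 0)) {
    $findings += 'Key Usage lacks KeyCertSign'
}

# An expired root is useless on devices; flag it now rather than after deployment.
if ($cert.NotAfter -lt (Get-Date)) { $findings += 'certificate has already expired' }

# A root CA is self-issued; an intermediate is not. The article allows either,
# but you should know which one you are about to distribute.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SelfIssued = ($cert.Subject -eq $cert.Issuer)
    Thumbprint = $cert.Thumbprint   # record this and compare it in the Intune profile later
    NotAfter   = $cert.NotAfter
    Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
}
```

Run it in an elevated PowerShell session on the CA. The thumbprint it prints is worth keeping with the profile documentation, so that whoever later uploads the .cer file in the trusted certificate profile can confirm it is the same file that was exported here.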

Configure certificate templates on the certification authority

  1. Sign in to your Enterprise CA with an account that has administrative privileges.

  2. Open the Certification Authority console, right-click Certificate Templates, and select Manage.

  3. Locate the User certificate template, right-click it, and choose Duplicate Template. Properties of New Template opens.

  4. On the Compatibility tab:

    • Set Certification Authority to Windows Server 2008 R2.
    • Set Certificate recipient to Windows 7 / Server 2008 R2.
  5. On the General tab:

    • Set Template display name to something meaningful to you.

    Warning

    Template name by default is the same as Template display name with no spaces. Note the template name; you need it later.

  6. In Request Handling, select Allow private key to be exported.

  7. In Cryptography, confirm that the Minimum key size is set to 2048.

  8. In Subject Name, choose Supply in the request.

  9. In Extensions, confirm that you see Encrypting File System, Secure Email, and Client Authentication under Application Policies.

    Important

    For iOS certificate templates, go to the Extensions tab, update Key Usage, and confirm that Signature is proof of origin isn't selected.

  10. In Security, add the Computer Account for the server where you install the Microsoft Intune Certificate Connector.

    • Allow this account Read and Enroll permissions.
  11. Select Apply, then OK to save the certificate template.

  12. Close the Certificate Templates Console.

  13. From the Certification Authority console, right-click Certificate Templates, New, Certificate Template to Issue.

    • Choose the template that you created in the preceding steps, and select OK.
  14. For the server to manage certificates on behalf of Intune enrolled devices and users, follow these steps:

    a. Right-click the Certification Authority, choose Properties.

    b. On the Security tab, add the Computer account of the server where you run the Microsoft Intune Certificate Connector.

    • Grant Issue and Manage Certificates and Request Certificates Allow permissions to the computer account.
  15. Sign out of the Enterprise CA.
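The following PowerShell is an added example, not part of the original article: after saving and publishing the template, it reads the template object back from Active Directory and checks the settings from steps 6 through 13 (exportable private key, 2048-bit minimum, subject supplied in the request, the three application policies, the Enroll permission granted to the connector's computer account, and publication on the CA). It assumes the ActiveDirectory RSAT module is installed on the machine where it runs, and the template name, connector host name and CA configuration string are placeholders to replace with your own values. Because this template lets the requester supply the subject, the Enroll check also lists any other principal that holds Enroll, so you can confirm the permission is limited to the connector account as step 10 intends.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$TemplateName  = 'IntunePKCSUser'             # placeholder: Template name (no spaces) from step 5
$ConnectorHost = 'INTUNECONNECTOR01'          # placeholder: server that runs the Intune Certificate Connector
$CaConfig      = 'ca01.corp.example\Corp-CA'  # placeholder: HOST\CAName of the Enterprise CA

# Certificate templates are stored in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $tmplBase -Filter "cn -eq '$TemplateName'" `
    -Properties 'msPKI-Minimal-Key-Size', 'pKIExtendedKeyUsage',
                'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag'
if (-not $tmpl) { throw "Template '$TemplateName' not found under $tmplBase" }

$findings = @()

# Step 7: minimum key size 2048.
$keySize = $tmpl.'msPKI-Minimal-Key-Size'
if ($keySize -lt 2048) { $findings += "minimum key size is $keySize, expected 2048" }

# Step 9: the three application policies, identified by OID.
$requiredEku = @{
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}
foreach ($oid in $requiredEku.Keys) {
    if ($tmpl.pKIExtendedKeyUsage -notcontains $oid) {
        $findings += "missing application policy $($requiredEku[$oid]) ($oid)"
    }
}

# Step 6: CT_FLAG_EXPORTABLE_KEY (0x10) in msPKI-Private-Key-Flag.
if (($tmpl.'msPKI-Private-Key-Flag' -band 0x10) -eq 0) { $findings += 'private key is not marked exportable' }

# Step 8: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) in msPKI-Certificate-Name-Flag.
if (($tmpl.'msPKI-Certificate-Name-Flag' -band 0x1) -eq 0) { $findings += 'subject is not supplied in the request' }

# Step 10: who holds Enroll on the template. Certificate-Enrollment is a well-known
# extended right with a fixed GUID; the connector's computer account should hold it.
$enrollRight      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$connectorAccount = "$env:USERDOMAIN\" + $ConnectorHost + '$'
$acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
$enrollers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
    ForEach-Object { $_.IdentityReference.Value }
if ($enrollers -notcontains $connectorAccount) { $findings += "$connectorAccount lacks Enroll" }
$others = $enrollers | Where-Object { $_ -ne $connectorAccount }
if ($others) { $findings += "other principals also hold Enroll: $($others -join ', ')" }

# Step 13: the template must be published on the CA before it can be issued.
# certutil -CATemplates prints one line per published template, starting with its name.
$published = certutil -config $CaConfig -CATemplates 2>$null
if (-not ($published -match ('^' + [regex]::Escape($TemplateName) + ':'))) {
    $findings += 'template is not published on the CA'
}

[pscustomobject]@{
    Template  = $TemplateName
    Enrollers = ($enrollers -join ', ')
    Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
}
```

Run it as a user who can read the Configuration partition and query the CA. An empty Findings field means the template matches what the Intune PKCS profile later expects; a listed Enroll holder other than the connector's computer account is worth reviewing, because the subject of every certificate from this template is taken from the request rather than from the requester's own identity.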

Download, install, and configure the Microsoft Intune Certificate Connector


  1. In the Azure portal, select All services, and filter for Intune. Select Microsoft Intune, and then select Device Configuration.

  2. Select Certification Authority, select Add, and then select Download the Connector file. Save the download to a location where you can access it from the server where it will be installed.

  3. Sign in to this server, and run the installer:

    1. Accept the default location. It installs the connector to \Program Files\Microsoft Intune\NDESConnectorUI\NDESConnectorUI.exe.
    2. In Installer Options, select PFX Distribution, and select Next.
    3. Click Install, and wait for installation to complete.
    4. When it completes, check Launch Intune Connector, and then click Finish.
  4. The NDES Connector window should open to the Enrollment tab. To enable the connection to Intune, select Sign In, and enter an account with global administrative permissions.

  5. On the Advanced tab, leave Use this computer's SYSTEM account (default) selected.

  6. Click Apply, and then Close.

  7. Go back to the Azure portal (Intune > Device Configuration > Certification Authority). After a few minutes, a green check mark displays, and the Connection status is Active. Your connector server can now communicate with Intune.

Create a device configuration profile

  1. Sign in to the Azure portal.

  2. Go to Intune, Device configuration, Profiles, and select Create profile.


  3. Enter the following properties:

    • Name for the profile
    • Optionally set a description
    • Platform to deploy the profile to
    • Set Profile type to Trusted certificate
  4. Go to Settings, and enter the .cer file Root CA Certificate you previously exported.

    Note

    Depending on the platform you chose in Step 3, you may or may not have an option to choose the Destination store for the certificate.


  5. Select OK, and then Create to save your profile.

  6. To assign the new profile to one or more devices, see How to assign Microsoft Intune device profiles.

Create a PKCS Certificate profile

  1. Sign in to the Azure portal.

  2. Go to Intune, Device configuration, Profiles, and select Create profile.

  3. Enter the following properties:

    • Name for the profile
    • Optionally set a description
    • Platform to deploy the profile to
    • Set Profile type to PKCS Certificate
  4. Go to Settings, and enter the following properties:

    • Renewal threshold (%) - Recommended is 20%.
    • Certificate validity period - If you didn't change the certificate template, this option may be set to one year.
    • Certification authority - Displays the internal fully qualified domain name (FQDN) of your Enterprise CA.
    • Certification authority name - Lists the name of your Enterprise CA, and it may be different than the previous item.
    • Certificate template name - The name of the template created earlier. Remember that Template name by default is the same as Template display name with no spaces.
    • Subject name format - Set this option to Common name unless otherwise required.
    • Subject alternative name - Set this option to User principal name (UPN) unless otherwise required.
    • Extended key usage - As long as you used the default settings in Step 10 in the Configure certificate templates on the certification authority section (in this article), add the following Predefined values from the selection:
      • Any Purpose
      • Client Authentication
      • Secure Email
    • Root Certificate - (For Android profiles) Lists the .cer file exported in Step 3 in the Export the root certificate from the Enterprise CA section (in this article).
  5. Select OK, then Create to save your profile.

  6. To assign the new profile to one or more devices, see the article How to assign Microsoft Intune device profiles.
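The following PowerShell is an added example, not part of the original article: run on an enrolled Windows device, it locates the certificate that the PKCS profile above delivered to the user's personal store and compares it with the profile settings (a private key present on the device, 2048-bit RSA key, the Client Authentication and Secure Email extended key usages, a UPN in the subject alternative name, and a chain ending at the root certificate exported earlier). It also works out whether the certificate has reached the renewal threshold, using the 20% value the article recommends. The CA name, the root thumbprint and the threshold are placeholders or values taken from the article, to be replaced with your own.

```powershell
# Added example (not from the original article). Run on an enrolled Windows device
# as the user who received the certificate.
$CaName         = 'Corp-CA'                         # placeholder: Certification authority name from the profile
$RootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'  # placeholder: thumbprint of the exported root .cer
$RenewalPercent = 20                                 # the article's recommended renewal threshold

# Pick the newest certificate in the user's personal store issued by the Enterprise CA.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match ('CN=' + [regex]::Escape($CaName)) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate issued by '$CaName' found in Cert:\CurrentUser\My" }

$findings = @()

# PKCS delivery places the private key on the device; without it the cert cannot authenticate.
if (-not $cert.HasPrivateKey) { $findings += 'no private key on this device' }

# Template asked for a 2048-bit minimum key size.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa) { $findings += 'public key is not RSA' }
elseif ($rsa.KeySize -lt 2048) { $findings += "key size is $($rsa.KeySize), expected at least 2048" }

# Extended key usage values selected in the profile, by OID.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
foreach ($pair in @(@('1.3.6.1.5.5.7.3.2', 'Client Authentication'), @('1.3.6.1.5.5.7.3.4', 'Secure Email'))) {
    if ($ekus -notcontains $pair[0]) { $findings += "missing EKU $($pair[1]) ($($pair[0]))" }
}

# Subject alternative name should carry the user principal name (OID 2.5.29.17 is SAN).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or ($san.Format($false) -notmatch 'Principal Name=')) {
    $findings += 'subject alternative name does not contain a UPN'
}

# Build the chain offline and confirm it ends at the root that was distributed
# through the trusted certificate profile.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $chainOk) { $findings += 'chain did not build to a trusted root' }
if ($top.Thumbprint -ne $RootThumbprint) { $findings += "chain ends at $($top.Thumbprint), expected $RootThumbprint" }

# Renewal threshold: Intune renews when the remaining lifetime falls to the
# configured percentage of the total validity period.
$validity     = $cert.NotAfter - $cert.NotBefore
$remaining    = $cert.NotAfter - (Get-Date)
$remainingPct = [math]::Round(100 * $remaining.TotalSeconds / $validity.TotalSeconds, 1)

[pscustomobject]@{
    Subject        = $cert.Subject
    NotAfter       = $cert.NotAfter
    RemainingPct   = $remainingPct
    DueForRenewal  = ($remainingPct -le $RenewalPercent)
    Findings       = if ($findings) { $findings -join '; ' } else { 'none' }
}
```

A certificate that reports DueForRenewal as true but keeps the same NotAfter on later runs points at the connector or CA side (the connector's connection status in the portal, or the Request Certificates permission from step 14 of the template section) rather than at the device, since renewal is driven by Intune through the connector, not by the device itself.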