Import PFX certificate profiles

Applies to: Configuration Manager (current branch)

Learn how to create a certificate profile by importing credentials from external certificates. This article highlights specific information about personal information exchange (PFX) certificate profiles. For more information about how to create and configure these profiles, see Certificate profiles.

Configuration Manager supports different kinds of certificate stores for different devices and OS versions. For example, Windows 10 and Windows 10 Mobile. For more information, see Certificate profile prerequisites.

Use Configuration Manager to import certificate credentials and then provision PFX files to devices. You can use these files to generate user-specific certificates to support encrypted data exchange.

Tip

For a step-by-step walk-through of this process, see the blog post How to Create and Deploy PFX Certificate Profiles in Configuration Manager.

Create a profile

  1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource Access, and then select Certificate Profiles.

  2. On the Home tab of the ribbon, in the Create group, select Create Certificate Profile.

  3. On the General page of the Create Certificate Profile Wizard, specify the following information:

    • Name: Enter a unique name for the certificate profile. You can use a maximum of 256 characters.

    • Description: Provide a description that gives an overview of the certificate profile that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters.

  4. Select Personal Information Exchange - PKCS #12 (PFX) settings - Import. This option imports information from an existing certificate to create a certificate profile.

    Note

    The Create option requests a certificate on behalf of a user from a connected on-premises certificate authority (CA). This process then securely delivers the certificate to clients as PFX files. For more information, see Create PFX certificate profiles using a certificate authority.

  5. On the PFX Certificate page of the Create Certificate Profile Wizard, specify the device key storage provider (KSP):

    • Install to Trusted Platform Module (TPM) if present
    • Install to Trusted Platform Module (TPM) otherwise fail
    • Install to Windows Hello for Business otherwise fail
    • Install to Software Key Storage Provider

  6. On the Supported Platforms page, choose the supported device platforms.

  7. Complete the wizard.

Deploy the profile

After you create and provision a certificate profile, it's now available in the Certificate Profiles node. For more information on how to deploy it, see Deploy resource access profiles.

Assign primary users

Assign the target users as primary users on the Windows 10 devices where you need to install the PFX certificates. For more information, see user device affinity.

Provision a create PFX script

To import a PFX certificate, use the following Configuration Manager PowerShell cmdlets to provision a Create PFX script:

Example script

To provision a PFX file to a certificate profile for a user, open PowerShell on a computer with the Configuration Manager console. Change the variables with values from your environment.

# The display name of your PFX Import certificate profile
$PfxProfileDisplayName = "ImportPFX"

# The password you used to protect/encrypt the external PFX file that was created/exported from your certificate storage provider
# If you omit this password, PowerShell will securely prompt you for it. You can specify it as a parameter for process automation.
$password = ""

# The username of the user who will receive this PFX certificate on their device
$user = "Melissa"

# The full path to the PFX file you exported from the certificate store
$pfxfile = "c:\p1.pfx"

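# Convert the password to a SecureString; if $password was left empty, prompt for it instead
# (ConvertTo-SecureString rejects an empty -String value)
$securePassword = if ($password) { ConvertTo-SecureString -String $password -AsPlainText -Force } else { Read-Host -Prompt "PFX password" -AsSecureString }

# If the target user isn't in the same domain as the user running this script, specify a different domain
Import-CMClientCertificatePfx -UserName "$env:USERDOMAIN\$user" -Password $securePassword -CertificateProfilePfx (Get-CMCertificateProfilePfx -Fast -Name $PfxProfileDisplayName) -Path $pfxfile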
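
A check to run before provisioning, as an added example that is not part of the original article or of Configuration Manager: it opens the PFX file with its password and reports a missing private key or a certificate close to expiry. The function name Test-PfxBeforeImport and the 30-day threshold are assumptions.

```powershell
# Added example: Test-PfxBeforeImport is a hypothetical helper, not a Configuration Manager cmdlet.
function Test-PfxBeforeImport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password,
        [int] $MinDaysValid = 30   # assumed threshold; adjust to your policy
    )

    $problems = New-Object System.Collections.Generic.List[string]
    $cert = $null
    try {
        # Throws if the file is missing, is not a PFX, or the password is wrong
        $fullPath = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath, $Password)

        $now = Get-Date
        if (-not $cert.HasPrivateKey) { $problems.Add('PFX contains no private key') }
        if ($cert.NotBefore -gt $now) { $problems.Add("Not valid until $($cert.NotBefore)") }
        if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
            $problems.Add("Expires $($cert.NotAfter), inside the $MinDaysValid-day window")
        }

        [pscustomobject]@{
            Path          = $fullPath
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Problems      = $problems.ToArray()
            ReadyToImport = ($problems.Count -eq 0)
        }
    }
    catch {
        [pscustomobject]@{
            Path          = $Path
            Problems      = @("Cannot open PFX: $($_.Exception.Message)")
            ReadyToImport = $false
        }
    }
    finally {
        if ($cert) { $cert.Dispose() }   # release the loaded key material
    }
}

# Usage: prompt for the password instead of storing it in the script
$securePassword = Read-Host -Prompt "PFX password" -AsSecureString
$check = Test-PfxBeforeImport -Path "c:\p1.pfx" -Password $securePassword
if (-not $check.ReadyToImport) { throw ("PFX rejected: " + ($check.Problems -join '; ')) }
```

The same $securePassword value can then be passed to the -Password parameter of Import-CMClientCertificatePfx.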

See also

Create a new certificate profile

Create PFX certificate profiles using a certificate authority

Deploy Wi-Fi, VPN, email, and certificate profiles