TPM Key Attestation

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Author: Justin Turner, Senior Support Escalation Engineer with the Windows group

Note

This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the language may seem less polished than what is typically found on TechNet.

Overview

While support for TPM-protected keys has existed since Windows 8, there was no mechanism for a CA to cryptographically attest that the certificate requester's private key is actually protected by a Trusted Platform Module (TPM). This update enables a CA to perform that attestation and to reflect it in the issued certificate.

Note

This article assumes that the reader is familiar with the certificate template concept (for reference, see Certificate Templates). It also assumes that the reader is familiar with how to configure enterprise CAs to issue certificates based on certificate templates (for reference, see Checklist: Configure CAs to Issue and Manage Certificates).

Terminology

Term      Definition
EK        Endorsement Key. This is an asymmetric key contained inside the TPM (injected at manufacturing time). The EK is unique for every TPM and can identify it. The EK cannot be changed or removed.
EKPub     Refers to the public key of the EK.
EKPriv    Refers to the private key of the EK.
EKCert    EK Certificate. A TPM manufacturer-issued certificate for the EKPub. Not all TPMs have an EKCert.
TPM       Trusted Platform Module. A TPM is designed to provide hardware-based security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM.

Background

Beginning with Windows 8, a Trusted Platform Module (TPM) can be used to secure a certificate's private key. The Microsoft Platform Crypto Provider Key Storage Provider (KSP) enables this feature. There were two concerns with the implementation:

  • There was no guarantee that a key is actually protected by a TPM (someone with local administrator credentials can easily spoof a software KSP as a TPM KSP).

  • It was not possible to limit the list of TPMs that are allowed to protect enterprise-issued certificates (in the event that the PKI administrator wants to control the types of devices that can be used to obtain certificates in the environment).

TPM key attestation

TPM key attestation is the ability of the entity requesting a certificate to cryptographically prove to a CA that the RSA key in the certificate request is protected by either "a" or "the" TPM that the CA trusts. The TPM trust model is discussed further in the Deployment overview section later in this topic.

Why is TPM key attestation important?

A user certificate with a TPM-attested key provides higher security assurance, backed by the non-exportability, anti-hammering, and isolation of keys that the TPM provides.

With TPM key attestation, a new management paradigm is possible: an administrator can define the set of devices that users can use to access corporate resources (for example, a VPN or a wireless access point) and have strong guarantees that no other devices can be used to access them. This new access control paradigm is strong because it is tied to a hardware-bound user identity, which is stronger than a software-based credential.

How does TPM key attestation work?

In general, TPM key attestation is based on the following pillars:

  1. Every TPM ships with a unique asymmetric key, called the Endorsement Key (EK), burned in by the manufacturer. We refer to the public portion of this key as EKPub and the associated private key as EKPriv. Some TPM chips also have an EK certificate that is issued by the manufacturer for the EKPub. We refer to this certificate as EKCert.

  2. A CA establishes trust in the TPM either via the EKPub or the EKCert.

  3. A user proves to the CA that the RSA key for which the certificate is being requested is cryptographically related to the EKPub and that the user owns the EKPriv.

  4. The CA issues a certificate with a special issuance policy OID to denote that the key is now attested to be protected by a TPM.

Deployment overview

In this deployment, it is assumed that a Windows Server 2012 R2 enterprise CA is set up. Also, clients (Windows 8.1) are configured to enroll against that enterprise CA using certificate templates.

There are three steps to deploying TPM key attestation:

  1. Plan the TPM trust model: The first step is to decide which TPM trust model to use. There are three supported ways of doing this:

    • Trust based on user credential: The enterprise CA trusts the user-provided EKPub as part of the certificate request, and no validation is performed other than of the user's domain credentials.

    • Trust based on EKCert: The enterprise CA validates the EKCert chain that is provided as part of the certificate request against an administrator-managed list of acceptable EK certificate chains. The acceptable chains are defined per manufacturer and are expressed via two custom certificate stores on the issuing CA (one store for intermediate and one for root CA certificates). This trust mode means that all TPMs from a given manufacturer are trusted. Note that in this mode, the TPMs in use in the environment must contain EKCerts.

    • Trust based on EKPub: The enterprise CA validates that the EKPub provided as part of the certificate request appears in an administrator-managed list of allowed EKPubs. This list is expressed as a directory of files, where the name of each file in the directory is the SHA-2 hash of an allowed EKPub. This option offers the highest assurance level but requires more administrative effort, because each device is individually identified. In this trust model, only the devices whose TPM's EKPub has been added to the allowed list of EKPubs are permitted to enroll for a TPM-attested certificate.

    Depending on which method is used, the CA will apply a different issuance policy OID to the issued certificate. For more details about issuance policy OIDs, see the Issuance Policy OIDs table in the Configure a certificate template section in this topic.

    Note that it is possible to choose a combination of TPM trust models. In this case, the CA will accept any of the attestation methods, and the issuance policy OIDs will reflect all attestation methods that succeed.

  2. Configure the certificate template: Configuring the certificate template is described in the Deployment details section in this topic. This article does not cover how this certificate template is assigned to the enterprise CA or how enrollment access is granted to a group of users. For more information, see Checklist: Configure CAs to Issue and Manage Certificates.

  3. Configure the CA for the TPM trust model:

    1. Trust based on user credential: No specific configuration is required.

    2. Trust based on EKCert: The administrator must obtain the EKCert chain certificates from the TPM manufacturers and import them into two new certificate stores, created by the administrator, on the CA that performs TPM key attestation. For more information, see the CA configuration section in this topic.

    3. Trust based on EKPub: The administrator must obtain the EKPub of each device that will need TPM-attested certificates and add them to the list of allowed EKPubs. For more information, see the CA configuration section in this topic.

    Note

    • This feature requires Windows 8.1/Windows Server 2012 R2.
    • TPM key attestation for third-party smart card KSPs is not supported. The Microsoft Platform Crypto Provider KSP must be used.
    • TPM key attestation only works for RSA keys.
    • TPM key attestation is not supported for a standalone CA.
    • TPM key attestation does not support non-persistent certificate processing.

Deployment details

Configure a certificate template

To configure the certificate template for TPM key attestation, do the following configuration steps:

  1. Compatibility tab

    In the Compatibility Settings section:

    • Ensure Windows Server 2012 R2 is selected for the Certification Authority.

    • Ensure Windows 8.1 / Windows Server 2012 R2 is selected for the Certificate recipient.

  2. Cryptography tab

    Ensure Key Storage Provider is selected for the Provider Category and RSA is selected for the Algorithm name. Ensure Requests must use one of the following providers is selected and the Microsoft Platform Crypto Provider option is selected under Providers.

  3. Key Attestation tab

    This is a new tab for Windows Server 2012 R2. Choose an attestation mode from the three possible options:

    • None: Implies that key attestation must not be used.

    • Required, if client is capable: Allows users on a device that does not support TPM key attestation to continue enrolling for that certificate. Users who can perform attestation will be distinguished with a special issuance policy OID. Some devices might not be able to perform attestation because of an old TPM that does not support key attestation, or because the device has no TPM at all.

    • Required: The client must perform TPM key attestation, otherwise the certificate request will fail.

    Then choose the TPM trust model. There are again three options:

    • User credentials: Allow an authenticating user to vouch for a valid TPM by specifying their domain credentials.

    • Endorsement certificate: The EKCert of the device must validate through administrator-managed TPM intermediate CA certificates to an administrator-managed root CA certificate. If you choose this option, you must set up the EKCA and EKROOT certificate stores on the issuing CA as described in the CA configuration section in this topic.

    • Endorsement Key: The EKPub of the device must appear in the PKI administrator-managed list. This option offers the highest assurance level but requires more administrative effort. If you choose this option, you must set up an EKPub list on the issuing CA as described in the CA configuration section in this topic.

    Finally, decide which issuance policy to show in the issued certificate. By default, each enforcement type has an associated object identifier (OID) that will be inserted into the certificate if it passes that enforcement type, as described in the following table. Note that it is possible to choose a combination of enforcement methods. In this case, the CA will accept any of the attestation methods, and the issuance policy OIDs will reflect all attestation methods that succeeded.

    Issuance Policy OIDs

    OID                      Key attestation type     Description                                                            Assurance level
    1.3.6.1.4.1.311.21.30    EK                       "EK Verified": For administrator-managed list of EKs                   High
    1.3.6.1.4.1.311.21.31    Endorsement certificate  "EK Certificate Verified": When the EK certificate chain is validated  Medium
    1.3.6.1.4.1.311.21.32    User credentials         "EK Trusted on Use": For user-attested EK                              Low

    The OIDs will be inserted into the issued certificate if Include Issuance Policies is selected (the default configuration).

    Tip

    One potential use of having the OID present in the certificate is to limit access to VPN or wireless networking to certain devices. For example, your access policy might allow connection (or access to a different VLAN) if OID 1.3.6.1.4.1.311.21.30 is present in the certificate. This allows you to limit access to devices whose TPM EK is present in the EKPUB list.
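The following PowerShell is an added example, not part of the original article: it reads a certificate's Certificate Policies extension, reports which of the three attestation OIDs from the table are present, and reduces them to the strongest assurance level, so an access check like the one in the tip can be scripted and audited. The function name Get-TpmAttestationLevel is hypothetical; the OIDs are the ones listed above, and the store queried in the usage lines is an assumption.

```powershell
# Added example: map the issuance policy OIDs from the table to their assurance level.
$AttestationPolicyOids = @{
    '1.3.6.1.4.1.311.21.30' = 'High'    # "EK Verified": EKPub is on the administrator-managed list
    '1.3.6.1.4.1.311.21.31' = 'Medium'  # "EK Certificate Verified": EKCert chain validated
    '1.3.6.1.4.1.311.21.32' = 'Low'     # "EK Trusted on Use": user-attested EK
}
$LevelRank = @{ None = 0; Low = 1; Medium = 2; High = 3 }

function Get-TpmAttestationLevel {
    # Hypothetical helper (not a built-in cmdlet): returns the attestation OIDs found in a
    # certificate and the strongest assurance level they imply.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Issuance policies live in the Certificate Policies extension (OID 2.5.29.32).
        $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        $found = @()
        if ($ext) {
            # Format($true) renders the extension as multi-line text; pick out the attestation
            # policy identifiers exactly (the lookarounds reject longer OIDs sharing the prefix).
            $text  = $ext.Format($true)
            $found = @([regex]::Matches($text, '(?<![\d.])1\.3\.6\.1\.4\.1\.311\.21\.3[0-2](?![\d.])') |
                       ForEach-Object { $_.Value } | Sort-Object -Unique)
        }
        # When trust models were combined, the certificate carries every OID that succeeded;
        # report the strongest one so policy can key off a single value.
        $level = 'None'
        foreach ($oid in $found) {
            $candidate = $AttestationPolicyOids[$oid]
            if ($LevelRank[$candidate] -gt $LevelRank[$level]) { $level = $candidate }
        }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Oids       = $found
            Level      = $level
        }
    }
}

# Usage (store location assumed): list the current user's certificates and keep only those
# the policy in the tip would accept, i.e. OID 1.3.6.1.4.1.311.21.30 present (Level 'High').
Get-ChildItem Cert:\CurrentUser\My |
    Get-TpmAttestationLevel |
    Where-Object { $_.Level -eq 'High' } |
    Format-Table Subject, Level, Oids -AutoSize
```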

CA configuration

  1. Set up the EKCA and EKROOT certificate stores on an issuing CA

    If you chose Endorsement Certificate in the template settings, do the following configuration steps:

    1. Use Windows PowerShell to create two new certificate stores on the certification authority (CA) server that will perform TPM key attestation.

    2. Obtain the intermediate and root CA certificate(s) from the manufacturer(s) that you want to allow in your enterprise environment. Those certificates must be imported into the previously created certificate stores (EKCA and EKROOT) as appropriate.

    The following Windows PowerShell script performs both of these steps. In the example, the TPM manufacturer Fabrikam has provided a root certificate FabrikamRoot.cer and an issuing CA certificate FabrikamCa.cer, both located in the current directory. New-Item on the Cert: drive creates the stores; Import-Certificate (PKI module) loads each .cer file into the matching store.

    PS C:\> New-Item Cert:\LocalMachine\EKROOT
    PS C:\> New-Item Cert:\LocalMachine\EKCA
    PS C:\> Import-Certificate -FilePath .\FabrikamCa.cer -CertStoreLocation Cert:\LocalMachine\EKCA
    PS C:\> Import-Certificate -FilePath .\FabrikamRoot.cer -CertStoreLocation Cert:\LocalMachine\EKROOT
    
  2. Set up the EKPUB list if using the EK attestation type

    If you chose Endorsement Key in the template settings, the next configuration steps are to create and configure a folder on the issuing CA containing 0-byte files, each named for the SHA-2 hash of an allowed EK. This folder serves as an "allow list" of devices that are permitted to obtain TPM key-attested certificates. Because you must manually add the EKPUB for each and every device that requires an attested certificate, it gives the enterprise a guarantee of which devices are authorized to obtain TPM key-attested certificates. Configuring a CA for this mode requires two steps:

    1. Create the EndorsementKeyListDirectories registry entry: Use the Certutil command-line tool to configure the folder locations where trusted EKPubs are defined, as described in the following table.

      Operation                Command syntax
      Add folder locations     certutil.exe -setreg CA\EndorsementKeyListDirectories +"<folder path>"
      Remove folder locations  certutil.exe -setreg CA\EndorsementKeyListDirectories -"<folder path>"

      The EndorsementKeyListDirectories in the certutil command is a registry setting, as described in the following table.

      Value name                       Type           Data
      EndorsementKeyListDirectories    REG_MULTI_SZ   <LOCAL or UNC path to EKPUB allow list(s)>

      Example:

      \\blueCA.contoso.com\ekpub

      \\bluecluster1.contoso.com\ekpub

      D:\ekpub

      HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\

      EndorsementKeyListDirectories will contain a list of UNC or local file system paths, each pointing to a folder that the CA has Read access to. Each folder may contain zero or more allow list entries, where each entry is a file whose name is the SHA-2 hash of a trusted EKPub, with no file extension. Creating or editing this registry key configuration requires a restart of the CA, just like existing CA registry configuration settings. However, edits to the configuration setting will take effect immediately and will not require the CA to be restarted.

      Important

      Secure the folders in the list from tampering and unauthorized access by configuring permissions so that only authorized administrators have Read and Write access. The computer account of the CA requires Read access only.

    2. Populate the EKPUB list: Use the following Windows PowerShell cmdlets on each device to obtain the public key hash of the TPM EK, then send this public key hash to the CA and store it in the EKPubList folder.

      PS C:\> $a = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
      PS C:\> $b = New-Item $a.PublicKeyHash -ItemType File
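
The script below is an added example (not from the article) that automates the allow-list steps above together with the Important note: it validates each hash before creating its zero-byte entry, replaces the folder's ACL so that only administrators can write and the CA computer account can only read, and then checks the result with the built-in Confirm-CAEndorsementKeyInfo cmdlet. The function names, the folder D:\ekpub, the administrator group and the account CONTOSO\blueCA$ are assumptions, and the hash at the bottom is constructed.

```powershell
function Add-EkPubAllowListEntry {
    # Hypothetical helper: create the zero-byte file (named for the EKPub hash, no extension)
    # that the CA looks for in a folder listed in EndorsementKeyListDirectories.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$PublicKeyHash,    # value of (Get-TpmEndorsementKeyInfo -HashAlgorithm sha256).PublicKeyHash
        [Parameter(Mandatory)]
        [string]$AllowListPath     # local or UNC folder registered with certutil -setreg
    )
    process {
        # The CA expects a 64-character SHA-256 hash; refuse anything else (typos, SHA-1
        # hashes, or a value that still carries a file extension would silently never match).
        if ($PublicKeyHash -notmatch '^[0-9A-Fa-f]{64}$') {
            throw "Not a SHA-256 EKPub hash (expected 64 hex characters): '$PublicKeyHash'"
        }
        $entry = Join-Path -Path $AllowListPath -ChildPath $PublicKeyHash
        if (Test-Path -LiteralPath $entry) {
            Write-Verbose "EKPub already on the allow list: $PublicKeyHash"
        } else {
            New-Item -Path $entry -ItemType File | Out-Null
        }
        Get-Item -LiteralPath $entry
    }
}

function Protect-EkPubAllowList {
    # Hypothetical helper: replace the folder's inherited ACL with exactly the permissions the
    # Important note calls for: administrators read and write, the CA computer account reads.
    param(
        [Parameter(Mandatory)][string]$AllowListPath,
        [Parameter(Mandatory)][string]$CaComputerAccount,          # e.g. 'CONTOSO\blueCA$' (assumed)
        [string]$AdministratorsGroup = 'BUILTIN\Administrators'    # or a dedicated PKI admin group
    )
    $acl = Get-Acl -LiteralPath $AllowListPath
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting from the parent folder
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)               # drop any pre-existing explicit rules
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        @($AdministratorsGroup,  'Modify',         $inherit, $none, $allow),   # add/remove entries
        @('NT AUTHORITY\SYSTEM', 'FullControl',    $inherit, $none, $allow),   # local CA service
        @($CaComputerAccount,    'ReadAndExecute', $inherit, $none, $allow)    # CA reads over UNC
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r))
    }
    Set-Acl -LiteralPath $AllowListPath -AclObject $acl
}

# Usage on the CA, as an administrator. The hash below is constructed for illustration; a real
# one comes from Get-TpmEndorsementKeyInfo on the device, as shown in the step above.
$allowList = 'D:\ekpub'
$hash = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
$hash | Add-EkPubAllowListEntry -AllowListPath $allowList
Protect-EkPubAllowList -AllowListPath $allowList -CaComputerAccount 'CONTOSO\blueCA$'
# Built-in cmdlet: reports whether the CA now trusts this EKPub via the configured folders.
Confirm-CAEndorsementKeyInfo -PublicKeyHash $hash
```

Run Protect-EkPubAllowList once per folder; Add-EkPubAllowListEntry accepts a list of hashes on the pipeline, so a whole batch of devices can be admitted in one call.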
      

Troubleshooting

Key attestation fields are unavailable on a certificate template

The Key Attestation fields are not available if the template settings do not meet the requirements for attestation. Common reasons are:

  1. The compatibility settings are not configured correctly. Make sure that they are configured as follows:

    1. Certification Authority: Windows Server 2012 R2

    2. Certificate Recipient: Windows 8.1/Windows Server 2012 R2

  2. The cryptography settings are not configured correctly. Make sure that they are configured as follows:

    1. Provider Category: Key Storage Provider

    2. Algorithm Name: RSA

    3. Providers: Microsoft Platform Crypto Provider

  3. The request handling settings are not configured correctly. Make sure that they are configured as follows:

    1. The Allow private key to be exported option must not be selected.

    2. The Archive subject's encryption private key option must not be selected.

Verification of TPM device for attestation

Use the Windows PowerShell cmdlet Confirm-CAEndorsementKeyInfo to verify that a specific TPM device is trusted for attestation by CAs. There are two options: one for verifying the EKCert, and the other for verifying an EKPub. The cmdlet is either run locally on a CA, or on remote CAs by using Windows PowerShell remoting.

  1. For verifying trust on an EKPub, do the following two steps:

    1. Extract the EKPub from the client computer: The EKPub can be extracted from a client computer via Get-TpmEndorsementKeyInfo. From an elevated command prompt, run the following:

      PS C:\> $a = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256

    2. Verify trust on the EKPub on a CA computer: Copy the extracted string (the SHA-2 hash of the EKPub) to the server (for example, via email) and pass it to the Confirm-CAEndorsementKeyInfo cmdlet. Note that this parameter must be 64 characters.

      Confirm-CAEndorsementKeyInfo [-PublicKeyHash] <string>

  2. For verifying trust on an EKCert, do the following two steps:

    1. Extract the EKCert from the client computer: The EKCert can be extracted from a client computer via Get-TpmEndorsementKeyInfo. From an elevated command prompt, run the following:

      PS C:\> $a = Get-TpmEndorsementKeyInfo
      PS C:\> $a.ManufacturerCertificates | Export-Certificate -FilePath C:\myEkcert.cer

    2. Verify trust on the EKCert on a CA computer: Copy the extracted EKCert (myEkcert.cer) to the CA (for example, via email or xcopy). As an example, if you copy the certificate file to the "c:\diagnose" folder on the CA server, run the following to finish verification:

      PS C:\> New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\diagnose\myEkcert.cer" | Confirm-CAEndorsementKeyInfo
      

See Also

Trusted Platform Module Technology Overview
External Resource: Trusted Platform Module