
 

The following information contains the detailed steps used to order a Remote Configuration Client Certificate from GoDaddy. There are many methods that can be used, but the certificate obtained with this one was tested and validated to work with both SMS and SCCM SP1 for Remote Configuration provisioning of vPro clients.

 

 

SUMMARY: You will be required to prove that you, or your company, own the rights to the domain for which you are applying for this certificate. In the following example, I first registered my lab domain before ordering my Remote Configuration Certificate. I also needed a company representative to submit a letter of approval (on company letterhead) to GoDaddy giving me authority to request this certificate. I also tested that the certificate I received from GoDaddy worked for remotely configuring AMT clients in an SMS and SCCM SP1 environment.

 

Key items that are detailed in the steps below that were required to get my certificate:

○ Certificate type must be a Deluxe Assurance SSL certificate

○ Certificate request is for an Organization

○ OU = Intel(R) Client Setup Certificate

○ CN = ServerName.domain.com (this must be the FQDN of the Provisioning Server for Remote Configuration generating the CSR)

○ Organization = The legal name of your organization that can approve your certificate request

○ Required Documentation to be submitted (Driver's License, Bank Statement, and Approval Letter on Company Letterhead)

 

 

STEPS TO PURCHASE THE REMOTE CONFIGURATION CERTIFICATE

1. Go to GoDaddy Web site: www.godaddy.com

2. Select the SSL Certificate link: https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979

 

 

 

 

3. From the SSL Certificate page, choose the Deluxe SSL certificate and click ADD

a. Select Single (your choice of 1, 2, or 3 years) for a single-domain environment

b. Unlimited Subdomains - wildcards are supported for AMT versions 2.6 / 3.2 and higher

4. In the next screen, you will be prompted to customize your order. No additional items are necessary on this screen; select Continue.

5. At the Checkout Now screen, you should see the Deluxe Assurance SSL certificate (other options may vary if you selected additional items to purchase)

 

 

6. In the Billing information Window, make sure to include your valid company name. You will be required to have someone from your company submit an approval letter for this certificate request on company letterhead (more detailed steps to follow).

7. After you fill out your billing information, you will need to log in to your account to configure the certificate you have just purchased.

8. After logging in to your account, select Manage SSL Certificates.

9. You will see that you have an available credit under Secure Certificates. Click the Set up Certificate link, then click Activate Account.

a. You may need to log in to your account or create a new Certificate account - this is different from your GoDaddy account

 

 

10. Select the Deluxe High-Assurance SSL Certificate and Click Request Certificate

 

 

 

 

11. Select the Corporate option in Step 1.

a. Fill out Personal Information in Step 2, including your company name.

b. Generate your CSR and paste the text in the box provided in Step 3 (make sure to indicate the type of server used to produce the CSR).

c. They provide a link in Step 3 on how to generate a CSR (follow these steps).

 

 

The CSR MUST include the following fields to be a valid vPro Remote Configuration Certificate and approved by GoDaddy:

 

  • OU = Intel(R) Client Setup Certificate

  • CN = ServerName.domain.com (this must be the FQDN of the Provisioning Server for Remote Configuration generating the CSR)

  • Organization = The legal name of your organization that can approve your certificate request

 

12. After you paste your CSR information and click Submit, your request will be routed to GoDaddy and they will follow up via email for next steps.

13. You will be asked to send them two forms of identification (Driver's License and Bank Statement)

14. Additionally, you will be asked to have someone within your company provide an approval letter on company letterhead stating that you have the authority to request the SSL certificate for this server and domain.

15. After GoDaddy has validated the required documentation, they will send you an email stating that your SSL certificate is available.

16. You can now download your SSL certificate and apply it to your IIS Web Server on your requesting Provisioning Server.
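
The subject fields required in step 11 can be checked before the CSR is submitted, and again on the certificate GoDaddy returns. The script below is an added example, not part of the original post: it uses OpenSSL rather than the IIS wizard, and `Example Corp`, `prov01.example.com` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Example Corp and prov01.example.com are constructed values.
REQUIRED_OU='Intel(R) Client Setup Certificate'

# make_csr KEY CSR SUBJECT: new 2048-bit RSA key plus a PKCS#10 request.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

# subject_field FILE KIND LONGNAME: print the value(s) of one subject attribute.
# KIND is "req" for a CSR or "x509" for the certificate the CA sends back.
subject_field() {
    openssl "$2" -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n "s/^ *$3 *= //p"
}

# check_amt_subject FILE KIND FQDN: return 0 only if OU, CN and O are all usable.
check_amt_subject() {
    rc=0
    subject_field "$1" "$2" organizationalUnitName | grep -Fxq "$REQUIRED_OU" ||
        { echo "FAIL: OU '$REQUIRED_OU' not present" >&2; rc=1; }
    [ "$(subject_field "$1" "$2" commonName)" = "$3" ] ||
        { echo "FAIL: CN is not $3" >&2; rc=1; }
    [ -n "$(subject_field "$1" "$2" organizationName)" ] ||
        { echo "FAIL: Organization (O) is empty" >&2; rc=1; }
    return "$rc"
}

# Demo: one request with the required OU, one without it.
tmp=$(mktemp -d)
make_csr "$tmp/good.key" "$tmp/good.csr" \
    "/O=Example Corp/OU=$REQUIRED_OU/CN=prov01.example.com"
make_csr "$tmp/bad.key" "$tmp/bad.csr" "/O=Example Corp/CN=prov01.example.com"

for f in good bad; do
    if check_amt_subject "$tmp/$f.csr" req prov01.example.com; then
        echo "$f.csr: subject OK, ready to submit"
    else
        echo "$f.csr: fix the subject before submitting"
    fi
done
```

Running `check_amt_subject` with `x509` instead of `req` applies the same test to the issued certificate, which shows whether the CA kept the OU.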



Mar 8, 2008 11:18 AM Guest Insurance Certificate  says:

I like godaddy very much, we have 1 hosting account and almost 50 domains there. I would like to buy a Certificate from them also. These tips really help us.

Thanks

Mar 8, 2008 8:06 AM William York William York    says:

I have found an interesting tidbit while setting up SCCM SP1 and remote configuration certificates using GoDaddy.

 

If you follow the help file in SCCM SP1 on how to setup Remote Configuration Provisioning in SCCM SP1, you will see the steps they document to generate the provisioning certificate server request (CSR) to send to your CA vendor (i.e. GoDaddy, VeriSign, Starfield, etc).

 

However, Microsoft's steps tell you to use the specific OID (Object Identifier) in this request. It does not have the steps to use the Intel(R) Client Setup Certificate for the OU, as I documented in this original posting. When I followed these steps and submitted my CSR to GoDaddy, which included this OID as outlined and not the OU field, GoDaddy issued my certificate and I found the OID was not in the issued certificate.

 

Therefore, this certificate will not work for provisioning.

 

I contacted GoDaddy and they told me they do not support modifying these attributes (OID). So, if you are following SCCM SP1 directions and plan to submit to GoDaddy, make sure you use the OU = Intel(R) Client Setup Certificate and not the OID they mention.

 

Let me know if you need help with this process. It varies depending on what ISV you are setting up and what Certificate Authority you are submitting to for this certificate.

Oct 8, 2008 11:10 AM Guest Brian Hicks  says in response to William York:

FYI on our certificate purchase through Go Daddy. Although we have an account with Verisign we chose to move forward with Go Daddy due to the drastic difference in cost. Unfortunately we found out why it was so much cheaper, difficult support.

We began the SSL certificate purchase process on 9/29. Go Daddy required that we submit documentation showing proof of right through one of these forms:

 

1) Articles of Incorporation

2) Business License

3) Tax Certificate

4) "Doing Business As"

 

We are a non-profit organization so we do not have numbers 1,2, or 4. However, we do have a tax exempt document that we keep on-hand to submit for these type of requests. This form was submitted to Go Daddy on 9/29 with the required payment and CSR. We continued to watch the process through their website as it was approved at each level. After it had remained at the reviewing documentation step for multiple days, we called Go Daddy on 10/6 directly and waited for approximately 45 minutes before we spoke with anyone. They informed us that the document provided was not sufficient as it did not have the State Seal along with the proper company information (this was never reflected on the website and we never received contact from them regarding this, we would have never known if we had not called). We returned to our Financials Department to look for additional documentation but the tax exempt document was the only one that fit their criteria.

We went back to Go Daddy support (after waiting on hold for 30 minutes) and reiterated the fact that we were a non-profit organization that does not pay taxes. We also covered the fact that the document we supplied had the State Seal with our organization's information and license number. Go Daddy support went back to their auditors to request this once again, and it was denied a second time.

At this point we've stopped this process with Go Daddy and are working with our management team on budget allocation to purchase the much more expensive certificate through Verisign. Although the price was great with Go Daddy, their support was extremely difficult. We highly recommend that if you run across other non-profit organizations, do not waste their time with Go Daddy.

Hope this helps in the future, thanks!

Nov 18, 2008 7:18 PM Alireza Mikailli Alireza Mikailli    says:

When you order certificate from Godaddy using the instruction described in Bill York's blog, you will receive a certificate bundle similar to the one listed below:

 

http://www.valicet.com/

Go Daddy Class 2 Certification Authority

Go Daddy Secure Certification Authority

"yourserver_FQDN" (e.g. "server.domain1.com")

 

If you load (import) the above certificates to your server according to Godaddy's instruction, it won't work with vPro provisioning as the SSL provisioning certificate (e.g. server.domain1.com) is chained to an incorrect root CA (http://www.valicet.com/) for vPro provisioning.

 

In order to correct the problem, you need to install the GoDaddy Root and Intermediate CA and then re-export the certificate (e.g. server.domain1.com). It should chain up correctly. Make sure you remove the valicert Intermediate and root prior to doing it.

 

• Go Daddy Class 2 Certification Authority Root Certificate: Download from https://certs.godaddy.com/repository/gd-class2-root.crt

gd-class2-root.crt:

Certificate Thumbprint Algorithm: sha1

Certificate Thumbprint: 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4

• Go Daddy Secure Server Certificate (Intermediate Certificate). Download from: https://certs.godaddy.com/repository/gd_intermediate.crt

gd_intermediate.crt

Certificate Thumbprint Algorithm: sha1

Certificate Thumbprint: 7C 46 56 C3 06 1F 7F 4C 0D 67 B3 19 A8 55 F6 0E BC 11 FC 44

 

Thanks to Matt Royer for sharing this information.

Nov 20, 2008 2:37 AM kobile kobile    says in response to William York:

Hi William,

 

I'm having some problems:

 

1. Do I need to follow Microsoft instruction to create the certificate from GoDaddy?

http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1

 

2. I can't understand where to put the "Intel(R) Client Setup Certificate for the OU" in the CSR.

To create the CSR I'm using IIS Console to request a certificate and then submit it to GoDaddy.

After I'm getting the certificate from them, I can't import it to SCCM OOB.

 

can you clear it out for me please,

 

thanks,

 

kobile

Dec 7, 2008 8:35 AM kobile kobile    says in response to kobile:

Hi,

 

I still can't get it to work!!!

 

1. I don't have Enterprise Windows 2003 server for Ent. Certificate Authority .

2. After getting the certificate from go daddy, in OOB Properties i need to specify a Certificate template...

Do I need to install an internal ca for this purpose ?

 

It seems that Microsoft docs and Intel instructions are not clear enough.

Sep 15, 2009 7:25 PM Guest nOOB  says:

I also encountered many bumps in the road when configuring the Enterprise CA and obtaining the cert from GoDaddy AND getting it in the right format.

 

I offer the following:

 

  1. Read ALL of the directions from the TechNet site.
  2. If you are to modify the certificate templates, you MUST have Windows 2003 Enterprise - not Standard
  3. When configuring the Enterprise CA to issue the modified certificate, if the certificate template that you created (e.g. ConfigMgr AMT Provisioning) is not being displayed in the 'Certificate Template' Drop-down list (http://enterpriseCA/certsrv), ensure that the Active Directory 'ConfigMgr Out of Band Service Points' group (or the actual OOB Service Point server) is listed in the LOCAL COMPUTER's (Local Users and Groups\Groups) group named 'CERTSVC_DCOM_ACCESS'.  Otherwise, the server won't have the permissions to see the item in the list.
  4. For creating the Cert Request, ensure that:
    The Key Size is set to 2048 or higher;
    The 'Mark keys as exportable' is checked;
    The 'Export keys to file' is checked;
    Select the 'PKCS10' as your Request Format (with SHA-1);
    Check the 'Save Request to a File' - you will open it in Notepad and copy the contents to paste in the GoDaddy Cert Request
  5. GoDaddy Request:
    Ensure you choose the 'Deluxe High Assurance SSL' certificate;
    There is now a checkbox for the 'Intel Client Setup Certificate' when you submit your request - this will add the proper text to the OU (in lieu of or addition to the OID that was setup in the Cert Template);
    Have all your information ready - they check with your Secretary of State for business verification as well as ensuring your EXACT business name is listed in various public phone books for phone number validation (ours was not EXACT in many registries - they finally found an accepted registry that matched)
    BE PERSISTENT with them to get your SSL Cert - they don't tell you exactly what the hold up is and what you are waiting for - CALL THEM if you really need to process your Cert and keep it moving along.
  6. Once you have your Cert, load it into the Server's local computer certificate store.  INSTALL the intermediary certificate as well.
  7. Certs are delivered in the '.crt' format.
  8. At one point in SCCM, you will need to import the certificate from a '.pfx' format.  GoDaddy will not provide it.
    To convert the certificate, you will need:
        a.  The .crt file issued from GoDaddy
        b.  The .pfk ('Private Key') file that was created when you made your certificate request
        c.  Download from Microsoft the PVKIMPRT.EXE utility. 

        EASY to run [e.g.  pvkimprt.exe -PFX certfromgodaddy.crt yourprivatekeyfile.pvk <ENTER>] - you will then be prompted with a PrivateKey password window - this is the password of your 'yourprivatekeyfile.pvk' when it was created - enter the password and click OK - this will start the Certificate Export Wizard. 

    You can Export the private key again and then ensure the 'Personal Information Exchange - PKCS #12(.PFX)' is selected (probably the only option) and then select 'Include all certificates in the certification path if possible' AND 'Enable strong protection...' - add your new private key password (or re-use the original), select the location, click finish and then you are done. 

    You may now upload your .pfx certificate (Whew!)

 

I hope this helps others that may encounter the same issues that I did.