There are a few documents and resources posted regarding remote certificates. For an overview, the following may be of interest - http://communities.intel.com/docs/DOC-1490

The process noted in Sunny's document above uses Microsoft IIS to generate the CSR and so forth. OpenSSL methods are also supported, thus allowing the certificate request to be handled outside a Microsoft IIS server. However, since Intel SCS requires Microsoft IIS, many have chosen to keep the setup as simple as possible. Similarly - the request can be made on a system that is not the final destination of the certificate - the key is that the certificate request must be authorized by the certificate authority (i.e. VeriSign), meaning that in addition to the CSR, you'll likely need to provide business ownership or domain ownership documentation for an audit trail and so forth.

The define OU must be used - this is for remote configuration authentication purposes. Key items must match up between the provisionserver and the Intel AMT client

• Root certificate hash match
• OU match is preferred; in some solutions (SMS not included), the certificate OID must be correct
• DNS suffix match (client's DHCP option 15 to certificate's DNS suffix in canonical name)

If you obtain a remote configuration certificate can it be used on more than one server? Yes. Thus it is important that you secure the certificate issued to you. As a comparison - anyone can use the keys to your home or car, the important part is controlling who has access to those keys.