I’d Like to Tell YOU where to Stick that Certificate

Gareth Bevan — Fri, 05 Oct 2007 22:39:00 GMT

Well, it probably won’t work if you stick it there, but the
truth is that there are a lot of certificates used in AMT, and knowing where to
put those certificates and their private keys can save a lot of hair pulling
down the line.

AMT Certificates

Let’s start with the AMT system itself.

TLS Certificate

If the SCS profile calls for TLS to be enabled then a
private key and certificate are generated at the SCS and then installed on the
Amt device as part of the provisioning process. This certificate and key are
then used in future communications between the SCS and the AMT device and the
Management Console and the AMT device. I’m going to use the SMS Add-on as an
example of the management console because it uses gSOAP libraries which have
addition certificate storage requirements.

802.1x Certificate

If the SCS profile calls for and 802.1x certificate then a
private key and certificate are generated at the SCS and installed on the AMT
device as part of the provisioning process. This certificate and key are used
to allow the AMT device to connect to an 802.1x protected network without the
host operating system being available.

Mutual Authentication Root Certificate (MTLS Root)

The MTLS root certificate is used by the AMT device to
validate the mutual authentication certificate provided by the SCS or
management console after provisioning has completed. (Assuming of course that
the SCS profile used for provisioning configures MTLS). This certificate is
installed during the provisioning process. Note only the certificate is
installed – there is no private key installed for this certificate.

h1. Remote Configuration

The remaining two certificates on the AMT device are used
for Remote Configuration. This feature is available in AMT 2.2, 2.6 and 3.0.
(Note that does not include 2.5).

Remote Configuration Root Certificate (RCFG Root)

Actually this is not a whole certificate. It’s just the
certificate thumbnail, referred to as a hash. The certificate hashes can come
from a couple of places:

·{font:'Times New Roman'}
The AMT systems come with default certificate
hashes from VeriSign, GoDaddy and Comodo.

·{font:'Times New Roman'}
Your OEM can place a certificate hash of your
choosing on to the AMT devices you buy as part of their manufacturing process.
E.g. if you have your own PKI and wish to use your own root certificate.

{font:Symbol}·{font:'Times New Roman'}

You can
manually enter the certificate hash into the MEBx screen.

The advantages and disadvantages of each of these methods
are best left for another discussion.

This certificate is used to validate the remote
configuration certificate provided to the AMT device by the SCS service that is
trying to provision the AMT device. The details of this validation are somewhat
complicated and also best left to another discussion.

Remote Configuration Self Signed Certificate

Finally the remote
configuration processes requires the AMT device to generated its own self
signed (i.e. there is no certificate authority involved – and hence no trust
established) certificate to serve as a TLS/SSL certificate in place of the Pre
Shared Key (PSK) that was used to protect provision in earlier version of AMT.
Both the certificate and the key are generated locally on the AMT system.

SCS Certificates

Once we get to the server side, certificates become more
interesting as we have to know which Windows certificate store to put the
certificate and private key.

The SCS requires four certificates.

SSL Certificate

The SCS service runs as a web service within IIS.
Connections to the service can be carried out by the SCS console or by an ISV
supplied UI. To secure this traffic the SCS service requires that these web
services be protected by TLS/SSL. The SSL certificate is the same type used to
secure other web servers like amazon.com or eBay.

This certificate is installed in the Windows certificate
store of the service account used to run IIS. If you use the IIS “Server
Certificate” this is a two step process. First the IIS server generates the
private key and a certificate request. The private key is stored in the IIS
service account key store, and the request is stored in a text file. The
certificate request is then sent to the CA who issues the certificate. The
wizard then installs the certificate and matches it up with the private key.

TLS Root

The TLS root certificate is the root certificate from the
certificate chain that issued the TLS certificates to the AMT devices. This may
or may not be the same as your MTLS Root, depending on how you issue your
certs. This certificate is used to validate the TLS certificate provided by the
AMT device when the SCS connects to the device to perform some function after
initial provisioning. This could be re-provisioning or one of the maintenance
tasks that the SCS performs – like setting the AMT system time.

There is no private key associated with this certificate.
The certificate should be stored in the “Trusted Root Certification
Authorities” folder of the SCS service accounts certificate store.

Mutual TLS Authentication Certificate

This certificate is used by the SCS to authenticate itself
to the AMT devices. Both the certificate and the private key should be stored
in the SCS service accounts “Personal” certificate store. The root certificate
of the chain must be installed on the AMT device during provisioning to allow
this authentication mechanism to work correctly.

Remote Configuration Certificate

This is the most interesting of the three SCS service
certificates. This is because the certificate needs to be in two certificate
stores – but the private key only needs to be in one. The SCS service presents
this certificate to the AMT device to start remote provisioning. As this is a
mutually authenticated TLS session, the SCS service must have access to the
private key. So the certificate and private key should be installed in the SCS
service accounts certificate store.

To configure SCS for remote configuration, a utility called
“loadcert.exe” is run. This utility lists the certificates in the local
computer store and you select the one you want the SCS service to use for
remote configuration. The utility then make a registry entry containing the
thumbnail of the certificate. The SCS service looks at this registry entry and
then looks up the selected certificate in the SCS service account certificate
store. Because the loadcert.exe utility reads from the local computer store,
the remote configuration certificate needs to be installed in there. But,
because it is only read by the utility to extract the thumbnail, the private
key does not have to be installed in the local computer store.

SMS (Management Console) Certificates

Certificates for the SMS Add-on are complicated by the use
of the gSOAP libraries. GSOAP is a cross platform, open source web services
development toolkit. Because it is cross platform it does not (obviously) use
the windows certificate store. Instead it uses a file format called PEM (from
the Privacy Enhanced Mail system). PEM files store certificates and keys as
base-64 encoded strings. This makes them easy to manipulate (with things like
notepad) and portable between systems. The following discussion assumes a 3
level PKI hierarchy, with a root CA, policy CA and an issuing CA. If there is
sufficient interest I can talk about PKI hierarchies on a separate thread.

As the SMS is also a windows program, it also needs its
certificates in the windows store.

h2. Mutual Authentication Certificate (MTLS)

If the AMT profile the SCS calls for mutual TLS, then the
management console needs to supply an MTLSS certificate. This certificate, and
its private key, needs to be installed in SMS Add-on Service account
certificate store. This allows the SMS Add-on service to access the key for
operations such as power management. Because
the windows certificate store can “walk certificate chains”, only the MTLS cert
needs to be installed. Windows will work out where to get the rest of the chain
from on its own.

This is not true for the PEM file. In order for the gSOAP
library to have access to the certificate chain, all the chain entries must be
placed in the file (in the right order).

TLS Root Certificate

When a connection to the AMT device is made, it presents its
TLS certificate. In order for the Management console to trust the certificate,
the root certificate the issued the AMT certificate must be installed in the
“Trusted Root Certification Authorities” folder in the SMS Add-on’s certificate
store. . Because the windows certificate
store can “walk certificate chains”, only the TLS root cert needs to be installed.

Again, this is not true for the PEM file. In order for the
gSOAP library to have access to the certificate chain, all the chain entries
must be placed in the file (in the right order).

Intel vPro Expert Center Blog