Last year there were some changes to the vPro VeriSign provisioning cert.

This change caused some confusion and a lot of users still have questions about it today!

 

Prior to May 17th2009, if you were ordering a “Standard SSL” vPro Provisioning certificate from VeriSign, you would get a cert signed by the G1 Root CA (742c3192e607e424eb4549542be1bbc53e6174e2).

The G1 root CA was a valid VeriSign hash in the ME firmware.

You would buy the G1 VeriSign cert and it would match the firmware and everything was fine!

You could also purchase the “Premium SSL Certificate” and you would get a cert signed by the same G1 Root CA (742c3192e607e424eb4549542be1bbc53e6174e2 ), again everything worked fine!

 

After May 17th, VeriSign made a few changes and the “Standard SSL” vPro Provisioning cert is now being signed with the G2 Root CA (85371ca6e550143dce2803471bde3a09e8f8770f).

The G2 hash was just recently added to our firmware. Here is a table showing the versions and which VeriSign cert they support:

 

Platform

VeriSign

G1 Support

VeriSign

G1+G2 Support

Averill< 2.2.202.2.20 +
Santa Rosa< 2.6.202.6.20 +
Weybridge< 3.2.103.2.10 +
Montevina< 4.2.204.2.20 +
McCreary< 5.1.105.1.10 +

 

So make sure you have at least this version of Firmware if you are planning on using the “Standard SSL” (G2) vPro Provisioning cert from VeriSign!

 

Not all OEMs have released the latest version of firmware, and if your OEM does not have the latest “G2” supported firmware released, you can still purchase the “Premium SSL Certificate” which is signed by the G1 Root CA.

 

Here is a complete list of supported Hashes:

 

VeriSign Class 3 Public Primary CA – G1

74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2

 

VeriSign Class 3 Public Primary CA – G2 (See the table above)

85 37 1c a6 e5 50 14 3d ce 28 03 47 1b de 3a 09 e8 f8 77 0f

 

VeriSign Class 3 Public Primary CA – G3

13 2d 0d 45 53 4b 69 97 cd b2 d5 c3 39 e2 55 76 60 9b 5c c6

 

Go Daddy Class 2 CA

27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4

 

Comodo AAA CA

d1 eb 23 a4 6d 17 d6 8f d9 25 64 c2 f1 f1 60 17 64 d8 e3 49

 

Starfield Class 2 CA

ad 7e 1c 28 b0 64 ef 8f 60 03 40 20 14 c3 d0 e3 37 0e b5 8a

 

VeriSign has also updated their Knowledgebase:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO10703&actp=search&viewlocale=en_US

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD146&actp=LIST

http://www.verisign.com/ssl/intel-vpro-technology/index.html

 

There are also a few expert center posts from last year that highlight the changes:

http://communities.intel.com/community/openportit/vproexpert/activation/blog/2009/05/22/how-does-the-verisign-root-certificate-change-affect-intel-vpro#comment-4202

http://communities.intel.com/community/openportit/vproexpert/activation/blog/2009/12/02/updated-verisign-root-certificate-for-vpro-provisioning

 

Let me know if you have any questions!

Josh