I know a lot has been posted on vPro Expert Center (VPEC) about all of the PKI certificates that are involved in Intel vPro technology, but I thought it was time to repost some information again specific to SCCM. And much of this applies to the various ISVs that support vPro technology.
I often work with many customers to help them understand the details around certificates and how they apply to Intel vPro technology. So I figured I would post some of this material to help others in the future. I will try to make it very succinct and not write a book on this subject... which is challenging when it comes to certificates. Hopefully, you can reference this material in the future (or point others to it) to help understand and set up the necessary requirements for certificates.
The attached ppt lists the high-level certificate requirements in a SCCM vPro environment (note: SCCM requires TLS to manage vPro systems). The attached foils (see attached ppt - Certificates for SCCM and vPro.ppt) also list the specific steps used to configure your Microsoft Enterprise PKI server to support SCCM/vPro. You will note in this slide deck I have inserted several references to Microsoft TechNet articles for more in-depth information.
There are two different certificate requirements to “provision” and “manage” Intel vPro systems in a SCCM environment. This assumes that a Microsoft Enterprise CA exists and is already configured in the production environment.
Two Certificates Required in SCCM:
* Intel® AMT Provisioning Certificate
* Intel® AMT TLS Web Server Certificate
1. Intel AMT Provisioning Certificate (Used for Provisioning, aka, Setup and Configuration)
This certificate can be obtained from a 3rd-party CA or self-generated from the internal corporate PKI environment:
- 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield) http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1
- Self Generated from Internal PKI infrastructure http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2
NOTE: If you self generate your own provisioning certificate from your PKI environment, you will be required to touch each system and insert your Root CA hash that was used to generate your provisioning certificate (top level root CA in the chain). See Internal vs External Provisioning Certificates.ppt (attachment).
See TechNet link on the process to generate your own provisioning certificate from your Microsoft Enterprise CA: http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2
This provisioning certificate is only used one time during the provisioning process of vPro systems.
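The root CA hash in the note above is a digest of the DER-encoded certificate at the top of the provisioning certificate's chain. The PowerShell below is an added example, not from the original post or from Microsoft or Intel: it builds the chain for an exported provisioning certificate and prints the root's hash, so the value entered on each system can be checked against the certificate itself. `$CertPath` and `Get-CertDigest` are hypothetical names, and because the digest the firmware expects depends on the AMT version (an assumption to confirm for your systems), both SHA-1 and SHA-256 are printed.

```powershell
# Added example: print the hash of the root CA that tops a provisioning
# certificate's chain. $CertPath is a hypothetical path to the exported .cer.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

# Hypothetical helper: hex digest of a certificate's DER bytes, e.g. "AB-CD-...".
function Get-CertDigest([byte[]]$Der, $Hasher) {
    try { [System.BitConverter]::ToString($Hasher.ComputeHash($Der)) }
    finally { $Hasher.Dispose() }
}

$fullPath = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Only chain construction matters here, so skip revocation lookups.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if (-not $chain.Build($cert)) {
    # Report why the chain is not fully trusted on this machine, then continue.
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}

# ChainElements is ordered leaf first, so the last element is the top of the chain.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# A root CA certificate is self-signed. If the top element is not, the chain
# stopped at an intermediate and its hash is not the one the note refers to.
if ($root.Subject -ne $root.Issuer) {
    throw "Incomplete chain: '$($root.Subject)' is not a self-signed root."
}

[pscustomobject]@{
    RootSubject = $root.Subject
    NotAfter    = $root.NotAfter
    SHA1        = Get-CertDigest $root.RawData ([System.Security.Cryptography.SHA1]::Create())
    SHA256      = Get-CertDigest $root.RawData ([System.Security.Cryptography.SHA256]::Create())
} | Format-List
```

Run it on a machine that has the internal root and any intermediate CA certificates installed, otherwise the chain cannot be built up to the root and the script stops with the incomplete-chain error.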
2. Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro)
This certificate is used each time the SCCM console manages vPro systems (it is used to set up an SSL session between the console and the client).
A new web server certificate template must be created on the production PKI server.
Recommended certificate name: ConfigMgr AMT Web Server Certificate
The primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions on this template.
TechNet article discussing these steps: http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver
Hopefully this gives enough high-level explanation of certificates as it relates to SCCM and Intel vPro, as well as reference links for more in-depth details.