Have you wondered what root certificate hashes are on a system, and wanted to validate without entering the MEBx?

 

Try the ztclocalagent.exe utility with a -discovery option.   ZTClocalagent is available with the Intel AMT SDK - http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/.   Look in the subdirectory \Windows\Intel_Manageability_Configuration\Bin  (source code also available in the download)

 

If you've decided to apply custom root hashes in your environment - this could help to quickly determine whether a custom hash is loaded.

 

If you're unsure whether the latest VeriSign, GoDaddy, or other root hash is on a platform - or the specific AMT version - this approach could help.   (for background data on the root certificate hashes - see http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/12/verisign-provisioning-certs)

 

Also - if you're using the latest vPro Activator (version 5.1.x or higher), you will also see the root certificate hashes

 

There is an improved local AMT discovery capability coming - but if you need a solution today, try this out

 

Here's an example of the output as shown from one of my systems.   Note that all of the root certificate hashes are listed below

 

The following was obtained by running ztclocalagent -discovery

 

You will need to run with local administrator rights and the HECI driver must be loaded for this to work.   I've seen situations with Win7 64-bit where a command prompt must be opened with "run as administrator" for this to work.

 

******************************

Intel ZTCLocalAgent Version: 3.0.0.1

 

 

BIOS Version:            6IET57H1 (1.17 )

 

 

Intel AMT code versions:

        Flash:                                            6.1.0

        Netstack:                                     6.1.0

        AMTApps:                                   6.1.0

        AMT:                                             6.1.0

        Sku:                                               24584

        VendorID:                                   8086

        Build Number:                           1042

        Recovery Version:                   6.1.0

        Recovery Build Num:              1042

        Legacy Mode:                            False

 

 

Setup and Configuration:

Not started

 

Found 8 certificate hashes in following Handles:

0,1,2,3,4,5,6,7,

 

Certificate hash entry:

 

Friendly Name = VeriSign Class 3 Primary CA-G1

Default = true

Active = true

Hash Algorithm = SHA1

 

Certificate Hash:

74 2C 31 92 E6

07 E4 24 EB 45

49 54 2B E1 BB

C5 3E 61 74 E2

 

Certificate hash entry:

 

Friendly Name = VeriSign Class 3 Primary CA-G3

Default = true

Active = true

Hash Algorithm = SHA1

 

Certificate Hash:

13 2D 0D 45 53

4B 69 97 CD B2

D5 C3 39 E2 55

76 60 9B 5C C6

 

Certificate hash entry:

 

Friendly Name = Go Daddy Class 2 CA

Default = true

Active = true

Hash Algorithm = SHA1

 

Certificate Hash:

27 96 BA E6 3F

18 01 E2 77 26

1B A0 D7 77 70

02 8F 20 EE E4

 

Certificate hash entry:

 

Friendly Name = Comodo AAA CA

Default = true

Active = true

Hash Algorithm = SHA1

 

Certificate Hash:

D1 EB 23 A4 6D

17 D6 8F D9 25

64 C2 F1 F1 60

17 64 D8 E3 49

 

Certificate hash entry:

 

Friendly Name = Starfield Class 2 CA

Default = true

Active = true

Hash Algorithm = SHA1

 

Certificate Hash:

AD 7E 1C 28 B0

64 EF 8F 60 03

40 20 14 C3 D0

E3 37 0E B5 8A

 

Certificate hash entry:

 

Friendly Name = VeriSign Class 3 Primary CA-G2

Default = true

Active = true

Hash Algorithm = SHA1

 

Certificate Hash:

85 37 1C A6 E5

50 14 3D CE 28

03 47 1B DE 3A

09 E8 F8 77 0F

 

Certificate hash entry:

 

Friendly Name = VeriSign Class 3 Primary CA-G1.5

Default = true

Active = true

Hash Algorithm = SHA1

 

Certificate Hash:

A1 DB 63 93 91

6F 17 E4 18 55

09 40 04 15 C7

02 40 B0 AE 6B

 

Certificate hash entry:

 

Friendly Name = VeriSign Class 3 Primary CA-G5

Default = true

Active = true

Hash Algorithm = SHA1

 

Certificate Hash:

4E B6 D5 78 49

9B 1C CF 5F 58

1E AD 56 BE 3D

9B 67 44 A5 E5