When creating an Intel AMT Configuration profile with Transport Layer Security (TLS), a target Microsoft Certificate Authority (CA) and certificate template must be specified. When using TLS with Intel AMT, a Server Authentication certificate must be defined and applied into the firmware of each system. The easiest choice is the WebServer certificate template. In some environments, however, this template might be disabled or removed due to security policies.

 

The following summarizes the required steps.

 

First - if a valid Server Authentication certificate template has not been published, a screen similar to the following will appear. The certificate template field is blank with no available options.

 

pic1.png

Within the Microsoft Enterprise CA, duplicate the WebServer certificate template. When prompted, select the default option for "Windows 2003 Server, Enterprise Edition".

pic2.png

Provide the details for the certificate template. In the example shown below, the certificate template name is "Intel AMT TLS Cert".

pic3.png

On the Security tab, provide access to the template for the logon account of RCSserver. In this example, RCSserver is running under the Network Service account of a system with hostname SCS8, so select "SCS8$". Grant the "Read" and "Enroll" permissions.

pic4.png

Next, issue the certificate template. Right-click on Certificate Templates under the target Microsoft CA. (Note: Required only for Microsoft Enterprise CA to issue certificate templates to the Microsoft Active Directory. Microsoft Standalone CA implementations do not include this option.)

pic5.png

With the certificate template issued...

pic6.png

... in the Intel SCS console, select "Refresh CAs & Templates". From the pull-down list, select the target certificate template.

pic7.png

Two final reminders - ensure the logon account for RCSserver (the server component of the Intel SCS installation) has rights to "Issue and Manage Certificates" along with "Request Certificates", as required for the Web Enrollment process.

pic8.png

And ensure the Policy Module setting allows for automatically issuing certificates.

pic9.png
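The settings made through the GUI steps above can be checked from an elevated PowerShell session on the CA server. This is an added example, not part of the Intel SCS User Guide or the original article; the template short name `IntelAMTTLSCert` is an assumption (the article gives only the display name "Intel AMT TLS Cert"), and `SCS8$` is the article's example account.

```powershell
# Added example: verify the template is issued, review who can enroll, and
# read the policy module setting. Run on the Enterprise CA server.
$TemplateCN = 'IntelAMTTLSCert'  # ASSUMED short name; confirm on the template's General tab
$Expected   = 'SCS8$'            # RCSserver logon account from the article's example

Import-Module ADCSAdministration

# 1. Is the template issued (published) on this CA?
if (Get-CATemplate | Where-Object { $_.Name -eq $TemplateCN }) {
    "issued   : $TemplateCN"
} else {
    Write-Warning "Template '$TemplateCN' is not issued on this CA."
}

# 2. Which principals hold Enroll on the template object in Active Directory?
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn   = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = [ADSI]"LDAP://$dn"

# Certificate-Enrollment extended right. An empty ObjectType means "all extended
# rights" (for example Full Control), which also permits enrollment.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$rules = $tmpl.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$rules |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extRight) -and
        ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique |
    ForEach-Object {
        # Anything other than the RCSserver account deserves a second look.
        if ($_ -like "*\$Expected") { "expected : $_" } else { "review   : $_" }
    }

# 3. Policy module request handling. A value of 1 (REQDISP_ISSUE) issues
#    automatically; the 0x100 bit (REQDISP_PENDINGFIRST) holds requests as pending.
certutil -getreg policy\RequestDisposition
```

Principals listed as `review` are not necessarily wrong (default administrative groups usually appear), but each one is an account that can request a Server Authentication certificate from this template.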

 

The above information is provided in the Intel SCS User Guide. This article provides a summary and reminder.