Intermediate certificates act as a proxy for a Root certificate authority (CA), which is traditionally kept "offline": behind several layers of security, in a highly secure environment with limited access, so that its private keys are never exposed.
Hence the Root CA does not sign SSL certificates directly but delegates that task to intermediate CAs. The Root certificate signs the intermediate certificate, which in turn signs the digital SSL certificates, maintaining the "Chain of Trust."
Traditionally an Intel® AMT system could only authenticate correctly using trusted root certificates or a full certificate chain (intermediate and leaf certificates) held in its own certificate store. Intel SCS 12 now supports the use of intermediate certificates for authentication in any of the features below:
- 802.1x Setups
- Remote Access using a Management Presence Server
- Mutual authentication in Transport Layer Security
You may say "so what", but this capability is becoming increasingly important where, for example, the 802.1x network protocol is used to authenticate devices wishing to connect to a corporate LAN or WLAN. The variety of RADIUS servers available (Microsoft Network Policy Server (NPS), Aruba ClearPass, Cisco Identity Services Engine, etc.) means authentication is not always performed using a complete certificate chain; often only an intermediate and a leaf are presented.
This enhancement should let Intel AMT integrate more easily into 802.1x environments, supporting robust network authentication while remaining available for out-of-band services such as KVM (keyboard, video, mouse) or power control when the OS isn't running or the system is powered off, shut down, or hibernating within an enterprise environment.
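As an added example (not code from the original post, and not Intel's), the following shell script uses the openssl command-line tool to build a constructed three-tier chain and shows why a verifier rejects a leaf when only the intermediate is in its trust store, unless it is explicitly allowed to anchor trust at that intermediate, which is the behaviour Intel SCS 12 enables for AMT. The CA names and file names are made up for the demo, and openssl's `-partial_chain` flag stands in for the AMT-side setting.

```shell
#!/bin/sh
# Added example, not code from the original post or from Intel: build a toy
# three-tier PKI with the openssl CLI and see how a verifier treats the
# intermediate when it is the only certificate in the trust store.
# All CA names and file names below are constructed for the demo.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# 1. Self-signed root CA (in real life kept offline; it signs only the intermediate).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout root.key -out root.pem -days 1 -subj "/CN=Demo Root CA" >/dev/null 2>&1

# 2. Intermediate (issuing) CA, signed by the root and marked CA:TRUE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Demo Issuing CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1

# 3. Leaf certificate (think: an 802.1x client cert), signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >leaf.ext
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=demo-client-01" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# verify_leaf ANCHOR [extra 'openssl verify' flags]: echoes ok/fail, returns 0/1.
verify_leaf() {
  anchor="$1"; shift
  if openssl verify "$@" -CAfile "$anchor" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail; return 1
  fi
}

verify_leaf root.pem -untrusted int.pem   # ok: chain reaches a trusted root
verify_leaf int.pem || true               # fail: intermediate is not self-signed, root unknown
verify_leaf int.pem -partial_chain        # ok: intermediate explicitly trusted as anchor
```

The middle case is the one that bit AMT before SCS 12: a RADIUS server that presents only intermediate plus leaf cannot be validated by a store that holds just that intermediate unless the verifier is told to treat it as a trust anchor.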