Provisioning and TLS Management Traffic Certificate Considerations

Version 3

    ·      When setting up a PKI to issue the certificates used for TLS encryption of management traffic to AMT devices, what must I take into consideration?

    1.    Every certificate in the chain must have a public key of 2048 bits or less. For example, if your environment has a Root Certificate Authority, a Policy Certificate Authority and an Issuing Certificate Authority, the key size of each of those CA certificates, and of the certificate issued to the AMT device itself, must be 2048 bits or less.

    The following example works:

    Root CA: 2048 bits
      └ Policy CA: 2048 bits
          └ Issuing CA: 2048 bits
              └ AMT Certificate: 2048 bits

    The following example does NOT work, because the Root CA key exceeds 2048 bits even though every certificate below it is within the limit:

    Root CA: 4096 bits
      └ Policy CA: 2048 bits
          └ Issuing CA: 2048 bits
              └ AMT Certificate: 2048 bits


    You can check the key sizes by inspecting a certificate that the PKI you plan to use has already issued to any server, and walking its chain up to the root. The screenshots below show a simple chain in which a single Root CA also acts as the Issuing CA. Regardless of how many intermediate CA certificates the chain contains, check the public key size of each certificate in it, root included, to determine whether your existing infrastructure will suffice.


    [Image: Certificate.jpg (certificate chain) and Certificate Size.jpg (public key size of the certificate)]
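    The check described above, as an added PowerShell example that is not part of the original article: it loads a certificate already issued by the candidate PKI, builds its chain with .NET's X509Chain, and reports the RSA key size of every element from the leaf up to the root, flagging anything over the limit. The certificate path is a placeholder, and the script assumes Windows PowerShell 5.1 or later on .NET 4.6 or later (for RSACertificateExtensions) and that the issuing chain is trusted on the machine or reachable through the certificate's AIA so that the chain builds.

    ```powershell
    <#
     Added example, not from the original article.
     Lists the public key size of every certificate in the chain of a server
     certificate issued by the PKI you intend to use for AMT TLS, and flags any
     certificate whose key is larger than $MaxKeyBits or is not RSA.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertificatePath,        # e.g. C:\temp\server.cer (placeholder path)
        [int]$MaxKeyBits = 2048          # limit stated in the article
    )

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # This is a key-size survey, not a validity check: do not let an unreachable
    # CRL prevent the chain from being built.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($leaf)) {
        Write-Warning ("Chain did not build cleanly: " + ($chain.ChainStatus.StatusInformation -join '; '))
    }

    # ChainElements[0] is the leaf; the last element is the root CA.
    $report = foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }   # $null means the key is not RSA
        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            Algorithm = $cert.PublicKey.Oid.FriendlyName
            KeyBits   = $bits
            Ok        = ($null -ne $bits -and $bits -le $MaxKeyBits)
        }
    }

    $report | Format-Table Subject, Algorithm, KeyBits, Ok -AutoSize

    $bad = @($report | Where-Object { -not $_.Ok })
    if ($bad.Count -gt 0) {
        Write-Warning "$($bad.Count) certificate(s) in the chain exceed $MaxKeyBits bits or are not RSA; this PKI will not work for AMT TLS as it stands."
        exit 1
    }
    "All $($report.Count) certificates in the chain are RSA keys of $MaxKeyBits bits or less."
    ```

    Run it against any certificate the PKI has issued, for example `.\Check-AmtChainKeySize.ps1 -CertificatePath C:\temp\server.cer`. The root is included deliberately: as the example above shows, a 4096-bit root disqualifies the chain even when every certificate below it is 2048 bits.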


    ·      What should I do if my PKI certificate chain includes a certificate whose public key is longer than 2048 bits?


    You essentially have two options:

    1.    Re-key the affected CA(s) so that every certificate in the chain, including the CA certificates themselves, has a public key of 2048 bits or less. This is much easier said than done when the certificate that needs replacing belongs to a certificate authority in the chain rather than to an end entity. The higher up the hierarchy the affected CA sits, the greater the impact of the change: certificates already issued below a re-keyed CA chain to its old key, so each of them must be reissued under the new key before the chain qualifies for AMT TLS.

    This option is usually practical only in environments where few certificates have been issued, or where the PKI is not yet in production. It is the least expensive option in terms of licensing because it does not require another PKI to be set up.


    2.    Stand up a separate root certificate authority, with a 2048-bit key, that also acts as the issuing CA and is used strictly for AMT TLS certificates. This solution is simple, complete and quick, but it requires another license and another operating system instance to host the CA. When the new CA is an enterprise CA, it is especially important to remove every certificate template it publishes except the single AMT TLS certificate template, as shown below; otherwise domain members can enroll for other certificate types from a CA that was never meant to issue them.



    [Image: Certificate Template in CA.jpg (the dedicated CA's Certificate Templates folder containing only the AMT TLS template)]
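    Restricting the dedicated CA to its one template, as an added PowerShell example that is not part of the original article. It lists the templates the CA currently publishes with `certutil -CATemplates`, removes every one except the AMT template with `certutil -SetCATemplates`, and re-lists to confirm. Run it on the CA itself as a CA administrator. The template name `AMTTLS` is a placeholder for the Template Name (the LDAP name, not the Display Name) of your own AMT TLS template, and the line parsing assumes the `TemplateName: Display Name -- ...` output format that `certutil -CATemplates` produces on Windows Server; confirm it against your own output before running without `-WhatIf`.

    ```powershell
    <#
     Added example, not from the original article.
     Leaves a dedicated AMT issuing CA publishing exactly one certificate
     template. 'AMTTLS' is a placeholder template name.
    #>
    param(
        [string]$KeepTemplate = 'AMTTLS',   # Template Name of the AMT TLS template (placeholder)
        [switch]$WhatIf                     # report what would be removed without changing the CA
    )

    $raw = certutil -CATemplates
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed:`n$($raw -join "`n")" }

    # Each published template is printed as "TemplateName: Display Name -- ...";
    # the trailing "CertUtil: ... completed successfully." line is skipped.
    $published = @(foreach ($line in $raw) {
        if ($line -notmatch '^CertUtil:' -and $line -match '^(?<name>[^:\s]+):\s') { $Matches['name'] }
    })

    "Templates currently published: $($published -join ', ')"

    if ($KeepTemplate -notin $published) {
        throw "Template '$KeepTemplate' is not published on this CA. Add it first with: certutil -SetCATemplates +$KeepTemplate"
    }

    $toRemove = @($published | Where-Object { $_ -ne $KeepTemplate })
    if ($toRemove.Count -eq 0) {
        "CA already publishes only '$KeepTemplate'; nothing to do."
        return
    }

    foreach ($template in $toRemove) {
        if ($WhatIf) {
            "Would remove template: $template"
            continue
        }
        # A leading '-' on the template name tells certutil to unpublish it.
        $out = certutil -SetCATemplates "-$template"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Failed to remove template '$template':`n$($out -join "`n")"
        } else {
            "Removed template: $template"
        }
    }

    # Show the final state; only $KeepTemplate should remain.
    certutil -CATemplates
    ```

    Run with `-WhatIf` first to see the list of templates that would be unpublished. Unpublishing a template from a CA does not delete it from Active Directory, so this change is reversible with `certutil -SetCATemplates +TemplateName` if a template is removed by mistake.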