1 Reply Latest reply on Aug 30, 2016 6:11 AM by dariusz.wittek@intel.com

    Need help: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable

    gmadine

      We need some help. We are receiving an SSL error when attempting to remote configure our Dell notebooks

      We have a Go Daddy CA for provisioning our Dell notebooks. However, we are still unable to remote configure our vPro equipped systems.

       

      Lan Setup:

      Our Active Directory suffix is mycompany.corp (.corp is our AD Zone)

      Our DHCP option 14 issues a suffix of pb.mycompany.com (.com is our Unix based zone)

      Our Go Daddy CA is pb.mycompany.com

      Our RCS server is pbvproap01.pb.mycompany.com

       

      Error message from one of our notebooks:

      Operation:  Configuration
      Date and Time: 8/22/2016 11:13:55 AM
      Error Code: 3221246495
      Severity: Failure
      UUID: 4C4C4544-0030-3810-8047-C2C04F565931
      Intel AMT FQDN: Notebook1.pb.mycompany.com
      Intel AMT IPv4: 192.168.164.5                      
      Server Name: pbvproap01.mycompany.corp
      Description: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.
      Failed while calling
      WS-Management call
      GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error
      0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.
      Valid certificate for PKI configuration not found.

        • 1. Re: Need help: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable
          dariusz.wittek@intel.com

          Please check your GoDaddy certificate:

          1. Is it installed in certificate store of user running RCS Service (if RCS is run as Network Service it will be Computer certificate store)
          2. Is it Intel AMT Provisionig certificate?It should contain an Intel AMT unique OID (2.16.840.1.113741.1.2.3) in EKU if possible. It must contain the “SSL Server” OID (an IANA pre-defined OID). (this is what GoDaddy inserts into EKU when you select "certificate for Intel vPro"
            — OR —
            The OU value in the Subject field must be “Intel(R) Client Setup Certificate”. This OU value is case-sensitive and must be entered exactly (without quotation marks). (this is used by other Root CAs)

          3. If it was issued recenly it is SHA256 certificate for sure. SHA256 certificates are supported by Intel AMT FW 6.0x or newer only.
          4. Does its trust chain start with  Go Daddy Class 2 CA with SHA1 Fingerprint: 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4?
            Newer Go Daddy Root CA-G2 is supported by Intel AMT 11, and updated/recent versions of AMT FW 8,9.x,10. Those updated versions may be not made available by Dell for your HW.
            You may need to install GoDaddy G1 to G2 Cross Certificate  gdroot-g2_cross.crt to rebuild trust chain to Go Daddy Class 2 CA (and Restart RCS).

           


          Dariusz Wittek
          Intel  EMEA Biz Client Solution Architect