1 Reply Latest reply on Feb 9, 2010 9:29 AM by

    AMT Cert Clarification

      Hi, Long time lurker, first time poster.

      I'm confused over cert generation after reading different posts, and I'm so close to getting this working.  The infrastructure I support uses a root 4096 key length, so I've been following some examples for requesting certs from external CAs like GoDaddy and VeriSign (I'm forced to use Entrust due to circumstances out of my control).  Some examples say to generate the 3rd-party cert from the member/web server, but then the TechNet documentation indicates it's done from the domain's CA. This is where I'm getting lost, and here is what I've done so far:

      I got the domain admins to generate a 2048-bit cert using the internal CA for the "AMT Provisioning" cert template (however, its root cert is 4096-bit).  Upon reading that this is not compatible, I then generated a CSR from the SCCM server and got the 2048-bit Entrust cert issued and imported on the web server (and imported the Entrust Root cross cert).  However, I notice in SCCM > Component Config > OOBM that I only have the option to choose the internal CA's template from above (the one with the 4096-bit root); I can't reference the Entrust cert in the AMT Certificate Config dialog box, but I figured OK, let's try it anyway.
      So on the workstations, I've imported the Entrust Root hashes and, needless to say, in the log files I get a handshake, but it appears there is a cert issue based on the errors.  I have a feeling that the 3rd-party cert must be generated and applied on the domain CA, not the member server, as per the TechNet article "http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning". Is this correct?

        • 1. Re: AMT Cert Clarification

          The standard domain-only validation SSL certificates from the GoDaddy Certificate Authority are not suitable for Intel AMT remote configuration. These types of certificates do not contain the OU information required by the firmware to accept them.


          If GoDaddy is used as the CA, then request a High-Assurance SSL certificate, which should include the OU information required by the Intel AMT client.


          For more information, see the Intel AMT SCS Installation and User Manual, Chapter 3, section "Preparing Intel AMT for Future Configuration."
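The following is an added example (not code from this thread, and not from Intel or Microsoft) showing the two practical steps the thread turns on: generating the CSR with the OU in the subject, and auditing the issued certificate's chain before pointing SCCM at it. Whichever CA signs the request, the key pair and CSR are created on the server that will present the certificate; the signing CA (internal or Entrust) never needs the private key. The script assumes the OU value `Intel(R) Client Setup Certificate`, which comes from Intel's AMT documentation rather than from this thread; the host name, organization, file paths and the 2048-bit ceiling (reflecting the original poster's report that a 4096-bit root is rejected) are placeholders to adjust.

```powershell
# Added example, not code from the thread or from Intel/Microsoft.
# Part 1: write a certreq .inf whose Subject carries the OU the AMT firmware
#         looks for, and produce a CSR on the server that will own the key.
# Part 2: audit an issued certificate: OU present, chain builds, RSA size of
#         every chain element, and the root's SHA-1 thumbprint (the "root hash"
#         that is entered in MEBx or provisioned to the clients).
# Assumptions: $RequiredOu is the value from Intel's AMT docs (not stated in
# this thread); $Fqdn/$Org are placeholders; $MaxChainKeyBits = 2048 reflects
# the thread's report that a 4096-bit root was not accepted.

$RequiredOu      = "Intel(R) Client Setup Certificate"
$Fqdn            = "sccm01.corp.example"   # placeholder: OOB service point FQDN
$Org             = "Example Corp"          # placeholder organization
$MaxChainKeyBits = 2048

function New-AmtProvisioningCsr {
    param([string]$InfPath = (Join-Path $env:TEMP "amt-provisioning.inf"),
          [string]$CsrPath = (Join-Path $env:TEMP "amt-provisioning.req"))

    # KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU = Server Authentication.
    # MachineKeySet keeps the private key in this server's machine store, which is
    # why the request is generated here and not on the CA.
    $inf = @(
        '[Version]',
        'Signature = "$Windows NT$"',
        '',
        '[NewRequest]',
        "Subject = `"CN=$Fqdn, OU=$RequiredOu, O=$Org`"",
        'KeyLength = 2048',
        'KeySpec = 1',
        'KeyUsage = 0xA0',
        'MachineKeySet = TRUE',
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        'RequestType = PKCS10',
        'Exportable = FALSE',
        '',
        '[EnhancedKeyUsageExtension]',
        'OID = 1.3.6.1.5.5.7.3.1'
    )
    Set-Content -Path $InfPath -Value $inf -Encoding Ascii
    & certreq.exe -new $InfPath $CsrPath | Out-Null
    return $CsrPath   # submit this file to the external CA; install the issued cert with certreq -accept
}

function Test-AmtProvisioningCert {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit; revocation is not the question here
    $built = $chain.Build($cert)

    $hasOu    = $cert.Subject -match ('(^|, )OU=' + [regex]::Escape($RequiredOu) + '(,|$)')
    $problems = @()
    if (-not $hasOu) { $problems += "leaf subject lacks OU=$RequiredOu (subject: $($cert.Subject))" }
    if (-not $built) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build from the local stores: $status"
    }

    foreach ($element in $chain.ChainElements) {
        $c    = $element.Certificate
        $bits = $c.PublicKey.Key.KeySize
        Write-Host ("{0,5}-bit  {1}" -f $bits, $c.Subject)
        if ($bits -gt $MaxChainKeyBits) {
            $problems += "$bits-bit key in chain element '$($c.Subject)' exceeds $MaxChainKeyBits"
        }
    }

    # The last element is the root actually anchoring this chain; its SHA-1
    # thumbprint is the hash the AMT clients must already trust.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Root SHA-1 thumbprint (root hash for MEBx / client provisioning): $($root.Thumbprint)"

    if ($problems.Count -eq 0) {
        Write-Host "OK: certificate looks usable for AMT remote configuration"
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage on the site system (run as administrator):
#   New-AmtProvisioningCsr                          # then submit the .req to the CA
#   Test-AmtProvisioningCert -Thumbprint 'AB12...'  # thumbprint of the issued, installed cert
```

Run the audit after importing the issued certificate together with any cross or intermediate certificates the CA supplies; if the chain reported here ends in a different root than the one whose hash was pushed to the workstations, the firmware will finish the TLS handshake and then reject the certificate, which is consistent with the "handshake but cert error" symptom the original post describes.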