If you need to obtain a digital certificate suitable for use with remote configuration of Intel AMT clients, the following instructions can be used in conjunction with the freely available OpenSSL tools to generate a certificate signing request (CSR) suitable for submission to a CA, and to construct a complete certificate suitable for import with the Microsoft Windows MMC certificates snap-in. These instructions have been proven with the GoDaddy and Verisign Certificate Authorities (CAs). Please also see the notes at the end of this post, which contain information on GoDaddy certificates and the criteria you will need to satisfy for most CAs to issue you a certificate.
OpenSSL tools for Microsoft Windows are available from http://www.openssl.org/related/binaries.html
The two batch files and the ZTC.CFG configuration file referenced in the instructions below are reproduced at the end of this posting.
Copy the OpenSSL tools for Microsoft Windows into a folder on a Windows client
Copy the two batch files and the configuration file at the end of this posting into the same folder
Edit the configuration file ZTC.CFG, locate the section [req_distinguished_name] and set the C, ST, L, O and CN fields to the appropriate country, state or province, location, company name and provision server FQDN. The company information must match the government or commercial company registration information and the CN field should match the hostname and domain name of the provision server. Do not change the OU field which is set for use with Intel AMT. Save the edited file
Run the batch file MAKECSR which will generate public and private keys and a CSR file called ZTCREQ.PEM
Request an SSL certificate from your CA. When prompted for the CSR by the CA website, cut and paste the entire contents of ZTCREQ.PEM into the CA website dialog box. If you are asked what type of software you are using the certificate with, choose 'Other'.
Once you have completed the procedural steps required by the CA (see the notes later in this posting) for them to issue the certificate, you should receive a signed certificate from the CA, which needs to be merged with your private key so you can load it into the Provision Server's Local Machine certificate repository. To carry out this merging process, proceed as follows:
Copy the signed certificate from the CA into a file called ZTCCERT.PEM. The file should start with the line '-----BEGIN CERTIFICATE-----' and end with the line '-----END CERTIFICATE-----'. Make sure this file is in the same directory you used to make the CSR.
Run the batch file MAKEPFX which will merge the signed certificate from the CA with the private key and produce a file ZTCCERT.PFX which you can import into the Provision Server's Local Machine certificate repository (in the personal certificate folder) using the Windows MMC certificates snap-in. The password protecting the private key is P@ssw0rd
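The following Python script is an added example and not part of the original posting or of Intel's tooling. It takes the text a CA returns (pasted from a web page or downloaded, possibly with Windows line endings, indentation, or the intermediate certificates appended after the end-entity one) and splits it into exactly the single-certificate ZTCCERT.PEM that the MAKEPFX step expects, plus any extra certificates that belong in the Intermediate store rather than in the PFX input file. The two certificate bodies in the sample are constructed five-byte DER placeholders, not real certificates; with a real CA reply the functions are used in the same way.

```python
"""Normalise the certificate text received from a CA into the ZTCCERT.PEM
format used by the MAKEPFX step (added example, not the posting's own code)."""
import base64
import binascii
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)"
    r"\s*-----END CERTIFICATE-----"
)

# Constructed sample of what a CA reply can look like: CRLF line endings,
# indentation, the end-entity certificate followed by one intermediate.
# The bodies are placeholder DER SEQUENCEs, not real certificates.
SAMPLE_CA_REPLY = (
    "  -----BEGIN CERTIFICATE-----\r\n"
    "  MAMCAQE=\r\n"
    "  -----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMC\r\n"
    "AQI=\r\n"
    "-----END CERTIFICATE-----\r\n"
)


def split_pem_certificates(text):
    """Return the DER-encoded certificates found in PEM text, in order.

    Raises ValueError for a block that is not valid base64 or whose
    decoded bytes do not begin with the DER SEQUENCE tag (0x30) that every
    X.509 certificate starts with.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate block is not valid base64: {exc}")
        if not der or der[0] != 0x30:
            raise ValueError("certificate block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def to_pem(der):
    """Re-wrap DER as canonical PEM: 64-column base64 lines, LF endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def prepare_ztccert(text):
    """Split a CA reply into (leaf_pem, [intermediate_pem, ...]).

    The first block is what goes into ZTCCERT.PEM; the remaining blocks are
    the CA's intermediates and belong in the Intermediate certificate store.
    """
    ders = split_pem_certificates(text)
    if not ders:
        raise ValueError("no '-----BEGIN CERTIFICATE-----' block found")
    return to_pem(ders[0]), [to_pem(d) for d in ders[1:]]


if __name__ == "__main__":
    # Usage: python prepare_ztccert.py <file saved from the CA>
    # Writes ZTCCERT.PEM and one ZTCCHAIN-<n>.PEM per intermediate.
    with open(sys.argv[1], "r", encoding="ascii", errors="ignore") as fh:
        leaf, chain = prepare_ztccert(fh.read())
    with open("ZTCCERT.PEM", "w", newline="\n") as fh:
        fh.write(leaf)
    for n, pem in enumerate(chain, 1):
        with open(f"ZTCCHAIN-{n}.PEM", "w", newline="\n") as fh:
            fh.write(pem)
    print(f"wrote ZTCCERT.PEM and {len(chain)} intermediate file(s)")
```

The split matters because openssl pkcs12 -in reads only the first certificate block of ZTCCERT.PEM for the end-entity certificate; keeping the intermediates in separate files makes it obvious which certificate is being merged with the private key and which ones go into the Intermediate folder of the Local Machine store.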
At this point, you should have a digital certificate suitable for use with Intel AMT and remote configuration and it should be in a format suitable for you to load into the certificate store of your Microsoft Windows based provision server
When the certificate is issued by the CA, you should also receive information describing how to download the Root and any Intermediate certificates from the CA's signing chain. You need to download all of these certificates and load them into the Provision Server's Local Machine certificate repository in the Root and Intermediate folders.
After loading all of the certificates into the Provision Server's Local Machine certificate repository, run the LOADCERT utility which comes with the Intel Setup and Configuration Service (SCS) and select the RCFG certificate as the remote configuration certificate. Use the <View> option and the Certificate Path tab to view the full certificate path and check it is valid before clicking <OK> to complete the process.
When using GoDaddy as the CA, you cannot use Standard SSL certificates; you must use High Assurance certificates for the OU information required by Intel AMT to be included in the certificate.
When requesting a certificate from a CA, you will need to provide proof of domain ownership and proof of organisational details which may include providing commercial documents. You may also be telephoned by the CA to verify commercial contact details. The CA should provide clear information on their website indicating what criteria needs to be satisfied before certificates can be issued
MAKECSR.BAT
rem Generate a new RSA key pair (ztckey.pem, left unencrypted as set by encrypt_rsa_key in ZTC.CFG)
rem and a CSR (ztcreq.pem) carrying the DN and request extensions defined in ZTC.CFG
openssl req -config ztc.cfg -new -keyout ztckey.pem -out ztcreq.pem -days 365
MAKEPFX.BAT
rem Merge the CA-signed certificate with the private key into a PKCS#12 file for import into
rem the Local Machine personal store; the PFX is protected with the password P@ssw0rd
openssl pkcs12 -export -in ztccert.pem -inkey ztckey.pem -out ztccert.pfx -name "Intel(R) RCFG Certificate" -password "pass:P@ssw0rd"
ZTC.CFG
# SSLeay example configuration file.
# This is mostly being used for generation of
# RCfg certificate requests.
[ req ]
default_bits = 1024
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
oid_section = Amt_OID
encrypt_rsa_key = no
default_md = sha1
prompt = no
req_extensions = v3_ztc

# The [ Amt_OID ] and [ v3_ztc ] sections named above (the Intel AMT OID and
# extension definitions) are referenced by this file but were not reproduced
# in the posting.

[ req_distinguished_name ]
C = GB
ST = England
L = London
O = My Company Name
OU = Intel(R) Client Setup Certificate
CN = myhostname.mydomain.com
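As an added example that is not part of the original posting or of Intel's tooling, the following Python script parses a ZTC.CFG-style request configuration and checks it before openssl req is run, so that a CSR with the wrong subject is not submitted to the CA: the five DN fields the posting tells you to edit are present, OU is exactly the Intel AMT value, CN is a fully qualified host name, prompt is off so the fixed values are used, and every section the file refers to actually exists. It also flags default_bits below 2048 and a SHA-1 digest, which public CAs no longer accept (the posting's values predate that requirement). The embedded configuration is a constructed copy of the posting's ZTC.CFG.

```python
"""Pre-flight check for an OpenSSL request configuration used to build an
Intel AMT remote-configuration CSR (added example, not the posting's own code)."""
import re

# Constructed copy of the posting's ZTC.CFG. As in the posting, the [v3_ztc]
# and [Amt_OID] sections it refers to are not defined here.
SAMPLE_CFG = """\
[ req ]
default_bits = 1024
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
oid_section = Amt_OID
encrypt_rsa_key = no
default_md = sha1
prompt = no
req_extensions = v3_ztc

[ req_distinguished_name ]
C = GB
ST = England
L = London
O = My Company Name
OU = Intel(R) Client Setup Certificate
CN = myhostname.mydomain.com
"""

REQUIRED_OU = "Intel(R) Client Setup Certificate"   # value Intel AMT expects in the subject
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_openssl_cfg(text):
    """Minimal parser for OpenSSL's INI-like config: {section: {key: value}}.

    Keys that appear before the first [section] go into the '' section,
    which is how OpenSSL treats its unnamed default section.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_rcfg_config(text):
    """Return a list of problems; an empty list means the request is ready."""
    cfg = parse_openssl_cfg(text)
    req = cfg.get("req", cfg[""])          # OpenSSL falls back to the default section
    problems = []

    dn_name = req.get("distinguished_name")
    if not dn_name:
        problems.append("distinguished_name is not set in [req]")
    dn = cfg.get(dn_name, {}) if dn_name else {}

    # The fields the posting says to edit, and the one it says not to touch.
    for field in ("C", "ST", "L", "O", "CN"):
        if not dn.get(field):
            problems.append(f"{field} is missing from [{dn_name}]")
    if dn.get("OU") != REQUIRED_OU:
        problems.append(f"OU must be exactly '{REQUIRED_OU}' for Intel AMT")
    cn = dn.get("CN", "")
    if cn and not FQDN_RE.match(cn):
        problems.append(f"CN '{cn}' is not a fully qualified host name")

    # Key size and digest acceptable to public CAs today.
    try:
        bits = int(req.get("default_bits", "0"))
    except ValueError:
        bits = 0
    if bits < 2048:
        problems.append("default_bits below 2048: public CAs will reject the request")
    if req.get("default_md", "").lower() in ("sha1", "md5"):
        problems.append("default_md is a deprecated digest: use sha256")

    # With prompt=yes the fixed 'C = GB' style entries are not used as DN values.
    if req.get("prompt", "").lower() != "no":
        problems.append("prompt must be 'no' for the fixed DN values to be used")

    # openssl req aborts if a referenced section is missing from the file.
    for option in ("req_extensions", "oid_section"):
        name = req.get(option)
        if name and name not in cfg:
            problems.append(f"{option} refers to [{name}], which is not defined")
    return problems


if __name__ == "__main__":
    for problem in check_rcfg_config(SAMPLE_CFG) or ["configuration looks ready"]:
        print(problem)
```

Run against the posting's file as reproduced, the check reports the 1024-bit key, the SHA-1 digest and the two sections that the file references but does not define; a copy edited for a real deployment should come back clean before MAKECSR is run.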