4 Replies Latest reply on Aug 2, 2008 4:41 PM by Morpheus

    Setting up SCS with a Certificate for Remote Configuration



      Was wondering if anybody has gone through the process of obtaining a certificate for Remote Configuration.

      The machines that I have have the following AMT certificates:

      Verisign Class 3 Primary CA-C1
      Verisign Class 3 Primary CA-G3
      Go Daddy Class 2 CA
      StarField Class 2 CA

      After looking at the costs, I thought that I would try and use a GoDaddy certificate as they are a lot less than the Verisign certificates.

      But I can't see how to go about it. Anybody got any experiences or ideas?

      Many thanks






        • 1. Re: Setting up SCS with a Certificate for Remote Configuration

          Hi Gibbo,

          If you need to obtain a digital certificate suitable for use with remote configuration of Intel AMT clients, the following instructions can be used in conjunction with freely available OpenSSL tools to generate a certificate signing request (CSR) suitable for submission to a CA and to construct a complete certificate suitable for use with the Microsoft Windows MMC certificates snap-in. These instructions have been proven with GoDaddy and Verisign Certificate Authorities (CAs). Please also see the notes at the end of this post, which contain information on GoDaddy certificates and the criteria you will need to satisfy for most CAs to issue you a certificate.

          OpenSSL tools for Microsoft Windows are available using the link http://www.openssl.org/related/binaries.html

          The two batch files and the ZTC.CFG configuration file referenced in the instructions below are reproduced at the end of this posting.

          1. Copy the OpenSSL tools for Microsoft Windows into a folder on a Windows client.

          2. Copy the two batch files and the configuration file at the end of this posting into the same folder.

          3. Edit the configuration file ZTC.CFG, locate the section [req_distinguished_name] and set the C, ST, L, O and CN fields to the appropriate country, state or province, location, company name and provision server FQDN. The company information must match the government or commercial company registration information, and the CN field should match the hostname and domain name of the provision server. Do not change the OU field, which is set for use with Intel AMT. Save the edited file.

          4. Run the batch file MAKECSR, which will generate public and private keys and a CSR file called ZTCREQ.PEM.

          5. Request an SSL certificate from your CA. When prompted for the CSR by the CA website, cut and paste all the contents of ZTCREQ.PEM into the CA website dialog box. If you are asked what type of software you are using the certificate with, use 'Other'.

          6. Once you have completed the procedural steps required by the CA (see notes later in this posting) for them to issue the certificate, you should receive a signed certificate from the CA which needs to be merged with your private key so you can load it into the Provision Server's Local Machine certificate repository. To carry out this merging process proceed as follows:

             a. Copy the signed certificate from the CA into a file called ZTCCERT.PEM. The file should start with the string '-----BEGIN CERTIFICATE-----' and end with '-----END CERTIFICATE-----'. Make sure this file is in the same directory as you used to make the CSR.

             b. Run the batch file MAKEPFX, which will merge the signed certificate from the CA with the private key and produce a file ZTCCERT.PFX which you can import into the Provision Server's Local Machine certificate repository (in the Personal certificate folder) using the Windows MMC certificates snap-in. The password protecting the private key is P@ssw0rd.

          At this point, you should have a digital certificate suitable for use with Intel AMT and remote configuration, and it should be in a format suitable for you to load into the certificate store of your Microsoft Windows based provision server.

          Notes

          When the certificate is issued by the CA, you should also receive information describing how to download the Root and any Intermediate certificates from the CA's signing chain. You need to download all of these certificates and load them into the Provision Server's Local Machine certificate repository in the Root and Intermediate folders.

          After loading all of the certificates into the Provision Server's Local Machine certificate repository, run the LOADCERT utility which comes with the Intel Setup and Configuration Service (SCS) and select the RCFG certificate as the remote configuration certificate. Use the <View> option and the Certificate Path tab to view the full certificate path and check it is valid before clicking <OK> to complete the process.

          When using GoDaddy as the CA, you cannot use Standard SSL certificates; you must use High Assurance certificates for the necessary OU information required by Intel AMT to be included in the certificate.

          When requesting a certificate from a CA, you will need to provide proof of domain ownership and proof of organisational details, which may include providing commercial documents. You may also be telephoned by the CA to verify commercial contact details. The CA should provide clear information on their website indicating what criteria need to be satisfied before certificates can be issued.



          Sample Files

          MAKECSR.BAT:

          REM Generate a new key pair (ZTCKEY.PEM) and the CSR (ZTCREQ.PEM) from ZTC.CFG.
          REM -keyout overrides default_keyfile in ZTC.CFG. -days only applies when
          REM -x509 is also given, so it has no effect on a CSR and is harmless here.
          openssl req -config ztc.cfg -new -keyout ztckey.pem -out ztcreq.pem -days 365

          MAKEPFX.BAT:

          REM Merge the CA-signed certificate (ZTCCERT.PEM) with the private key into
          REM ZTCCERT.PFX for import into the Local Machine store. The PFX is protected
          REM by the password given after "pass:".
          openssl pkcs12 -export -in ztccert.pem -inkey ztckey.pem -out ztccert.pfx -name "Intel(R) RCFG Certificate" -password "pass:P@ssw0rd"

          ZTC.CFG:

          # SSLeay example configuration file.
          # This is mostly being used for generation of
          # RCfg certificate requests.
          #
          # The [Amt_OID] and [v3_ztc] sections named by oid_section and
          # req_extensions below are not reproduced in this post; openssl req
          # will refuse to load the file until they are supplied.

          RANDFILE = ./.rnd

          [req]
          # 1024-bit RSA and SHA-1 were accepted by CAs in 2008; public CAs now
          # require at least 2048-bit RSA and SHA-256.
          default_bits = 1024
          # Default name for the generated key; MAKECSR's -keyout ztckey.pem overrides it.
          default_keyfile = keySS.pem
          distinguished_name = req_distinguished_name
          oid_section = Amt_OID
          encrypt_rsa_key = no
          default_md = sha1
          prompt = no
          req_extensions = v3_ztc

          [req_distinguished_name]
          C = GB
          ST = England
          L = London
          O = My Company Name
          OU = Intel(R) Client Setup Certificate
          CN = myhostname.mydomain.com










          • 2. Re: Setting up SCS with a Certificate for Remote Configuration

            Did the bottom of this post get cut out? I don't see the GoDaddy instructions.

            • 3. Re: Setting up SCS with a Certificate for Remote Configuration

              No, that's it.

              Just make sure that you order the $90 SSL, not the $20 one.

              • 4. Re: Setting up SCS with a Certificate for Remote Configuration

                Should there be a "KeySS.pem" file in the directory structure?

                it is referenced in the section