This issue may have multiple reasons so I need to get clarifying information.
Each platform has separate versions of AMT, I specifically need to know which versions you have.
I also highly recommend you upgrade to the latest version for each generation you have; there have been various issues with certificates, including the replacement of the Verisign G2 cert about a year ago (here is the link: http://communities.intel.com/community/openportit/vproexpert/blog/2010/04/27/microsoft-sccm-and-intel-vpro-certificates).
If this is not a Verisign cert please let me know what cert you are using.
Once I have this info I can work through the issue. One last thing on USB keys: there are a limited number of USB keys that are supported. I would contact Lenovo directly and ask them for a list of approved keys to use for provisioning.
Some additional questions I need to ask: what console would you be using, and are you looking to buy a provisioning cert or use your own? The idea of PKI is to remotely update platforms, and this will help me point you in the right direction. Currently, by just the words you use, it sounds like you have your own cert; if that is the case then it's going to be by hand or USB key. There are alternative (and possibly cheaper and less time-consuming) ways to get this done.
I think you'd be better off buying a provisioning cert from GoDaddy, VeriSign, Comodo... I looked a month ago and you can get a 2 year cert for $200.00 from GoDaddy. Those hashes are in the MEBx by default. I don't know of a way that you can put your in-house root hash into the MEBx other than getting a custom firmware load from the manufacturer or touching every machine. With the USB key method, again, you are touching every machine.