The easiest method is use an external certificate, and is not expensive, you can buy one for less than $100 dollars/year.
You have also the possibility to use USBFile.exe tool to generate a USB Key with your cert hash and touch each machine to insert the CA hash (i.e. you must restart the vPro machine with USB key plugged), for 2300 machine is time consuming.
You still need a internal PKI in order to issue certificates to each one of these 2.300 machines due TLS requirement.
You can find further details about the whole process in this guide
cool cool, much appreciated.
my web server cert template is already setup on my CA
do you recommend verisign over godaddy?
verisign seems to have a better rep but the price difference is just insane
not sure which one to pick
In fact it's used only internally, so there no technically big difference between those two CAs.
However, if you are issuing certificated to .gov outside US/Canada, only Verisign is able to issue.
Best Regards and have a Great Weekend!
I have chosen verisign, however the first step is to follow the verisign Certificate Signing Request (CSR) Generation Instructions - Microsoft IIS 6.0
which are as follows
1. Click Start > All Programs > Administrative Tools > Internet Services Manager (IIS) Manager
2. Double-click the Server Name > Web Sites folder
3. Under Web Sites, right-click the corresponding Web site you wish to secure, and select Properties.
4. Click Directory Security tab
5. Under Secure communications, click Server Certificate
6. Select Create a new certificate
Note: If you are renewing an SSL certificate, select Renew the current certificate. This will generate a CSR based on the information of the certificate currently installed on the server.
7. Select Prepare the request now, but send it later
8. Enter a name for the certificate. Please note that this is not the Common Name of the certificate request.
9. Select the bit length of 2048 for the certificate
Note: Do not check the box for Select cryptographic service provider (CSP) for this certificate
10. Complete the information requested by the IIS Certificate Wizard to create a private key that is stored locally on your server and a Certificate Signing Request that you will use during the enrollment process. The Wizard will prompt for the following X.509 attributes of the certificate:
- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
11. Click Finish to exit the IIS Certificate Wizard. A CSR file has been generated.12. Verify your CSRMy CA server sits on server A and sccm sits on server B. I want to configure amt to work within sccm, so in step 10 under common name is it best to create a dns alias and use that in case the server name ever changes?Also, were should i point the alias...to server A (my CA) or server B (sccm). Looking at this it seems to be logical to point it to server B??I am a bit confused and i don't want to screw up my certificate request.thanksStéphane
You should use the FQDN of SCCM in common name field... in fact, you must generate the CSR in the SCCM server to work.
Hi, perfect thank you.
small network question now. In the guide you attached it mentions about doing the following to routers and firewalls.
"open intel vpro technology related ports on routers and firewalls on 9971 and 16992 through 16995-out of band management ports"
I need to request this work to be done through our network department. Is there any more detailed info available somewheres or is this sufficient for them to process my request? seems vague.
9971 is the port used for provisioning
16992 - Out of Band Management (w/o TLS)
16993 - Out of Band Management (w TLS)
16994 - IDEr without TLS
16995 - IDEr with TLS
In the guide under section 2.3 Summary of prerequisites required for OOB management
its says the following:
"3rd Party Remote Configuration Certificate on each OOB Service Point to provision Intel vPro
I need a little bit of clarification on this if possible
In our organisation we have a central primary site called A and a primary child site called B and a bunch of secondary branch sites used for package distribution points. Questions is should i be able to get all clients from all branches and site B provisioned through the central primary site A with one verisign certificate sitting on central primary site A or do i need another provisioning certificate elsewhere as well?
thanks you have been great help.