8 Replies Latest reply on Mar 7, 2011 2:46 PM by stepland

    Vpro activation question

    stepland

      Hi, we have been buying vPro technology enabled desktops and laptops for a few years now with the intention of enabling it down the road, well we are now down that road  :O)

      I went through the training video and intend on enabling this through SCCM.

      My question is: I intended to use internal provisioning certs from our CA but have not gotten our Dell and HP vendors to include our root cert hash into the vPro firmware from scratch. From what I read there is no easy way to copy it to all our clients. Am I screwed as far as internal provisioning certs go? Am I forced to go with an external cert?

      We have about 2300 clients out there.

      Thank you

        • 1. Re: Vpro activation question
          brunodom

          Stéphane,

           

               The easiest method is to use an external certificate, and it is not expensive; you can buy one for less than $100 per year.

               You also have the possibility to use the USBFile.exe tool to generate a USB key with your cert hash and touch each machine to insert the CA hash (i.e. you must restart the vPro machine with the USB key plugged in); for 2,300 machines that is time consuming.

               You still need an internal PKI in order to issue certificates to each one of these 2,300 machines due to the TLS requirement.

               You can find further details about the whole process in this guide.

           

          Best Regards!

          --bruno

          • 2. Re: Vpro activation question
            stepland

             Cool cool, much appreciated.

             My web server cert template is already set up on my CA.

             Do you recommend VeriSign over GoDaddy?

             VeriSign seems to have a better rep, but the price difference is just insane.

             Not sure which one to pick.

             Please advise.

             Thanks man

            • 3. Re: Vpro activation question
              brunodom

              Stéphane,

               

                   In fact it's used only internally, so there is technically no big difference between those two CAs.

                   However, if you are issuing certificates to .gov outside US/Canada, only VeriSign is able to issue.

               

              Best Regards and have a Great Weekend!

              --bruno

              • 4. Re: Vpro activation question
                stepland

                 OK, thanks.

                 I have chosen VeriSign; however, the first step is to follow the VeriSign Certificate Signing Request (CSR) Generation Instructions - Microsoft IIS 6.0,

                 which are as follows:

                 1.  Click Start > All Programs > Administrative Tools > Internet Services Manager (IIS) Manager

                 2.  Double-click the Server Name > Web Sites folder

                3.  Under Web Sites, right-click the corresponding Web site you wish to secure, and select Properties.

                4.  Click Directory Security tab

                5.  Under Secure communications, click Server Certificate

                6.  Select Create a new certificate

                Note:  If you are renewing an SSL certificate, select Renew the current certificate. This will generate a CSR based on the information of the certificate currently installed on the server.

                7.  Select Prepare the request now, but send it later

                8.  Enter a name for the certificate. Please note that this is not the Common Name of the certificate request.

                9.  Select the bit length of 2048 for the certificate

                Note: Do not check the box for Select cryptographic service provider (CSP) for this certificate

                10.  Complete the information requested by the IIS Certificate Wizard to create a private key that is stored locally on your server and a Certificate Signing Request that you will use during the enrollment process.  The Wizard will prompt for the following X.509 attributes of the certificate:

                - Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
                - State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
                - Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
                - Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
                - Organizational Unit (OU): This field is the name of the department or organization unit making the request.
                - Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".

                 

                VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

                 11.  Click Finish to exit the IIS Certificate Wizard. A CSR file has been generated.

                 My CA server sits on server A and SCCM sits on server B. I want to configure AMT to work within SCCM, so in step 10 under Common Name, is it best to create a DNS alias and use that in case the server name ever changes?

                 Also, where should I point the alias... to server A (my CA) or server B (SCCM)? Looking at this it seems to be logical to point it to server B??

                 I am a bit confused and I don't want to screw up my certificate request.

                 Thanks

                 Stéphane
                • 5. Re: Vpro activation question
                  brunodom

                  Hi Stéphane,

                   

                       You should use the FQDN of SCCM in the Common Name field... in fact, you must generate the CSR on the SCCM server for it to work.

                   

                  Best Regards!

                  --bruno
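As an added illustration of the advice above (this is example code, not something posted in the thread or shipped with SCCM), the following PowerShell builds a certreq.exe request file whose Common Name is the SCCM server's own FQDN and generates the 2048-bit CSR on that server, so the private key is created and stays in the local machine store. The FQDN is read from the machine the script runs on; the organisation, locality, state and country values are placeholders to replace with your own.

```powershell
# Added example (not from the thread): generate the provisioning-certificate CSR
# on the SCCM server, with CN = the SCCM server's FQDN, as the reply recommends.
function New-AmtProvisioningCsr {
    param(
        # Defaults to the FQDN of the machine this runs on, i.e. the SCCM server.
        [string]$SccmFqdn     = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName),
        [string]$Organization = 'Example Corporation',   # placeholder
        [string]$OrgUnit      = 'IT',                    # placeholder
        [string]$Locality     = 'Montreal',              # placeholder
        [string]$State        = 'Quebec',                # placeholder (spell out, do not abbreviate)
        [string]$Country      = 'CA',                    # placeholder (two-letter code)
        [string]$OutDir       = "$env:SystemDrive\AmtCert"
    )

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $infPath = Join-Path $OutDir 'amt-provisioning.inf'
    $csrPath = Join-Path $OutDir 'amt-provisioning.req'

    # The subject's CN must be the SCCM server FQDN; the other RDNs follow the
    # CA's enrollment form (no shift-key symbols in O, full state name, etc.).
    $subject = "CN=$SccmFqdn, OU=$OrgUnit, O=$Organization, L=$Locality, S=$State, C=$Country"

    # certreq.exe INF: 2048-bit RSA key, non-exportable, in the machine store,
    # PKCS#10 request, Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeyAlgorithm = RSA
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
    Set-Content -Path $infPath -Value $inf -Encoding ASCII

    # Creates the key pair locally and writes the Base64 CSR to $csrPath.
    & certreq.exe -new $infPath $csrPath | Out-Null

    # Return the CSR text, which is what gets pasted into the CA's enrollment form.
    Get-Content -Path $csrPath
}

# Usage on the SCCM server (values are placeholders):
New-AmtProvisioningCsr -Organization 'Example Corporation' -Locality 'Montreal' -State 'Quebec' -Country 'CA'
```

Because the key is marked non-exportable and created in the machine store, the issued certificate can later be bound to that same key only on the server where the CSR was generated, which is exactly why the request has to be made on the SCCM server rather than on the CA.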

                  • 6. Re: Vpro activation question
                    stepland

                     Hi, perfect, thank you.

                     Small network question now. In the guide you attached it mentions doing the following to routers and firewalls:

                     "open intel vpro technology related ports on routers and firewalls on 9971 and 16992 through 16995-out of band management ports"

                     I need to request this work to be done through our network department. Is there any more detailed info available somewhere, or is this sufficient for them to process my request? It seems vague.

                     Thanks again

                     Stéphane

                    • 7. Re: Vpro activation question
                      brunodom

                      Stéphane,

                       

                           9971 is the port used for provisioning

                           16992 - Out of Band Management (w/o TLS)

                           16993 - Out of Band Management (w TLS)

                           16994 - IDEr without TLS

                           16995 - IDEr with TLS

                       

                      Best Regards!

                      --bruno
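To turn the port list above into something a network team can act on, here is an added PowerShell example (not from the thread or the guide) that records each port with its role, TLS status and traffic direction, writes out a firewall request for a given client subnet and management host, and checks from the SCCM server which AMT ports a client actually answers on. The direction assignments (clients call the provisioning server on 9971; the management console reaches into clients on 16992-16995) and the subnet and host names in the usage lines are assumptions you should adapt.

```powershell
# Added example (not from the thread): vPro/AMT port table, firewall request
# text, and a per-client reachability check that flags TLS-less exposure.
$VproPorts = @(
    [pscustomobject]@{ Port = 9971;  Protocol = 'TCP'; Role = 'Provisioning (client -> provisioning server)'; Tls = $false }
    [pscustomobject]@{ Port = 16992; Protocol = 'TCP'; Role = 'Out of Band Management (no TLS)';             Tls = $false }
    [pscustomobject]@{ Port = 16993; Protocol = 'TCP'; Role = 'Out of Band Management (TLS)';                Tls = $true  }
    [pscustomobject]@{ Port = 16994; Protocol = 'TCP'; Role = 'IDE redirection (no TLS)';                    Tls = $false }
    [pscustomobject]@{ Port = 16995; Protocol = 'TCP'; Role = 'IDE redirection (TLS)';                       Tls = $true  }
)

function New-VproFirewallRequest {
    param(
        [Parameter(Mandatory)][string]$ClientSubnet,    # e.g. '10.10.0.0/16' (placeholder)
        [Parameter(Mandatory)][string]$ManagementHost,  # SCCM OOB service point FQDN/IP (placeholder)
        [switch]$AllowNonTls                            # omit once TLS provisioning is working
    )
    foreach ($p in $VproPorts) {
        # Only the TLS management ports (and the provisioning port) are requested by default.
        if (-not $p.Tls -and $p.Port -ne 9971 -and -not $AllowNonTls) { continue }
        if ($p.Port -eq 9971) {
            $src = $ClientSubnet;   $dst = $ManagementHost   # clients initiate provisioning
        } else {
            $src = $ManagementHost; $dst = $ClientSubnet     # console initiates management sessions
        }
        'permit {0} {1} -> {2} port {3}   # {4}' -f $p.Protocol, $src, $dst, $p.Port, $p.Role
    }
}

function Test-VproClient {
    param([Parameter(Mandatory)][string]$ComputerName)
    # 9971 is inbound to the provisioning server, so it is not probed on a client.
    $results = foreach ($p in ($VproPorts | Where-Object { $_.Port -ne 9971 })) {
        $open = (Test-NetConnection -ComputerName $ComputerName -Port $p.Port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Port = $p.Port; Role = $p.Role; Tls = $p.Tls; Open = $open }
    }
    $openNonTls = @($results | Where-Object { $_.Open -and -not $_.Tls })
    $openTls    = @($results | Where-Object { $_.Open -and $_.Tls })
    if ($openNonTls.Count -gt 0 -and $openTls.Count -eq 0) {
        Write-Warning "$ComputerName answers only on non-TLS AMT ports; verify TLS provisioning before opening these across the WAN."
    }
    $results
}

# Usage (placeholders): text for the network department, then a check of one client.
New-VproFirewallRequest -ClientSubnet '10.10.0.0/16' -ManagementHost 'sccm01.corp.example.com'
Test-VproClient -ComputerName 'client0001.corp.example.com' | Format-Table -AutoSize
```

Asking the network team for the TLS ports only (16993 and 16995) plus 9971, and keeping 16992 and 16994 closed at routers and firewalls, limits the fleet to encrypted management once the provisioning certificate is in place; the `-AllowNonTls` switch is there for the transition period only.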

                      • 8. Re: Vpro activation question
                        stepland

                         Thanks Bruno,

                         Another question.

                         In the guide, under section 2.3 Summary of prerequisites required for OOB management,

                         it says the following:

                         "3rd Party Remote Configuration Certificate on each OOB Service Point to provision Intel vPro
                         technology-based systems"

                         I need a little bit of clarification on this if possible.

                         In our organisation we have a central primary site called A and a primary child site called B and a bunch of secondary branch sites used for package distribution points. Question is, should I be able to get all clients from all branches and site B provisioned through the central primary site A with one VeriSign certificate sitting on central primary site A, or do I need another provisioning certificate elsewhere as well?

                         Thanks, you have been a great help.

                         Stéphane