2 Replies Latest reply on Feb 5, 2013 2:24 PM by Joseph Oster

    Valid certificate for PKI configuration not found during vPro Provisioning

      Hi,

       

      I'm trying to provision my vPro client with the command acuconfig configviarcsonly rcsserver.domain.com /wmiuser username /wmiuserpassword password.

       

      I've purchased my Verisign certificate with CN=rcsserver.domain.com and OU = Intel(R) Client Setup Certificate.  I've put this certificate in the service account that is running RCS server's personal certificate store and made sure I have all the Root/Intermediates to chain properly to the Verisign Root CA.  I've also validated that the hash is active and enabled and matches the Verisign Root CA hash I have.

       

      So my client's FQDN is actually client.sub1.sub2.domain.com and Primary Dns Suffix is sub1.sub2.domain.com, but my DHCP Option 15 is domain.com (I verified this by running the Intel Remote Configuration Scout and also did a Wireshark capture to validate that this is the string that is being passed).  My rcsserver is pingable both via rcsserver.domain.com and rcsserver.sub1.sub2.domain.com.  I don't have the Provisioning Server FQDN or the Secure DNS set via MEBx.  After reading the Domain Suffix Guide, I thought that if I have nothing configured, AMT would look at the DHCP Option 15 and compare it vs the suffix on the CN which would match.  However, I get the following error when I try to provision the client:

       

      2013-02-01 18:54:23: Thread:7148(DETAIL) : ACU Configurator , Category: WMI_ConfigAMT Source: Src\WMIAccess.cpp : WMI_ConfigAMT Line: 1090: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f) ((ExecMethod WMI_ConfigAMT) Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.  (0xc000521f). Valid certificate for PKI configuration not found.  (0xc00007e5).  (0xc000521f). )
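
The certificate checks described in the post above, as an added PowerShell example that is not part of the original thread. It assumes it is run as the RCS service account (so that `Cert:\CurrentUser\My` is that account's personal store), and `<ROOT-CA-THUMBPRINT>` is a placeholder for the root hash enabled in AMT; the private-key and expiry checks are additions the post does not mention.

```powershell
# Added example, not from the thread. Values below are taken from the post,
# except the thumbprint, which is a placeholder to fill in.
$RcsFqdn   = 'rcsserver.domain.com'               # CN on the purchased certificate
$SetupOu   = 'Intel(R) Client Setup Certificate'  # OU on the purchased certificate
$DhcpOpt15 = 'domain.com'                         # DHCP Option 15 seen by the client
$ExpectedRootThumbprint = '<ROOT-CA-THUMBPRINT>'  # placeholder: root hash active in AMT

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Find certificates in the current account's personal store whose CN is the RCS FQDN.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.GetNameInfo($nameType, $false) -eq $RcsFqdn }

if (-not $certs) {
    Write-Warning "No certificate with CN=$RcsFqdn in this account's personal store"
}

foreach ($cert in $certs) {
    $cn = $cert.GetNameInfo($nameType, $false)

    # Build the chain from the local stores only; revocation is not checked here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $cert.Subject
        HasPrivateKey  = $cert.HasPrivateKey
        NotExpired     = ($cert.NotAfter -gt (Get-Date))
        HasSetupOu     = $cert.Subject.Contains($SetupOu)
        # Suffix comparison as the poster describes it: Option 15 vs. the CN suffix.
        CnEndsWithOpt15 = $cn.EndsWith(".$DhcpOpt15", [StringComparison]::OrdinalIgnoreCase)
        ChainBuilds    = $built
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        RootMatches    = ($root.Thumbprint -eq $ExpectedRootThumbprint)
    }
}
```

If `ChainBuilds` is false, `ChainStatus` names the reason (for example a missing intermediate), and `RootThumbprint` is then the last certificate the chain reached rather than the real root.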

        • 1. Re: Valid certificate for PKI configuration not found during vPro Provisioning
          Joseph Oster

          Hey Jonathan

           

          Your posting suggests to me that either you have a general password error and/or an SSL error.

           

          So my first question is: are you trying to provision using TLS? If so, try provisioning with a basic profile first, by doing the following. These steps will incrementally establish if your environment is set up correctly, by using simple provisioning profiles.

           

          1. Create a SCS basic profile, with no options checked, with the exception of allow response to ping
          2. Provision Client using acuconfig and the basic profile.
            1. acuconfig.exe /lowsecurity /output console /verbose ConfigureViaRCSOnly <$SCSServerName> <ProfileName> /wmiuser domain\AMTAdmin /wmiuserpassword P@ssw0rd
            2. Verify at the end of the run “complete” is posted
          3. To test use web browser to access wired web UI on port 16992

           

          This will confirm provisioning is working; hence your VeriSign cert is correct.

           

          1. Unprovision Client – using either acuconfig or MEBx
          2. Create a SCS TLS profile, by making a copy of the basic profile and then editing it by selecting the TLS box and configuring its settings.
          3. Provision Client using acuconfig and the TLS Profile
            1. acuconfig.exe /lowsecurity /output console /verbose ConfigureViaRCSOnly <$SCSServerName> <ProfileName> /wmiuser domain\AMTAdmin /wmiuserpassword P@ssw0rd
            2. Verify at the end of the run “complete” is posted
          4. To test use web browser to access wired web UI on port 16993

           

          This will confirm that TLS provisioning is working.

           

          Let me know at what step this fails

          Joe