Installing AMT root certificates remotely

BZant · ‎09-11-2014

Hello,

I have a question. I'm in a project to setup and configure our desktops with AMT using SCCM 2012 R2 and using Intel SCS 9.12.74.

I'm trying to use the Intel SCS 9.1 since SCCM natively doesn't support all AMT versions.

We have our own internal PKI running, I successfully created and issued the AMT provisioning certificates for our Provisioning server, and the certificate templates for the client certificates are also ready and standby. The Microsoft procedure from http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e# BKMK_AMT2008_cm2012 Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Aut… was used for this.

Now I have the challenge of getting the machines provisioned but our internal root CA is not yet trusted by default in the AMT machines.

As far as I found, I have 2 options

Enter the thumbprint for our Root CA cert in all machines
- manually using ctrl-P :-(
- using an USB key - also manually :-(
Buy a third party AMT provisioning certificate from a vendor that is pre-trusted in AMT, so VeriSign, GoDaddy etc..

The problem here, is that we (as most of the companies) use INTERNAL Dns names for our infrastructure like company.internal and that VeriSign etc will NOT issue certificates for internal websites anymore after 1-nov-2015.

A great solution would be, that we get a utility to remotely update the root hashes in AMT, ideally some tool using the same config file as the USB tool, running remotely, or which can be scripted using SCCM.

What possibility do we have to automatically update the root hashes remotely?

TIA, B.v.Zanten

UPas · ‎10-14-2014

same problem - no real solution

according intel:

There are some discussions on private SSL solutions with Verisign, Commodo and Entrust (new one or repurposed old root –no longer used publicly –so not trusted at all) that will allow to issue RCFG certs for any invalid domains.

Adding either own cert hash to ME FW or setting up PKI DNS suffix in AMT FW (it will replace one assigned by DHCP Option 15) allows to use any domain name.

Process for adding/setting both is the same – via USB One touch (different content of setup.bin file on USB).

There is workaround but it will require cooperation with your network team:

1. Change DHCP Option 15 to a external domain (publicdomain.com) for which AMT RCFG cert can be purchased

DHCP Option 15 assigns DNS domain name to LAN systems so AMT will get this domain suffix for provisioning and it will be one checked against domain name in RCFG CN (so it will match).

2. Order AMT RCFG cert for public registered domain name from any of existing supported Public root CA.

3. Windows OS when joined to AD will get its primary DNS suffix configured to AD name. For non AD systems Primary DNS suffix can be configured in Windows.

Primary DNS suffix shall be used in AMT profile so AMT FQDN will be configured to match OS FQDN.

There may be some issues with :

a. Older printers/printservers that do not allow to configure their domain name – so they will "jump" to external domain name.

b. External domain name will be added to domain suffix search list but it shall not impact most of operations

c. Some solutions using DHCP Option 15 as ex campus/school indicator will not work properly.