same problem - no real solution
There are some discussions on private SSL solutions with Verisign, Comodo and Entrust (a new root, or a repurposed old root no longer used publicly, so not trusted at all) that would allow issuing RCFG certs for any invalid domain.
Adding either your own cert hash to the ME FW or setting up a PKI DNS suffix in the AMT FW (it will replace the one assigned by DHCP Option 15) allows using any domain name.
The process for adding/setting both is the same: via USB one-touch (different content of the setup.bin file on the USB stick).
There is a workaround, but it will require cooperation with your network team:
1. Change DHCP Option 15 to an external domain (publicdomain.com) for which an AMT RCFG cert can be purchased.
DHCP Option 15 assigns the DNS domain name to LAN systems, so AMT will get this domain suffix for provisioning, and it will be the one checked against the domain name in the RCFG CN (so it will match).
2. Order an AMT RCFG cert for the publicly registered domain name from any of the existing supported public root CAs.
3. A Windows OS, when joined to AD, will get its primary DNS suffix configured to the AD name. For non-AD systems the primary DNS suffix can be configured in Windows.
The primary DNS suffix shall be used in the AMT profile so the AMT FQDN will be configured to match the OS FQDN.
There may be some issues with:
a. Older printers/print servers that do not allow configuring their domain name, so they will "jump" to the external domain name.
b. The external domain name will be added to the domain suffix search list, but it shall not impact most operations.
c. Some solutions using DHCP Option 15 as e.g. a campus/school indicator will not work properly.
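The post above describes three ways the AMT FW can end up accepting a provisioning certificate: the suffix from DHCP Option 15 matching the cert's domain, a PKI DNS suffix set via USB one-touch overriding Option 15, or an own root hash added to the ME FW. The script below is an added example (not from the poster and not Intel firmware code) that models that decision so you can dry-run a planned CN / Option 15 combination before ordering a cert. Everything in it is an assumption for illustration: the hash values are constructed, and the matching rule is simplified to "the parent domain of the FQDN in the CN or a SAN dNSName must equal the effective DNS suffix" (no wildcard handling, no OID/OU check).

```python
"""Simplified model of the Intel AMT remote-configuration (RCFG) domain check.

Added example, not Intel firmware code. Modeled rules (assumptions):
  * effective suffix = PKI DNS suffix if set via setup.bin, else DHCP Option 15
  * the cert's root hash must be in the FW trusted-hash list
  * parent domain of CN or a SAN dNSName must equal the effective suffix
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed thumbprints standing in for real root-CA hashes.
PUBLIC_ROOT_HASH = "aa11"   # a public root already in the ME FW trusted list
OWN_ROOT_HASH = "bb22"      # an internal PKI root, untrusted until added via USB one-touch


@dataclass
class RcfgCert:
    """Fields of a provisioning (RCFG) certificate that the check looks at."""
    cn: str                                           # subject CN, e.g. "setup.publicdomain.com"
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries, if any
    root_hash: str = ""                               # thumbprint of the chain's root CA


@dataclass
class AmtFirmware:
    """Firmware state the check depends on."""
    trusted_root_hashes: Set[str]
    pki_dns_suffix: Optional[str] = None   # from setup.bin; replaces DHCP Option 15 when set


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def parent_domain(fqdn: str) -> str:
    """Domain suffix of an FQDN: 'setup.publicdomain.com' -> 'publicdomain.com'."""
    fqdn = _norm(fqdn)
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def effective_dns_suffix(fw: AmtFirmware, dhcp_option15: Optional[str]) -> str:
    """PKI DNS suffix wins if configured; otherwise the DHCP Option 15 value is used."""
    if fw.pki_dns_suffix:
        return _norm(fw.pki_dns_suffix)
    return _norm(dhcp_option15 or "")


def check_rcfg(fw: AmtFirmware, cert: RcfgCert, dhcp_option15: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one FW / cert / DHCP combination."""
    suffix = effective_dns_suffix(fw, dhcp_option15)
    if not suffix:
        return False, "no DNS suffix available from PKI DNS suffix or DHCP Option 15"
    if cert.root_hash not in fw.trusted_root_hashes:
        return False, f"root hash {cert.root_hash!r} not in FW trusted list"
    names = [cert.cn] + list(cert.san_dns)
    if not any(parent_domain(n) == suffix for n in names):
        return False, f"no CN/SAN name under suffix {suffix!r}: {names}"
    return True, f"accepted: {cert.cn} matches suffix {suffix!r}"


def scenarios() -> dict:
    """The situations from the post, as constructed inputs."""
    public_cert = RcfgCert("setup.publicdomain.com", root_hash=PUBLIC_ROOT_HASH)
    internal_cert = RcfgCert("setup.corp.local", root_hash=OWN_ROOT_HASH)
    stock_fw = AmtFirmware(trusted_root_hashes={PUBLIC_ROOT_HASH})
    touched_fw = AmtFirmware(trusted_root_hashes={PUBLIC_ROOT_HASH, OWN_ROOT_HASH},
                             pki_dns_suffix="corp.local")
    return {
        # The original problem: internal suffix, public CA will not issue for it.
        "internal_suffix_public_cert": check_rcfg(stock_fw, public_cert, "corp.local"),
        # Workaround: network team changes Option 15 to the purchased public domain.
        "option15_changed": check_rcfg(stock_fw, public_cert, "publicdomain.com"),
        # Internal cert on stock FW fails even with a matching suffix: root untrusted.
        "internal_cert_stock_fw": check_rcfg(stock_fw, internal_cert, "corp.local"),
        # USB one-touch: own hash added and PKI DNS suffix set, so Option 15 is ignored.
        "pki_suffix_overrides_option15": check_rcfg(touched_fw, internal_cert, "publicdomain.com"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:32s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Run it as-is to see the four outcomes; to check your own plan, replace the CN, SAN list and Option 15 value in `scenarios()` with the values you intend to deploy. Note that it only models the domain and root-hash checks described in the post; the real FW applies further rules (for example the RCFG OID/OU on the cert) that are out of scope here.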