Hi, please check the AMT Implementation and Reference Guide at https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Frootcertificatehashes.htm
for the list of publicly trusted Root CAs whose root cert hashes are embedded in the AMT FW, so they are trusted by the AMT FW.
You will need an AMT Provisioning certificate (see requirements at https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Facquiringanintelvprocertificate.htm and https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm).
Please note that up to AMT 5.x it supports SHA-1 ONLY - you will need all certificates in the chain to be SHA-1 (you have to request this explicitly from the CA).
AMT 6.0 or newer added support for SHA-2, so both SHA-1 & SHA-2 certificates will work. See more details at https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/hardwareplatformarchitecture1.htm
Just for your information:
SHA-2 certificates may be supported with AMT 6.0 or higher, but they don't work, because the hash values in the AMT MEBx only point to the SHA-1 certificate hashes.
We tried to use a VeriSign/Symantec SHA-2 certificate and got an error moving the device to Admin mode.
The error message was 'Signing the Nonce failed. This command is not supported on the operating System where the RCS is running.'
The operating system and Intel SCS are both on the latest version, so it should have worked.
After checking the problem with Intel Support, we got the message that SHA-2 is supported but not implemented in version 6.0 or higher.
(We tried it with a new client with AMT version 8.0 and version 9.0.)
Because of this we had to revoke the SHA-2 certificate and use a VeriSign/Symantec SHA-1 private certificate at the moment. They still offer this method, but you can't use it for websites.
Hi, sorry for the late answer. Please note this community is not actively monitored by Intel employees.
SHA-2 leaf certificates (AMT Provisioning certificates) are supported by Intel AMT 6.0 or newer.
Intel AMT up to AMT 10 has only SHA-1 CA root certificate hashes embedded in the default AMT FW, so you will have to use the CA vendor's cross-signing certificate for the CA's SHA-2 root cert issued by the CA's SHA-1 "old" root.
All such certificates shall be installed on the RCS server so the SHA-2 leaf (AMT Provisioning certificate) trust chain will lead via the cross-sign cert to the "old" SHA-1 root from the AMT FW list.
And it works (checked it with other customers for AMT 8/9/10).
For some CAs they have different roots for SHA-1 and for SHA-2, and the new one may not be cross-signed; you will have to check this with the CA.
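A small model of the trust check described in this post, added here as an example and not Intel's or any CA's code: the certificates, CA names and the firmware hash list are all constructed, and only the chain walk to an embedded SHA-1 root hash is modelled (no signature verification, no FQDN/OU checks on the leaf). It shows why the cross-signed SHA-2 root must be installed on the RCS server and why the same chain is rejected by pre-6.0 firmware.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate; only the fields the chain
    walk needs. `der` stands in for the encoded certificate bytes that the
    firmware hashes (a real root hash is the SHA-1 of the root's actual DER)."""
    subject: str
    issuer: str
    sig_alg: str  # hash used for this certificate's own signature: "sha1" or "sha256"
    der: bytes

def root_hash(cert: Cert) -> str:
    return hashlib.sha1(cert.der).hexdigest()

# Constructed PKI (hypothetical names). The CA keeps an "old" SHA-1 root and a newer
# SHA-2 root; the SHA-2 root exists both self-signed and cross-signed by the old root.
OLD_ROOT = Cert("Example SHA-1 Root G3", "Example SHA-1 Root G3", "sha1", b"old-root-der")
NEW_ROOT_SELF = Cert("Example SHA-2 Root G5", "Example SHA-2 Root G5", "sha256", b"new-root-der")
NEW_ROOT_CROSS = Cert("Example SHA-2 Root G5", "Example SHA-1 Root G3", "sha1", b"new-root-cross-der")
LEAF = Cert("amt-provisioning.example.com", "Example SHA-2 Root G5", "sha256", b"leaf-der")

# Stand-in for the root hash list embedded in AMT FW: SHA-1 roots only (through AMT 10, per the post).
AMT_FW_ROOT_HASHES: Set[str] = {root_hash(OLD_ROOT)}

def build_trusted_chain(leaf: Cert, installed: List[Cert], fw_hashes: Set[str],
                        amt_major: int) -> Optional[List[Cert]]:
    """Walk from the leaf through the certificates the RCS server presents until a
    self-signed root whose hash is in the firmware list is reached. Returns the
    chain, or None if no path ends at an embedded hash."""
    by_subject: Dict[str, List[Cert]] = {}
    for cert in installed:
        by_subject.setdefault(cert.subject, []).append(cert)

    def walk(chain: List[Cert]) -> Optional[List[Cert]]:
        current = chain[-1]
        if amt_major < 6 and current.sig_alg != "sha1":
            return None  # AMT 5.x and older: every certificate in the chain must be SHA-1
        if current.issuer == current.subject:  # reached a root: compare against FW list
            return chain if root_hash(current) in fw_hashes else None
        for issuer_cert in by_subject.get(current.issuer, []):
            if issuer_cert in chain:  # guard against cross-cert loops
                continue
            found = walk(chain + [issuer_cert])
            if found:
                return found
        return None

    return walk([leaf])
```

With only the self-signed SHA-2 root installed the walk fails, because its hash is not in the firmware list; adding the cross-signed copy and the old root makes the chain terminate at the embedded SHA-1 hash.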