topic Failed PKI provisioning in Intel vPro® Platform

Failed PKI provisioning

mrant-k — Thu, 18 May 2023 13:53:35 GMT

We are trying to adopt EMA in addition to our existing endpoint management solutions and running into some serious issues. We acquired PKI cert with valid OID from GoDaddy. The leaf cert (in the form of pfx), GoDaddy G2 Root CA, and Intermediate cert are added into the server. The first 2 devices were successfully provisioned, but then any new devices we attempt to add are failing.

- Windows Server 2019 Datacenter (US-English) (EMA server)

- Succeeded client laptop has AMT 14.1.67

- Failed Client laptops have AMT 11 and lower, and AMT 15 and above

- Verified DHCP option 15 is set with correct DNS suffix, which is also in the GoDaddy Deluxe cert

- Correct OID is verified

- Exported EMAAgent files and run -fullinstall on client

- We can see the client in EMA console as power on and connected (but unprovisioned)

- We then attempt to provision the client and it fails provisioning and we see these 2 msgs in the Failed Intel AMT SetupAdmin activation and Failed PKI provisioning

- On the client we see the Intel ME software repeated switching states from "Configured" to "Unconfigured"

- The clients are connected to LAN via USB-C ethernet dongle since these newer laptops don't come with ethernet port anymore

- We've tried searching and following many threads in this forum and other places to no avail

Any help is greatly appreciated.

Re: Failed PKI provisioning

mrant-k — Thu, 18 May 2023 17:09:30 GMT

Here's the out put from config tool if that helps.

C:\Program Files (x86)\Intel\EMAConfigTool>EMAConfigTool.exe --verbose

Intel EMA Configuration Tool
Application Version: 1.1.0.183
Scan Date: 5/18/2023 12:06:32 PM

*** Host Computer Information ***
Computer Name: "ComputerName"
Manufacturer: Dell Inc.
Model: Latitude 9520
Processor: 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz
Windows Version: Microsoft Windows 10 Enterprise
BIOS Version: 1.21.0
UUID: 4C4C4544-005A-3210-8032-C8C04F4B5233

*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 15.0.42.2235
KVM Supported: True
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True

*** ME Information ***
Version: 15.0.42.2235
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Client
Driver Installed: True
Driver Version: 2220.3.1.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2220.3.1.0
MicroLMS State: NotPresent
EHBC Enabled: False

*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: False
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: False
KVM Enabled: False
RSE Enabled: True

*** Power Management Capabilities ***
Supported Power States:
5: PowerCycle_Off_Soft
8: Off_Soft
2: On
10: Master_Bus_Reset
11: NMI
7: Hibernate
12: Off_Soft_Graceful
14: MasterBusReset_Graceful
Power Change Capabilities:
2: On
3: SleepLight
4: SleepDeep
7: Hibernate
8: Off_Soft

*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED

*** ME Wired Network Information ***
ME Wired Interface Not Detected

*** ME Wireless Network Information ***
Wireless Interface Enabled: False
Link Status: Down
IP Address: 0.0.0.0
MAC Address: "mac_address"
DHCP Enabled: True
DHCP Mode: Passive

*** Root Certificate Hash Entries ***
Root Cert 1: Go Daddy Class 2 CA, SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default;
Root Cert 2: Go Daddy Root CA-G2, SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default;
Root Cert 3: Comodo AAA CA, SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default;
Root Cert 4: Starfield Class 2 CA, SHA256, 14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58, Active, Default;
Root Cert 5: Starfield Root CA-G2, SHA256, 2C:E1:CB:0B:F9:D2:F9:E1:02:99:3F:BE:21:51:52:C3:B2:DD:0C:AB:DE:1C:68:E5:31:9B:83:91:54:DB:B7:F5, Active, Default;
Root Cert 6: VeriSign Class 3 Primary CA-G5, SHA256, 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF, Active, Default;
Root Cert 7: Baltimore CyberTrust Root, SHA256, 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB, Active, Default;
Root Cert 8: Cybertrust Global Root, SHA256, 96:0A:DF:00:63:E9:63:56:75:0C:29:65:DD:0A:08:67:DA:0B:9C:BD:6E:77:71:4A:EA:FB:23:49:AB:39:3D:A3, Active, Default;
Root Cert 9: Verizon Global Root, SHA256, 68:AD:50:90:9B:04:36:3C:60:5E:F1:35:81:A9:39:FF:2C:96:37:2E:3F:12:32:5B:0A:68:61:E1:D5:9F:66:03, Active, Default;
Root Cert 10: Entrust.net CA (2048), SHA256, 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77, Active, Default;
Root Cert 11: Entrust Root CA, SHA256, 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C, Active, Default;
Root Cert 12: Entrust Root CA-G2, SHA256, 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39, Active, Default;
Root Cert 13: VeriSign Universal Root CA, SHA256, 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C, Active, Default;
Root Cert 14: Affirm Trust Premium, SHA256, 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A, Active, Default;
Root Cert 15: DigiCert Global Root CA, SHA256, 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61, Active, Default;
Root Cert 16: DigiCert Global Root G2, SHA256, CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F, Active, Default;
Root Cert 17: DigiCert Global Root G3, SHA256, 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0, Active, Default;
Root Cert 18: DigiCert Trusted Root G4, SHA256, 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88, Active, Default;
Root Cert 19: GlobalSign NP RSA CA 2018, SHA256, 67:54:0A:47:AA:5B:9F:34:57:0A:99:72:3C:FE:FA:96:A9:6E:E3:F0:D9:B8:BF:4D:EF:94:40:B8:06:5D:66:5D, Active, Default;
Root Cert 20: GlobalSign NP ECC CA 2018, SHA256, 72:24:39:52:22:CD:58:8C:4F:26:83:71:69:22:AD:DB:41:E3:9B:58:1A:C3:4F:A8:7B:39:EF:A8:96:FB:B3:9E, Active, Default;
Root Cert 21: GlobalSign Root CA - R3, SHA256, CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B, Active, Default;
Root Cert 22: GlobalSign ECC Root CA - R5, SHA256, 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24, Active, Default;
Root Cert 23: GlobalSign Root CA - R6, SHA256, 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69, Active, Default;

Pausing before ending process in 3 sec. The duration of this pause can be adjusted using the --delayterm option.

Re: Failed PKI provisioning

MIGUEL_C_Intel — Fri, 19 May 2023 00:26:52 GMT

Hello, mrant-k,

The issue seems to be a hardware limitation. The endpoints (client) need to have Intel® vPro in the processor, chipset, and embedded network card (only Intel® wired and wireless cards). Few docking stations are prepared for Intel® vPro.

I suggest you try the following:
1- Review the EMA agent profile settings, and make sure the WiFi configuration is set. If not, do the changes and re-install the new EMA agent file to the endpoints.
2- Unplug the USB-C ethernet dongle and try the provisioning and connection using the WiFi connection. I am sorry for the limitation.

Bear in mind, Intel® EMA requires endpoints with AMT version 11.8.79 and later.

Look forward to your response.

Regards,
Miguel C.
Intel Customer Support Technician

Re:Failed PKI provisioning

MIGUEL_C_Intel — Tue, 23 May 2023 17:31:32 GMT

Hello, mrant-k,

I hope this email finds you well.

By any chance, have you been able to work on my previous suggestions?

Look forward to your response.

Regards,

Miguel C.

Intel Customer Support Technician

Re: Failed PKI provisioning

mrant-k — Tue, 23 May 2023 19:11:42 GMT

Hello Miguel,

Unfortunately, still hasn't worked for us. We use certificate-based authentication for corporate WiFi, and I have not been able to PKI provision any of these new laptops that don't have ethernet port even after creating WiFi profile to my best knowledge. If I do host-based provisioning, it provisions just fine, but then it goes to CCM mode.

Re:Failed PKI provisioning

MIGUEL_C_Intel — Tue, 23 May 2023 21:02:25 GMT

Hello, mrant-k,

Thank you for your update.

Thank you for your update on the status of the laptops.

Please keep using the wireless network card. The full provisioning of the laptops in Admin control mode requires manual configuration the first time. It is necessary to include the PKI DNS suffix manually into the MEBx (AMT BIOS).

Please review if the PKI DNS suffix was included.

Steps:

-Adding PKI DNS suffix to MEBx

-From the MEBx Main Menu, click MEBx Login, and type your password. The Default is admin, if I am not wrong, you set a password for all the endpoints in the EMA web console. If a randomized password was set, select the endpoint, click the Actions button, and it displays the password of the endpoint.

-Click over Intel® AMT Configuration

-Scroll down and select Remote Setup and Configuration

-Select TLS PKI

-Select PKI DNS Suffix, hit enter

-Type your PKI DNS Suffix, hit Enter

The new Window will display the new PKI DNS Suffix

-Then, keep pressing Exit until you close MEBX.

At this point, the Endpoint will be in Admin Mode with the company PKI DNS Suffix.

Details in the document: Configuring LAN-less Endpoints to ACM https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/configuring-lan-less-endpoints-to-acm.pdf

Look forward to your response.

Regards,

Miguel C.

Intel Customer Support Technician

Re: Re:Failed PKI provisioning

mrant-k — Tue, 23 May 2023 21:58:56 GMT

Hi Miguel,

I deprovisioned one of the laptops, uninstall agent, and "stop managing endpoint" in EMA. And follow your instructions to enter those info, yet the issue persists.

Re:Failed PKI provisioning

MIGUEL_C_Intel — Tue, 23 May 2023 23:28:33 GMT

Hello, mrant-k,

I am sorry to hear about the issue. Do you mind confirming if the PKI DNS suffix was included manually in MEBx BIOS? In addition, if you are using the wireless card instead of the USB-Network dongle.

The PKI DNS suffix needs to match the PKI DNS of the AMT certificate. Do you mind sending a new EMA Configuration log from the endpoint that you are trying to provision?

EMA Configuration Tool

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

Run:

a-Open a command prompt (alternatively, you can run the tool from within Windows PowerShell*) as administrator.

b-Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c-Run the command: EMAConfigTool.exe –verbose

Look forward to your response.

Regards,

Miguel C.

Intel Customer Support Technician

Re: Failed PKI provisioning

mrant-k — Wed, 24 May 2023 16:26:52 GMT

Hello Miguel,

Yes, I confirm DNS suffix is added to MBEx. The laptops are directly connected to corp WiFi. Here's verbose result of one of the laptops.

C:\Program Files (x86)\Intel\EMAConfigTool>EMAConfigTool.exe --verbose

Intel EMA Configuration Tool
Application Version: 1.1.0.183
Scan Date: 5/24/2023 8:17:57 AM

*** Host Computer Information ***
Computer Name: LTxxxx
Manufacturer: Dell Inc.
Model: Latitude 9520
Processor: 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz
Windows Version: Microsoft Windows 10 Enterprise
BIOS Version: 1.21.0
UUID: 4C4C4544-005A-3210-8032-C8C04F4B5233

*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED

*** ME Wired Network Information ***
ME Wired Interface Not Detected

*** ME Wireless Network Information ***
Wireless Interface Enabled: False
Link Status: Down
IP Address: 0.0.0.0
MAC Address: Information Unavailable
DHCP Enabled: True
DHCP Mode: Unknown

*** Root Certificate Hash Entries ***
Root certs HERE

Re: Failed PKI provisioning

mrant-k — Wed, 24 May 2023 13:22:10 GMT

Client logs also show pretty much the same as before.

Re:Failed PKI provisioning

MIGUEL_C_Intel — Wed, 24 May 2023 22:24:59 GMT

Hello, mrant-k,

The ECT log is showing the PKI DNS as not found in this wireless machine. Please remember the ethernet USB dongle is not supported.

Please review the MEBx BIOS, and check if the PKI DNS suffix is there. I sent you an email with a Word document with pictures as an example. Please review if the machine is running the latest BIOS and Management Engine Interface driver.

We can continue privately in order to gather the EMA url that you are using, the PKI DNS suffix, the certificate configuration, and how many endpoints will you provision.

Look forward to your response; if there is no response to this email, I will send you a follow-up on 5/26/2023.

Regards,

Miguel C.

Intel Customer Support Technician

Re: Failed PKI provisioning

mrant-k — Thu, 25 May 2023 15:06:30 GMT

Hello Miguel,

I confirm the correct dns suffix was already set. We are not using USB dongle nor docking sttion.

Yet, I'm still getting the same "Failed PKI provisioning" error.

Did follow your instructions, too.

log into MEBx
full unprovision

In addition to that,

I also ran "EMAConfigTool.exe --unconfigure --password PASSWORD" and got confirmation it was successfully unconfigured
And then I uninstalled the agent
Logged into MEBx again and made sure it is full unprovisioned and the DNS suffix is still there
Logged back into Windows and reinstalled the agent
Get that very same error

Re: Failed PKI provisioning

mrant-k — Thu, 25 May 2023 15:27:38 GMT

Here are the new agent logs:

[2023-05-25 10:24:42.803 AM] \Agent\MeshManageability\agent\core\meshctrl.c:1143 Packet is not encrypted correctly or uses an old key. Last error: 0
[2023-05-25 10:24:52.888 AM] \Agent\MeshManageability\agent\core\meshctrl.c:1143 Packet is not encrypted correctly or uses an old key. Last error: 0
[2023-05-25 10:25:01.826 AM] \Agent\MeshManageability\agent\core\meshctrl.c:1143 Packet is not encrypted correctly or uses an old key. Last error: 0

Re:Failed PKI provisioning

MIGUEL_C_Intel — Thu, 25 May 2023 19:34:29 GMT

Hello, mrant-k,

It seems GoDaddy’s certificate does not match Intel® EMA requirements, the root, intermediate, and leaf need to be SHA256.

Please validate this information by doing the following:

-Open IIS, go to the personal store, and open the Certificate, you should see the Cert. chain (3 lines) in the Certificate Path tab.

-Open each line (Details tab) and verify they match the encryption of SHA 256 (SHA2) (2048 bits).

-In addition, for the leaf; from the Details tab, scroll down and confirm the Enhanced Key usage matches the OID number 2.16.840.1.113741.1.2.3.

I would appreciate it if you can share screenshots.

Look forward to your response.

Regards,

Miguel C.

Intel Customer Support Technician

Re: Failed PKI provisioning

mrant-k — Thu, 25 May 2023 19:51:36 GMT

Hi Miguel,

Here's my GoDaddy SSL with correct OID.

The chain however shows "Go Daddy Class 2 Cert Authority" having SHA1.

The other two certs (Go Daddy Root CA and Go Daddy Secure CA) have SHA256.

Re:Failed PKI provisioning

MIGUEL_C_Intel — Thu, 25 May 2023 23:18:33 GMT

Hello, mrant-k,

You are right, the certificate chain is wrong.

It is necessary to get in touch with GoDaddy. The Certificate chain usually has 3 lines only. I am sending a link with an example of the Root section of the certificate.

https://certs.godaddy.com/repository/gdroot-g2.crt

Regards,

Miguel C.

Intel Customer Support Technician

Re: Failed PKI provisioning

mrant-k — Tue, 30 May 2023 15:39:41 GMT

Hi Miguel,

I did contact them, but they didn't have any clue what needs to be done. In fact, most of the support reps I've been dealing at Go Daddy aren't familiar with vPro at all. Can you tell me what information I need to relay to them so I can get a correct cert?

Re: Failed PKI provisioning

MIGUEL_C_Intel — Tue, 30 May 2023 16:24:53 GMT

Hello, mrant-k,

I apologize for the inconvenience experienced with GoDaddy. I have a piece of old information, hopefully, this with help as a guide.

While you are selecting the type of certificate, choose the option that says: Organizational Validation (OV) SLL Certificate.

Then, a pop-up should appear, and select Intel® vPro.

I look forward to hearing from you.

Regards,

Miguel C.

Intel Customer Support Technician

Re: Failed PKI provisioning

mrant-k — Tue, 30 May 2023 18:55:24 GMT

Hi Miguel,

That was how I set up our cert. It is why some of the devices are getting provisioned successfully. The issue here is that some devices don't get provisioned. One thing I notice is that if I open the cert on my laptop, I can see it has presumably correct certificate chain.

But if I open it on vPro server, it shows one additional CA (the class 2 one) in the chain for some reason.

Re:Failed PKI provisioning

MIGUEL_C_Intel — Tue, 30 May 2023 22:23:42 GMT

Hello, mrant-k,

Thank you for your quick response.

The certificate is showing an extra line as you mentioned, and it is SHA1. This is the Certificate issue. We need a Certificate chain with SHA2 (SHA256) in all the lines.

I found this public GoDaddy link, it talks about how to request an Intel® vPro Certificate. Please review it and confirm with GoDaddy if they send you the correct certificate.

GoDaddy certificate instructions

https://www.godaddy.com/help/intel-vpro-certificate-info-5260

If I understand correctly, it is necessary to choose the “Organizational Validation (OV) SLL Certificate” option. When the product is added to the shopping cart, the terminology changes to “You’ve chosen a Deluxe SSL OV”.

I hope that Go Daddy will provide the correct Cert this time.