https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516254#M6090 <P>Translator</P><P></P><P>You'll need to make sure your certificate and private key are in the correct format. Using the Manageability Director tool you'll want to make sure you select either <B>Intel AMT Remote Console Certificate </B>or <B>All Permissions Certificate</B> and enter the FQDN of the AMT computer for the Common name. Once created you will need to save off the certificate as a base-64 .CER file as well as a .PFX file that includes your private key.</P><P></P><P>Take the PFX file and extract the private key using Openssl.</P><OL><LI>Openssl pkcs12 –in <A>c:\path\cert.pfx</A> –out <A>c:\path\cert.key</A></LI><LI>Enter password used to secure PFX certificate</LI><LI>Enter a PEM pass phrase</LI><LI>Verify PEM pass phrase</LI></OL><P></P><P>After extracting your private key you'll need to convert the Encrypted Private Key file to an RSA Private Key.</P><OL><LI>Openssl rsa –in <A>c:\path\cert.key</A> –out <A>c:\path\newcert.key</A></LI></OL><P></P><P></P><P>The new private key should begin and end with:</P><P></P><P>-----BEGIN RSA PRIVATE KEY-----</P><P></P><P>-----END RSA PRIVATE KEY-----</P><P></P><P>Use this new private key in your configuration profile.</P><P></P><P></P><P>Regards,</P><P>Alan</P> Wed, 23 Aug 2017 23:58:52 GMT Alan_A_Intel2 2017-08-23T23:58:52Z https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516253#M6089 <P>My office pc has an AMT 11 enabled board, and I want to switch it on/off and reboot out-of-band via Internet (port 16992). </P><P>&nbsp;</P>I've managed to get the WebUI of AMT working perfectly, but the conncetion is not encrypted. So I want to enable the TLS function of AMT (port 16993).<P>From the documentation I learned that I should choose the Host-based Provisioning method which is provided by Intel's configuration utility (ACUconfig.exe). The utility works and is able to modify some settings in my board's AMT/ME firmware. But if I check the TLS box and enter certificate files, it doesn't work anymore but displays "File decryption failed".</P><P>So far I used a self-signed certificate, created by the Manageability Director tool and exported as files. Maybe this is a wrong way. How can I enable TLS? I don't need remote provisioning, KVM, SOL etc. I need WebUI only, but with TLS. </P> Wed, 09 Aug 2017 13:32:38 GMT https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516253#M6089 RKell5 2017-08-09T13:32:38Z https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516254#M6090 <P>Translator</P><P></P><P>You'll need to make sure your certificate and private key are in the correct format. Using the Manageability Director tool you'll want to make sure you select either <B>Intel AMT Remote Console Certificate </B>or <B>All Permissions Certificate</B> and enter the FQDN of the AMT computer for the Common name. Once created you will need to save off the certificate as a base-64 .CER file as well as a .PFX file that includes your private key.</P><P></P><P>Take the PFX file and extract the private key using Openssl.</P><OL><LI>Openssl pkcs12 –in <A>c:\path\cert.pfx</A> –out <A>c:\path\cert.key</A></LI><LI>Enter password used to secure PFX certificate</LI><LI>Enter a PEM pass phrase</LI><LI>Verify PEM pass phrase</LI></OL><P></P><P>After extracting your private key you'll need to convert the Encrypted Private Key file to an RSA Private Key.</P><OL><LI>Openssl rsa –in <A>c:\path\cert.key</A> –out <A>c:\path\newcert.key</A></LI></OL><P></P><P></P><P>The new private key should begin and end with:</P><P></P><P>-----BEGIN RSA PRIVATE KEY-----</P><P></P><P>-----END RSA PRIVATE KEY-----</P><P></P><P>Use this new private key in your configuration profile.</P><P></P><P></P><P>Regards,</P><P>Alan</P> Wed, 23 Aug 2017 23:58:52 GMT https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516254#M6090 Alan_A_Intel2 2017-08-23T23:58:52Z https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516255#M6091 <P>Thanks for your answer. I had to modify your receipe slightly, because the Manageability Director exports binary .cer but not base64 .cer. So I imported the binary .cer into the Windows Cert Manager and exported it back as a base64 .cer file.</P><P>Then, after having followed all remaining steps of your receipe, I had the two files as described in Intel(R)_AMT_Configuration_Utility.pdf V11.1. But it doesn't work. </P><P></P><P>Log file:</P><P>&nbsp;</P>2017-08-25 10:12:32: Thread:5384(ERROR) : ACU.dll, Category: Configure Profile Source: ACUDll.cpp : ConfigureAMT Line: 1905: <B>Failed to read certificates from given files. Reason: File decryption failed. </B><P>&nbsp;</P>2017-08-25 10:12:32: Thread:5384(ERROR) : RDESK3, Category: Configure Profile Source: ACUDll.cpp : ConfigureAMT Line: 2389: Configure Profile Failed: File decryption failed. (0xc000028f). <P>&nbsp;</P>2017-08-25 10:12:32: Thread:5384(DETAIL) : localhost, Category: end function Source: ACUDll.cpp : ConfigureAMT Line: 2499: <P>&nbsp;</P>2017-08-25 10:12:32: Thread:5384(ERROR) : ACU.dll, Category: Profile Configuration Source: ACUDll.cpp : ClientControlConfiguration Line: 3399: File decryption failed. (0xc000028f). <P>&nbsp;</P>2017-08-25 10:12:32: Thread:5384(DETAIL) : ACU Configurator , Category: -END- Source: ACUDll.cpp : ClientControlConfiguration Line: 3418: ***** END <P></P><P>I could look into ACUDll.cpp but there are no source files available? </P> Fri, 25 Aug 2017 09:15:20 GMT https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516255#M6091 RKell5 2017-08-25T09:15:20Z https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516256#M6092 <P>When you open your key file how does the BEGIN and END read, what's the exact text?</P><P></P><P>-----BEGIN RSA PRIVATE KEY-----</P><P></P><P>OR</P><P>&nbsp;</P><P></P><P>-----BEGIN ENCRYPTED PRIVATE KEY-----</P><P></P><P></P><P></P><P>Also, did you install the Manageability Director Self-signed Root certificate into the target client's Computer account Trusted Root Certificate store? </P><P></P><P>Regards,</P><P>Alan</P> Mon, 28 Aug 2017 19:18:40 GMT https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516256#M6092 Alan_A_Intel2 2017-08-28T19:18:40Z https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516257#M6093 <P>"When you open your key file how does the BEGIN and END read, what's the exact text?"</P><P></P><P>Copy from the file:</P><P>-----BEGIN RSA PRIVATE KEY-----</P><P>and</P><P>-----END RSA PRIVATE KEY-----</P><P></P><P>"did you install the Manageability Director Self-signed Root certificate into the target client's Computer account Trusted Root Certificate store"</P><P></P><P>Yes, I did. Additionally I put a copy into the Admin account Trusted Root Certificate store.</P> Tue, 29 Aug 2017 12:27:03 GMT https://community.intel.com/t5/Intel-vPro-Platform/Enabling-TLS-via-SCS-Hoste-based-method/m-p/516257#M6093 RKell5 2017-08-29T12:27:03Z