Certificate name mismatch

theperfectwave · ‎05-26-2010

Hi,

I tried to configure TLS for my AMT-KVM as shown in:
http://www.youtube.com/watch?v=KroJHYyarng

After setting the profile to the AMT computer, the icon of the computer changes to red.
Also the following warning is shown in the field "Connection Warnings":

Computer name, connection name, DNS name, Certificate name mismatch.

What can be the reason and solution for this problem?

Thanks for your hints in advance.

P.S.:
The version of my ME is: 6.1.1.1045
And I used the AMT Director from the following package: "Manageability_Developer_Tool_Kit_0_6_0937_2.msi"

Andrew_S_Intel2 · ‎05-26-2010

First off, what computer are you using?I know you updated to 6.1.1.1045 a few weeks ago to add a KVM resolution, but I've been wondering since then what hardware you have. I didn't realize that firmware was already available on OEM systems.

Offhand, I'd say there might be issues because you're using an older version of the manageability developer toolkit (from February of last year) on a new platform with firmware that just released a couple of weeks ago. But the error you're getting seems to indicate thatthere's a naming issue with the certificate. If you're using IP addresses instead of FQDN's for the cert common name, are you using DHCP in your environment for both the AMT system and the system running the director software?

TLS can be tricky, if configured incorrectly you can disable access to the AMT machine. Javier had a good post on his experience (and how he debugged issues) with TLS last year when he went through this effort. He was actually using mutual TLS instead of just Server TLS (mutual has more constraints), but I think it could still be helpful: http://software.intel.com/en-us/blogs/2009/01/21/tips-to-check-if-the-scs-the-dtk-or-your-app-doesnt-connect-to-an-amt-enterprise-machine/

Brett_M_Intel · ‎05-26-2010

To continue what Andrew has said, you need to make sure that the certificate's Common Name (CN) matches that of the method you are using to connect the target Intel AMT system within the Manageability Commander Tool. For example, if the system is provisioned with a certificate CN of "MyAmtSystem.MyDomain.com", you will need to use the FQDN "MyAmtSystem.MyDomain.com" within the Manageability Commander Tool to avoid getting this warning message. If, however, you enter the device's IP address into Commander and connect to the system, then you will get this warning message because Commander is not designed to resolve the IP address to the DNS hostname and domain (FQDN) and compare this to the certificate CN.

theperfectwave · ‎05-31-2010

Hi,

thanks for your fast answer.

Is there no way, to create a valid certificate for an AMT computer, which isn't member of a domain?

May be using its IP address as part of the certificate's CN?

Lance_A_Intel · ‎06-01-2010

Hello,

You need to use a fully qualified domain name (FQDN) in your certificates.
Please refer to the following section in the AMT SDK documentation: Setup and Configuration of Intel AMT > Using the Setup and Configuration Application Sample > Issuing Certificates and Certification Authority.

You may also want to look at this FAQ.

theperfectwave · ‎06-02-2010

ok, now I attached the AMT computer to a domain.

To make sure that everything is ok with the AMT-computer's FQDN, I access the AMT computer from other computers using its FQDN instead of its IP address. So the AMT-computer's FQDN is ok and works fine!

I did exactly the steps described in :
http://www.youtube.com/watch?v=KroJHYyarng

The AMT Director still shows the same warning:
>> Computer name, connection name, DNS name, Certificate name mismatch. <<

So can you please tell me, where I have to look for wrong settings, misspelt strings, .....

In advance thanks for your hints.

Lance_A_Intel · ‎06-02-2010

Please take a look at this blog post and let us know if it is helpful.

jacace · ‎06-08-2010

You can install a cerficate authority in your Win 2003 server, also there is a SCS Wizard which helps you todo that.

Javier Andrs Cceres Alvis

theperfectwave · ‎06-11-2010

The solution is:

The computer, into which the certificate (with CN=FQDN) has to stored,
must be accessed thru the AMT Director by entering the FQDN into the edit box
"IP / Hostname". If the IP address is set into the edit box "IP / Hostname",
the described error occurs. So here also the FQDN is required!

Richard_B_Intel1 · ‎06-11-2010

It is good to hear you have things working. Thanks for sharing your solution.