Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

Certificate name mismatch

theperfectwave
Beginner
1,490 Views
Hi,

I tried to configure TLS for my AMT-KVM as shown in:
http://www.youtube.com/watch?v=KroJHYyarng

After setting the profile to the AMT computer, the icon of the computer changes to red.
Also the following warning is shown in the field "Connection Warnings":

Computer name, connection name, DNS name, Certificate name mismatch.

What can be the reason and solution for this problem?

Thanks for your hints in advance.




P.S.:
The version of my ME is: 6.1.1.1045
And I used the AMT Director from the following package: "Manageability_Developer_Tool_Kit_0_6_0937_2.msi"
0 Kudos
9 Replies
Andrew_S_Intel2
Employee
1,490 Views
First off, what computer are you using? I know you updated to 6.1.1.1045 a few weeks ago to add a KVM resolution, but I've been wondering since then what hardware you have. I didn't realize that firmware was already available on OEM systems.

Offhand, I'd say there might be issues because you're using an older version of the manageability developer toolkit (from February of last year) on a new platform with firmware that just released a couple of weeks ago. But the error you're getting seems to indicate that there's a naming issue with the certificate. If you're using IP addresses instead of FQDNs for the cert common name, are you using DHCP in your environment for both the AMT system and the system running the director software?

TLS can be tricky; if configured incorrectly, you can disable access to the AMT machine. Javier had a good post on his experience (and how he debugged issues) with TLS last year when he went through this effort. He was actually using mutual TLS instead of just Server TLS (mutual has more constraints), but I think it could still be helpful: http://software.intel.com/en-us/blogs/2009/01/21/tips-to-check-if-the-scs-the-dtk-or-your-app-doesnt-connect-to-an-amt-enterprise-machine/
0 Kudos
Brett_M_Intel
Employee
1,490 Views
To continue what Andrew has said, you need to make sure that the certificate's Common Name (CN) matches that of the method you are using to connect to the target Intel AMT system within the Manageability Commander Tool. For example, if the system is provisioned with a certificate CN of "MyAmtSystem.MyDomain.com", you will need to use the FQDN "MyAmtSystem.MyDomain.com" within the Manageability Commander Tool to avoid getting this warning message. If, however, you enter the device's IP address into Commander and connect to the system, then you will get this warning message because Commander is not designed to resolve the IP address to the DNS hostname and domain (FQDN) and compare this to the certificate CN.

0 Kudos
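The name comparison described in the reply above, as an added example that is not part of the original thread and is not the Manageability Commander Tool's or AMT Director's own code. It applies the usual TLS client rule (a host name is compared with the certificate's DNS names or, if it has none, its CN; an IP literal is compared only with IP address entries; exact match only, no wildcards) to a constructed certificate in the dict shape of Python's `ssl.SSLSocket.getpeercert()`. The address 192.168.1.50 and the function names are assumptions.

```python
import ipaddress

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert().
# The CN is the example name used in the thread; there is no SAN extension.
SAMPLE_CERT = {"subject": ((("commonName", "MyAmtSystem.MyDomain.com"),),)}

def _norm(name):
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.rstrip(".").lower()

def cert_names(cert):
    """Return (dns_names, ip_addresses) that the certificate vouches for."""
    san = cert.get("subjectAltName", ())
    dns = [_norm(v) for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v.strip()) for k, v in san if k == "IP Address"]
    if not dns:
        # No dNSName entries: fall back to the subject CN, as legacy clients do.
        dns = [_norm(v) for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def check_target(cert, target):
    """Return (ok, reason) for the string typed into the connection field."""
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a host name
    if addr is not None:
        # An IP literal is never compared with the CN or a DNS name.
        if addr in ips:
            return True, "IP address is listed in the certificate"
        return False, f"connected by IP {addr}; certificate only names {dns}"
    if _norm(target) in dns:
        return True, "host name matches the certificate"
    return False, f"'{target}' is not one of {dns}"

if __name__ == "__main__":
    # 192.168.1.50 is a made-up address for the same machine.
    for target in ("MyAmtSystem.MyDomain.com", "192.168.1.50", "MyAmtSystem"):
        ok, reason = check_target(SAMPLE_CERT, target)
        print(f"{target:28} {'OK' if ok else 'MISMATCH':9} {reason}")
```
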
theperfectwave
Beginner
1,490 Views
Hi,

thanks for your fast answer.


Is there no way to create a valid certificate for an AMT computer which isn't a member of a domain?

Maybe using its IP address as part of the certificate's CN?

0 Kudos
Lance_A_Intel
Employee
1,490 Views
Hello,

You need to use a fully qualified domain name (FQDN) in your certificates.
Please refer to the following section in the AMT SDK documentation: Setup and Configuration of Intel AMT > Using the Setup and Configuration Application Sample > Issuing Certificates and Certification Authority.

You may also want to look at this FAQ.
0 Kudos
theperfectwave
Beginner
1,490 Views
ok, now I attached the AMT computer to a domain.

To make sure that everything is ok with the AMT-computer's FQDN, I access the AMT computer from other computers using its FQDN instead of its IP address. So the AMT-computer's FQDN is ok and works fine!

I did exactly the steps described in:
http://www.youtube.com/watch?v=KroJHYyarng

The AMT Director still shows the same warning:
>> Computer name, connection name, DNS name, Certificate name mismatch. <<


So can you please tell me, where I have to look for wrong settings, misspelt strings, .....



In advance thanks for your hints.
0 Kudos
Lance_A_Intel
Employee
1,490 Views
Please take a look at this blog post and let us know if it is helpful.
0 Kudos
jacace
New Contributor I
1,490 Views

You can install a certificate authority in your Win 2003 server, also there is an SCS Wizard which helps you to do that.

Javier Andrés Cáceres Alvis

0 Kudos
theperfectwave
Beginner
1,490 Views
The solution is:

The computer into which the certificate (with CN=FQDN) has to be stored must be accessed through the AMT Director by entering the FQDN into the edit box "IP / Hostname". If the IP address is set into the edit box "IP / Hostname", the described error occurs. So here also the FQDN is required!

0 Kudos
Richard_B_Intel1
Employee
1,490 Views
It is good to hear you have things working. Thanks for sharing your solution.
0 Kudos