Looking at the initial issue here (ignoring the rest of this thread at this time), it looks like you want to know why your custom certificate - created using the makecert utility - isn't available in the "Certificate Issuing" window when you're setting up a Security Profile that uses TLS.
The following are the requirements that the Manageability Director Tool looks for when populating certificates into that dialog:
* It looks for certificates available in the Personal Store for the Current User. Open "mmc.exe", add the Certificates snap-in for "My user account", and expand "Certificates - Current User" --> "Personal" --> "Certificates" to view the available certificates.
* The private key must be available for the certificate. A certificate that only has the public key will not be displayed in the "Certificate Issuing" window.
* The certificate must be trusted. This can be controlled from the Manageability Director Tool's "Certificate Manager" node (in the tree view). Select your custom cert in the list and use the "Toggle Trust" button -- a green circle indicates that the certificate is trusted.
* The certificate must be a Certificate Authority (CA), which means that you can create child certs from it.
Using the makecert utility, which I am no expert in using, the following sample command line will generate a cert that you can load into the "Certificate Issuing" window:
makecert -r -pe -n "CN=My Issuing Cert" -ss my -cy authority
After generating the certificate, I needed to toggle the trust for it within Director, then I was able to use it within a profile. NOTE: YMMV as I have not done end-to-end testing of this certificate to ensure that it will successfully work for TLS with Intel AMT systems.
By the way, since the source code is available for the Manageability Director Tool, you are free to look at it to determine causes for any issues you may be experiencing. For example, the source code for this issue is in the Manageability Director Tool project, CertificateEditForm.cs, CertificateEditForm_Load method, specifically lines 53 through 60.
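The store-side requirements listed above can be checked from PowerShell before opening Director. This is an added example, not part of the original post or the Manageability Director Tool source; it assumes that "is a CA" can be judged from the Basic Constraints extension, and it cannot see Director's own trust toggle.

```powershell
# Added example: audit the Current User "Personal" store against the
# requirements the post lists for the "Certificate Issuing" window.
# Assumption: CA status is read from the Basic Constraints extension
# (CA = true). Director's actual test may differ; see the
# CertificateEditForm_Load method the post points to.
# Not covered: the "Toggle Trust" state, which is managed inside Director.

$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Known extensions are surfaced as typed objects; pick Basic Constraints if present.
    $bc = $cert.Extensions |
        Where-Object { $_ -is $bcType } |
        Select-Object -First 1
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # Collect the reasons a certificate would be filtered out of the dialog.
    $missing = @()
    if (-not $cert.HasPrivateKey) { $missing += 'no private key' }
    if (-not $isCa)               { $missing += 'not a CA' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        IsCA          = $isCa
        Candidate     = ($missing.Count -eq 0)
        Missing       = ($missing -join ', ')
    }
}

# Candidates first; anything with a non-empty "Missing" column fails a listed requirement.
$report | Sort-Object -Property Candidate -Descending | Format-Table -AutoSize
```

A certificate reported as a candidate still has to be marked trusted in Director's "Certificate Manager" node. The `-pe` switch in the makecert command marks the private key as exportable, so a candidate created that way is a CA signing key that can be exported from the user profile.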
The SBS Add a Trusted Certificate wizard may fail to display a certificate that is correctly installed in the certificate store if the subject field of the certificate is missing. This happens because some third-party certificate authorities (CAs) issue certificates with a blank subject. The Subject Alternative Name field is used to designate the fully qualified domain name (FQDN) of the certificate instead. This article documents how to manually install these types of certificates.