Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

How to import & use my own certificate in the Manageability Director

theperfectwave
Beginner
I created a certificate with makecert.

I imported it into the Intel tool "Manageability Director".

I also installed it in the "Internet Options" Certificate Cache under "Trusted Root Certification Authorities".

==> Now the "Manageability Director" shows the imported certificate in the "Management certificates" tab.

But when I try to use this certificate in a profile, I cannot select my imported certificate in the "issuer certificate" drop-down box.

----------------------------------

1. Can somebody please tell me the correct parameters for makecert that I have to use to create a certificate which I can use in the "Intel Manageability Director" tool?

e. g. makecert -r -pe ..... valid_vert.cer

2. What else do I have to do to properly import and use my own certificate in the "Intel Manageability Director" tool?

3. What might be the reason for the described problem?

Thanks in advance for your help.


14 Replies
Gael_H_Intel
Moderator
Have you viewed the very short video on the download page regarding applying certs? I don't know if it would help - it assumes you already created the cert but it does show some of the requirements.
What version of the DTK are you using (also what version of AMT), and is this cert for provisioning or is it for configuring TLS communications with AMT?
You might want to take a look at this blog: How to create AMT Certificates using the AMT SDK and OpenSSL
Gael
theperfectwave
Beginner
Thanks for your fast answer. Here are the details (which you wanted to know):

o iAMT Version is: ME v6.1.1.1045

o Director Version: The Director tool was installed through the Manageability_Developer_Tool_Kit_0_6_0937_2.msi package.
Director --> Help --> About says: Copyright (c) 2008 Intel Corporation .....

o I use the certificates to configure TLS.

==> ok. I will read the mentioned blog and watch the video ==> maybe there are some useful hints

theperfectwave
Beginner
Thanks for your detailed HOWTO:

>> How to create AMT Certificates using the AMT SDK and OpenSSL <<


**************************************************************************


Questions regarding your HOWTO
>> How to create AMT Certificates using the AMT SDK and OpenSSL <<


Step 6 is not clear.

1. What do you mean by hash?
Do you mean the thumbprints of the certificates?

2. Where is the "TLS ps1 script"?
I was not able to locate it.

3. And where exactly (in which line) do I have to insert those 3 hashes?

==> Steps 1-5 are clear, but not step 6. Can you please answer those
open questions regarding step 6?

**************************************************************************

As you can see above, I used an old Director tool
( Manageability_Developer_Tool_Kit_0_6_0937_2.msi ).
Now I downloaded the latest version and installed it.

In the old Director version I was able to add and connect to an AMT PC
via its DNS computer name ( e.g. MYTESTPC.TEST.NET).

In the new Director I can only add and connect to AMT PCs via their IP
address. Adding and connecting to them via DNS name fails. The Web UI
http://MYTESTPC.TEST.NET:16992 still works properly. ==> The new Director
cannot resolve the DNS computer name.

How can I fix this problem? (How can I help the new Director to
resolve the DNS name and connect to the AMT computer?)


**************************************************************************

Question regarding your video

In the mentioned video you show the use of the Commander tool. I did exactly
the same as in the video: connecting to an AMT PC via IP address. Then I
opened the tab "Intel Management Engine". --> I opened the "Certificate
store" dialog. In trusted roots I added the just created root CA. Then
I went to the certificates tab. There I pressed the button "new".
==> And an error dialog was shown:
>> Exception error logged in Exception-Commander.txt <<

( I added the last entry of the Exception-Commander.txt at the end of this question. )

After pressing OK on the error dialog, the same "New certificate" dialog as
in the video appears. But the drop-down box "Issuer certificate" is empty.

====> How can I fix this problem? What must be done so that this drop-down
box in the Commander tool is not empty?


==> Can you please help me and answer all my questions?

Thanks in advance for your help.
**********************************************

last entry of the Exception-Commander.txt



-> [5:03:42 PM] CallAttempt: GetAssetData
Call Param 1: 9

-> [5:03:42 PM] CallFailed: AmtSecurityAdmin.GetTLSCredentials
WSManFault.Code: a:Sender WSManFault.SubCode: b:DestinationUnreachable
at Intel.Manageability.WSManagement.DotNetWSManClient.WSManSendReceive(Header header, XmlElement[] bodyIn, XmlElement[]& bodyOut)
at Intel.Manageability.WSManagement.DotNetWSManClient.Get(Uri resourceUri, IEnumerable`1 selectors)
at Intel.Manageability.Cim.Untyped.CimObject.Get(CimKeys keys)
at Intel.Manageability.Cim.Typed.CimBase.Get()
at ManageabilityStack.AmtSecurityAdmin.GetTLSCredentials(UInt32& handle, Boolean& handleSpecified)
-> [5:03:42 PM] CallFailed: AmtSecurityAdmin.GetTLSCredentials WSMAN error
WSMAN Fault
Code: a:Sender (subcode: b:DestinationUnreachable)
Detail:
Reason: No route can be determined to reach the destination role defined by the WSAddressing To.
-> [5:03:39 PM] Error: Failure to retrieve the NAC Administration data.
The request failed with HTTP status 404: Not Found.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at EndpointAccessControlAdminService.Invoke(String methodName, Object[] parameters)
at EndpointAccessControlAdminService.GetEACStatus(Boolean& Enabled)
at ManageabilityStack.AmtNetworkAccessControlAdmin.GetEACStatus(Boolean& enabled)
at ManageabilityStack.AmtNetworkAccessControlAdmin.FetchCache()
-> [5:03:39 PM] Error: System.Net.WebException
System.Net.WebException: The request failed with HTTP status 404: Not Found.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at EndpointAccessControlAdminService.Invoke(String methodName, Object[] parameters)
Gael_H_Intel
Moderator
Did you try the Open Source DTK? It will probably be easier to get help with this version as Ylian is actively working with it.
I will work on clarifying step six, meanwhile.
The TLS.PS1 script is not included in OpenSSL as I thought it would be so I attached it in the blog inside step 6.
Thanks!
theperfectwave
Beginner

Thanks for that fast answer and the "TLS.ps1" script.



**********************************************************************************

---------------------------
--- V E R S I O N S ---
---------------------------


I used the following SDK & DTK Versions:
-----------------------------------------

latest SDK version: Intel%28R%29_AMT_Release_7.0_SP1_SDK_PV_-_3696.zip

latest DTK version: Manageability_Developer_Tool_Kit_7_0_11340_2.msi

an older DTK version: Manageability_Developer_Tool_Kit_0_6_0937_2.msi


The Director tool of the latest DTK version cannot connect to "amtpc.test.net".
But the Director tool of that older DTK version can connect to "amtpc.test.net".


**********************************************************************************

------------------------------------
--- W H I C H   H A S H E S ? ? ? ---
------------------------------------


In your script "TLS.ps1" there are three red sections:

# Add the Trusted Root CA
$certificateBlob = "...................

# Add AMT private Key
$keyBlob = "...................

# Add AMT Certificate
$certificateBlob = "...................


The red-marked "HASHES" are much longer than the "thumbprints" of the certificates
which were created in steps 1-5. I guess those thumbprints are not the hashes that
must be placed here.

Can you please tell me how I can extract / generate the required hashes from those three
certificates?



**********************************************************************************

---------------------------------------------------------------------------
--- Required steps to use own certificates in the Director tool ??? ---
---------------------------------------------------------------------------


It would be nice to have, with your "TLS.ps1" script, an alternative to the Director.

But the main question of this forum thread is what I have to do to use my own
certificates in the Director.

I played around with "steps 1-5" of your blog, makecert, the old and new Director
tool, Certmgr.msc, ....

The following steps:
1. Creating a certificate with makecert.
2. Importing it into the Director tool.

lead to the following result:
1. In the "Director tool -> certificate manager" the imported certificate is
visible.
2. But in:
"Director tool -> My Profile -> Intel AMT Certificate -> Certificate
Issuing dialog -> Issuer certificate drop-down box"
the imported certificate is not present.

==> Importing the self-created certificate is not enough to make it available in that
drop-down box. There are additional steps necessary to make it available in that
drop-down box.

I need to know these additional steps. <== That's the main question of this
forum thread.

While playing around with "steps 1-5" of your blog, makecert, the old and new Director
tool, Certmgr.msc, ....

I had success one time. One time I was able to see and select my self-created certificate
in that drop-down box.

I guess the additional steps are something like:
o Installing the self-created certificate into the right "Internet Options --> Certificate
Store" sub folders
o Making the private key of the self-created certificate somehow available to the Director.
o ....


I guess such steps are necessary.

==> Can you please ask your developers of the Director tool which steps are exactly necessary?




Thanks in advance for your help.




Gael_H_Intel
Moderator
I spent the bulk of today trying to make the steps in my blog more clear. Could you take a look at it and see if it now answers some of your questions?
theperfectwave
Beginner
Thanks for your effort.

But those additional infos in your blog do not answer my questions.


Can you please read & answer the questions in my previous reply?

Thanks in advance.
Gael_H_Intel
Moderator
I'm trying to find someone who can answer your specific Director questions. As far as creating certificates that AMT "likes", the 1-5 steps in the blog spell it out, and I ran through the blog and was able to create the certs and apply them to move my system from a "non-TLS" to a "TLS" configuration.
I will do some checking with the DTK as well.
Brett_M_Intel
Employee

Looking at the initial issue here (ignoring the rest of this thread at this time), it looks like you want to know why your custom certificate - created using the makecert utility - isn't available in the "Certificate Issuing" window when you're setting up a Security Profile that uses TLS.

The following are the requirements that the Manageability Director Tool looks for when populating certificates into that dialog:

* It looks for certificates available in the Personal Store for the Current User. Open "mmc.exe", add the Certificates snap-in for "My user account", and expand "Certificates - Current User" --> "Personal" --> "Certificates" to view the available certificates.

* The private key must be available for the certificate. A certificate that only has the public key will not be displayed in the "Certificate Issuing" window.

* The certificate must be trusted. This can be controlled from the Manageability Director Tool's "Certificate Manager" node (in the tree view). Select your custom cert in the list and use the "Toggle Trust" button -- a green circle indicates that the certificate is trusted.

* The certificate must be a Certificate Authority (CA), which means that you can create child certs from it.

Using the makecert utility, of which I am no expert, the following sample command line will generate a cert that you can load into the "Certificate Issuing" window:

makecert -r -pe -n "CN=My Issuing Cert" -ss my -cy authority

After generating the certificate, I needed to toggle the trust for it within Director, then I was able to use it within a profile. NOTE: YMMV as I have not done end-to-end testing of this certificate to ensure that it will successfully work for TLS with Intel AMT systems.

By the way, since the source code is available for the Manageability Director Tool, you are free to look at it to determine causes for any issues you may be experiencing. For example, the source code for this issue is in the Manageability Director Tool project, CertificateEditForm.cs, CertificateEditForm_Load method, specifically lines 53 through 60.

Ylian_S_Intel
Employee
Hi. You can only use a certificate to issue or sign another if it's a root certificate or marked for sub-CA usage. You can't take just any certificate; Director will filter out only the certificates that are appropriate for signing other certificates and show these. Also, you do need to import your certificate along with the private key. Director does allow you to create sub-CA certificates so you can play with certificate chains.

Ylian
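A check that covers Brett's four requirements together with Ylian's "root or sub-CA" rule, as an added example that is not part of this thread or of the DTK: it lists the current user's Personal store and flags, for each certificate, whether a private key is present and whether the Basic Constraints extension marks it as a CA. Trust is toggled inside Director's Certificate Manager, so that condition is not visible from the store and is not checked here. It assumes Windows PowerShell with the Cert: provider, run as the same user that runs Director.

```powershell
# Added example, not from the thread or the DTK. Assumes Windows PowerShell
# with the Cert: provider, run as the user that runs Director.
function Get-DirectorIssuerCandidates {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        # The Basic Constraints extension carries the CA flag that Director
        # (and Ylian's "root or sub-CA" rule) requires.
        $bc = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
            Select-Object -First 1
        $isCA = ($null -ne $bc) -and $bc.CertificateAuthority
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey          # required by Director
            IsCA          = $isCA                        # required by Director
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # Trust is toggled in Director's Certificate Manager; not visible here
            Candidate     = ($cert.HasPrivateKey -and $isCA)
        }
    }
}

# Show which Personal-store certificates Director's "Certificate Issuing"
# dialog can offer once they are also marked trusted in Certificate Manager.
Get-DirectorIssuerCandidates | Format-Table Subject, HasPrivateKey, IsCA, SelfSigned, Candidate -AutoSize
```

A certificate generated with Brett's makecert line (-r -pe -ss my -cy authority) is expected to show HasPrivateKey and IsCA both True; a certificate that shows Candidate = False here will not appear in the drop-down box no matter how trust is toggled.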
theperfectwave
Beginner


Thanks for all that very detailed information / help from you. - That's really great !


Unfortunately I currently do not have the time to test this AMT stuff.
When I have time I will test it and come back to this forum with feedback.

borat
Beginner
Thank you, this worked well for me, I came across this thread after 1 hour of surfing the net.
Good job!
wnag_y_
Beginner

The SBS Add a Trusted Certificate wizard may fail to display a certificate that is correctly installed in the certificate store if the subject field of the certificate is missing. This happens because some third-party certificate authorities (CAs) issue certificates with a blank subject. The Subject Alternative Name field is used to designate the fully qualified domain name (FQDN) of the certificate instead. This article documents how to manually install these types of certificates.
