Intel® Business Client Software Development
Support for Intel® vPro™ software development and the technologies associated with Intel vPro platforms.
The Intel sign-in experience has changed to support enhanced security controls. If you sign in, click here for more information.
1368 Discussions

Howto use the SCS to configure the ME for TLS connections



a few weeks ago I configure the ME for TLS connection with the Intel Manageability Director. This worked fine.

But now I am trying to do the same using the Intel SCS tool.

I want to go the easiest way.

I just want to put a certificate into the ME. And I want to configure the ME to use TLS for connections ( KVM, web GUI, . ). Thats all I want to do with the Intel SCS tool.

Therefore I installed the SCS ( on the management computer ) the Activator ( on the AMT computer ). and I tried several things ( creating USB Key with TLS PSK keys, creating profiles in the SCS, etc. ) but I wasnt able to put a certificate into the ME and configuring the ME for TLS.

1. Can somebody tell me please the easiest way how the desired task can be done.
2. A link (URL) to a good description would be also very helpful.

3. Whats with the SCS Lite?
a. Can the SCS Lite also be used to put a certificate into the ME?
b. Is the SCS Lite also redistributable?

Thanks in advance for all your answers.

0 Kudos
9 Replies

1. First, you have installed Microsoft Certificate Authority somewhere on your network, correct? That will need to be done so you canfollow the section on page 61 about setting up a profile for TLS, once the Certificate authority is setup correctly it's a matter of just selecting the certificate authority and certificate. There are details on setting up the Certificate Authority on page 113.
2. I'd recommend looking at Javier's blog-post on his experience here for trouble-shooting the issue:
3. SCS Lite doesn't support TLS.

Our aim is to configure the AMT computer using TLS with a self created certifcate ( e.g. make cert ).
Durring the provisioning we want to use PSK not PKI!

What we did and what worked is:

1. unconfigure ME

2. activate ME in the MEBx

3. creating a profile in the SCS

4. exporting PSK keys to UFD

5. provisioning the ME with that UFD

6. running the Activator on the AMT computer

===> now:

The SCS says that the system is beeing configured

The Activator shows a progress bar and also says that the AMT computer is beeing configured.

But after a while on the AMT computer the Activator displays the following error message:

>> Configuration request failed.
Error received: Intel AMT system is not configured yet. <<

And the Status in the SCS changes to "Configuration pending".

==> Until this point the configuration with the SCS Tool works now. But now the question is why we
receive the above error message.

What is the reason for this behaviour / error message.

Thanks in advance for your answers.

That self signed cert is for trusted root CA which is used for other features such as 802.1x, NAC/NAP, CIRA and for TLS mutual authentication. SCS does not support self created cert for TLS configuration of AMT.
@Andrew & Paul: Thanks for your answers.

1. With Microsoft Certificate Authority you mean the Active Directory Certificate Services, correct?

2. To use the SCS you have to install and use a lot of tools. On the SCS computer you have to install Windows Server and you have to configure the Active Directory Certificate Services, further more your have to install SQL Server and SCS on this computer. On the AMT computer you have to install the AMT driver and the Activator.
2.1. Is this everything? Did I forgot a tool?

2.2. We just want to:
o Put a certificate ( which we created with makecert ) into the ME.
o Configure the ME to use TLS.
For this simple task the SCS is to much overhead (all those installations and configurations). The
Manageability Directory can do the same with much less effort. Unfortunately you told use in:
>> Is it allowed to redistribute the Manageability Director?
( <<

that neither the Director nor the Commander are redistributable. You told use that the SCS is
redistributable, thats why we are currently trying to configure our AMT computers with the SCS. But for
our simple config task this is to much effort. Is the SCS the only Intel tool, which can be used for the
desired job ( putting certificates into the ME and configuring the ME to use TLS ) and which is

3. Are their no other simple tools like the Director, which can do the same and which are redistributable?

4. With the Manageability Director we can put selfsigned certificates into the ME and use them for TLS. Are you
sure that this cant be done with the SCS (selfsigned certificates)?

5. If you cant put self signed certificates with the SCS into the ME, the question is which certificates can be put
into the ME using the SCS tool:
5.1. Most those certificates be bought from a CA like Verisign?
5.2. Can those certificates also come from Windows Server Active Directory Certificate Services?

Please answer A L L the questions its important to use, to get all that infos!

Thanks in advance for all your answers.

If you want to use SCS, then it requires all of the infrastructure (database, Domain Controller, Cert Authority, etc). But if you want to do it yourself, you can create your own setup and configuration application using the APIs that are in the AMT SDK. Open the SDK documentation and navigate to Intel AMT Features > Transport Layer Security > Use Cases. There you will find the four use cases below:

  1. Set/Update the TLS Credentials Certificate
  2. Set TLS to Server/Mutual Authentication
  3. Change the Trusted FQDN Common Name
  4. Defining Secure Connection Settings

Click on any of these use cases and you will find the CIM classes that are used, the flows, and samples for each of the use cases.

Valued Contributor I
Actually, if you don't want to go to the trouble of setting up the SCS you can use the Setup and Configuration Application out of the SDK. This application will allow you to setup a TLS system without having to setup the full Domain system. You do have to remember though that TLS requires the use of at least a DNS server to resolve network names. The SCA can be used to generate demo certificates for you automatically, or you can supply your own certs that you've generated using an external CA. If you've got any questions about how to use the SCA, just post them to this forum.

@Paul: you did not answered my questions.

1. Can somebody please answer all my questions (above).


Our situation is:

We deliver our AMT- computers, which we produces, to our customers with unprovisioned & disabled MEs. Together with our computers we deliver a small manual, which describes how to configure and use AMT.

If there is a tool with which:
* certificates can be loaded into the ME
* the ME can be configured to use TLS
and which is redistributable, we also want to put this tool on our computers.


The results of our tests are:

The Manageability Director can be used to load the certificates into the ME and to configure the ME to use TLS. The effort therefore is not too big, thats ok. Unfortunately this tool isnt redistributable.

The Intel SCS tool is redistributable. And as its user manual says, it can be used for a big range of provisioning tasks ( PKI, PSK, using Active Directory, not using Active Directory, etc. ) . Unfortunately there is no less effort way to load certificates into the ME and to setup the ME to use TLS.

So what we need now is:

Either a good straight forward description for the SCS tool ( step by step: step 1, step 2, step 3 .) how certificates can be loaded in the ME and the ME can be configured to use TLS. This way must be as easy as possible.

Or we need another tool like the Manageability Director which is easy to use and which is redistributable.

==> Please give us such a short description for the SCS or / and tell us which other tool is redistributable and easy to use (low effort for the desired TLS configuration). May be you can make the Manageability Director redistributable.

Thanks in advance for your answer.

@rogerb: I already typed this new description of our situation, tests and questions in a text editor before I went to the forum, because yesterday there only has been Pauls answer in there forum.
Is the SCA redistributable?
Where can I download it (URL)?

Valued Contributor I
The SCA is in the SDK in the Configuration tools area. I have no idea if the SCA code is redistributable or not, but you can look at the code to see how the process works. The generation of all of the needed certificates is done in batch files, so you should be able to figure out exactly what is needed for each type of cert. Here's the URL for the SDK:


Regarding the SCA - it is redistributable, and it is available in the SDK. The source is also in the SDK, and you are free to use or modify it to fit your needs. The SDK can be downloaded from: