I am testing MeshCentral 2 - Beta 1.
Is it possible to configure the Web/MPS server to use your own trusted certificates rather than use those generated by the --cert parameter?
If yes, how would I go about getting this to work from the server and AMT client perspective?
The root hash for the certificate needs to be included at the firmware level. This can be done, but it is a manual process and requires physically typing the hash into the CSME.
Take a look in the CSME and you will see the root certificate store.
I think in this case we are talking about different certificates. I have previously used one of the firmware embedded root hash certificates during my zero touch AMT configuration process to enable AMT in admin mode. That is all working great.
In this instance I'm talking about the root and client certificates used for MeshCentral 2 - Beta 1 CIRA/TLS functionality. See this article http://www.meshcommander.com/meshcentral2/cira-setup. The configuration uses certificates generated by MeshCentral 2 during installation. My question is can these be switched out for certificates generated by your own CA?
As this is still a BETA solution it may not be possible but I'd like to check.
My apologies, I was talking about the Provisioning Certificate and you're talking about the CIRA/TLS Certificate.
Ylian will have to speak to the requirements of MeshCentral 2 and how to get the certificate installed for its use.
But talking from a strictly AMT point of view, the certificates can be pushed to the firmware via a delta configuration profile. This profile can then be used with acuconfig.exe and pushed to the clients in question. For more info on Delta Profiles, see the AMT Developers Guide.
ACUWizard and acuconfig.exe can be downloaded from the SCS Downloads page.