We are trying to use Remote Configuration without using a USB key. I believe that I have followed the instructions, where I have obtained a certificate from Verisign and have used the loadcert tool to enter the certificate into the registry. However, when our systems try to provision we receive the following error in the SCS log:
Cannot handle provisioning exception: (0xCFFF06AC) SOAP Failure (23): getFullCoreVersion: SSL error - SSL authentication failed in tcp_connect(): check password, key file, and ca file..
Any ideas? Our AMT clients are version 2.6. The SCS server is version 3.3.
- If you previously changed the MEBx password on that computer, SCS will need to know that new MEBx password.
- Make sure that from any computer in your network, you can ping the SCS computer with the exact name that is in your Verisign certificate. Also, Intel AMT will perform a reverse DNS lookup and see that the DNS is reporting that the server computer's name is exactly equal to the Verisign certificate you are using. So make a reverse DNS lookup to make sure.
- Check that the Verisign certificate is in fact signed with a root certificate that is trusted by Intel AMT. The certificate that signed your certificate must have a hash that is trusted by Intel AMT.
- Check that your certificate contains the correct certificate key usage for Intel AMT remote provisioning. It should contain a key usage OID: "2.16.840.1.113722.214.171.124" or OU = "Intel Client Setup Certificate". If your Verisign certificate does not contain this, it will be rejected.
Ylian (Intel AMT Blog)
Thanks for your response. These are all brand new units so I do not believe the password is the issue. I have also verified that the password is set to the default (without changing it). I have also verified that the system is pingable with the correct FQDN and that reverse lookup returns the same name. The certificate does have an OU that is set to "Intel Client Setup Certificate".
The only remaining item is to verify that my Verisign certificate is signed with a root that is trusted by Intel AMT. I'm not sure how to verify this. Any guidelines?
Are you using TLS encryption?
Could you make sure that the RCFG certificate is imported with its private key to both local computer certificate store and SCS service user certificate?
Also, we need the SCS dev log. In order to turn it on, you should do the following:
In the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Intel\AMTConfServer\LOG, create a new string value "LogLevel" with value data V.
It should create 2 files: scs_server.log and scs_win_server.log in the root directory.
Please capture the error and send it to us with machine name.
Please make sure that you imported the RCFG certificate not only into the local computer certificate store, but into the SCS service user account certificate store also.
Boris Dunayevsky on behalf of SCS Support
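
The checks suggested in this thread (forward and reverse DNS, the OU, the private key in both certificate stores, and the root that signed the certificate) can be gathered in one pass on the SCS server. The script below is an added example, not part of the original posts and not an Intel tool; `scs.example.com` is a placeholder for the name in your certificate, and comparing `RootThumbprint` with the root hashes listed in the AMT firmware assumes the firmware shows SHA-1 certificate hashes.

```powershell
# Added example. $ScsFqdn is a placeholder: pass the exact name in your certificate.
param([string]$ScsFqdn = 'scs.example.com')
$ouWanted = 'Intel Client Setup Certificate'   # OU named in the thread

# 1. Forward lookup, then reverse lookup of each address; both must agree with the name.
foreach ($addr in [System.Net.Dns]::GetHostAddresses($ScsFqdn)) {
    try   { $ptr = [System.Net.Dns]::GetHostEntry($addr).HostName }
    catch { $ptr = '<no PTR record>' }
    [pscustomobject]@{ Check = 'DNS'; Address = "$addr"; ReverseName = $ptr
                       Match = ($ptr -ieq $ScsFqdn) } | Format-List
}

# 2. Inspect candidate certificates. CurrentUser is the SCS service account's store
#    only when this script runs as that account.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $certs = Get-ChildItem $store | Where-Object { $_.Subject -like "*OU=$ouWanted*" }
    if (-not $certs) { Write-Warning "No certificate with OU '$ouWanted' in $store" }
    foreach ($cert in $certs) {
        # Build the chain without revocation checks so the script works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        # Enhanced key usage OIDs, listed so they can be compared with the required one.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        [pscustomobject]@{
            Check          = 'Certificate'
            Store          = $store
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            EkuOids        = $eku -join ', '
            ChainComplete  = ($top.Subject -eq $top.Issuer)   # top of chain is self-signed
            RootSubject    = $top.Subject
            RootThumbprint = $top.Thumbprint                  # SHA-1 of the root certificate
        } | Format-List
    }
}
```

A `HasPrivateKey` of `False` in either store, a `Match` of `False` on any address, or a `RootThumbprint` that is not among the hashes the AMT client trusts each corresponds to one of the causes listed above.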