I am moving the question at the request of the moderator.
---
Hello,
We are implementing AMT provisioning on our own without a solution like EMA.
We encountered a problem while implementing Secure Host-Based Configuration to support CSME 19 or higher.
1. Registered the AMT CA certificate.
> rpc amtinfo
Version : 15.0.47
Build Number : 2521
SKU : 16392
Features : AMT Pro Corporate
Control Mode : pre-provisioning state
DNS Suffix : 192.168.1.10
> rpc amtinfo -cert
---Certificate Hashes---
...
Our AMT CA (Active)
SHA256: cabc80186952320c73691e6c4d62379a7d9a52ca246e34881b83ad1a51b9ac12
2. StartConfigurationHBased
StartConfigurationHBased was called as follows.
StartConfigurationHBased(
ServerHashAlgorithm = CERT_HASH_ALGORITHM_SHA256,
ServerCertHash [SHA_512_KEY_SIZE]byte = SHA 256 HASH of Provisioning Certificate,
HostVPNEnable = False,
SuffixListLen = 0,
NetworkDnsSuffixList [320]byte
)
3. The Provisioning server is connected to 127.0.0.1:16993.
But the TLS handshake fails.
- Both the provisioning certificate and the CA certificate have been sent.
- The hashes of the CA certificate and provisioning certificate are the same as those sent in steps 1 and 2.
Provisioning Certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:8d:7c:e8:91:6a:64:14:68:54:96:b8:98:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Our AMT CA, C = KR
Validity
Not Before: Feb 6 05:33:52 2024 GMT
Not After : Feb 3 05:33:52 2034 GMT
Subject: CN = 192.168.1.10, OU = Intel(R) Client Setup Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, 2.16.840.1.113741.1.2.3
X509v3 Subject Alternative Name:
DNS:192.168.1.10
X509v3 Subject Key Identifier:
58:CE:02:47:70:49:8C:C1:7B:DB:9E:FA:DE:C0:3D:8D:76:9A:5C:CA
X509v3 Authority Key Identifier:
B7:FE:10:B2:C9:C8:E8:64:92:6E:17:D5:21:B1:40:72:66:A7:CF:89
Netscape Cert Type:
SSL Server
Signature Algorithm: sha256WithRSAEncryption
Signature Value: ...
Here is a sample project that can be run standalone on a vPro PC: https://github.com/jclab-joseph/intel-vpro-hbased-problem-01
You can test it after registering the certificate with setup.bin.
>amt-test.exe
2024/02/07 10:24:32 AMT Version: 15.0.47
2024/02/07 10:24:32 DNS SUFFIX: amt-provisioning.test.com
2024/02/07 10:24:32 StartConfigurationHBased: AMT Cert Hash: 6d802ab34996d397a9b4ebf901edf0c38a9fa7b997917732aaf8de82bc0ad1bb0000000000000000000000000000000000000000000000000000000000000000
2024/02/07 10:24:33 tcp connected. start mtls...
2024/02/07 10:24:34 RECEIVED AMT HASH : 6d802ab34996d397a9b4ebf901edf0c38a9fa7b997917732aaf8de82bc0ad1bb
2024/02/07 10:24:34 RECEIVED AMT HASH **MATCHED** :)
2024/02/07 10:24:34 tls handshake failed: remote error: tls: unknown certificate
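A check of the two certificate properties the post relies on, as an added Go example that is not part of the original post or the linked project: it computes the SHA-256 digest in the zero-padded 64-byte layout seen in the StartConfigurationHBased log line and tests for the two Extended Key Usage values shown in the certificate dump. `Inspect`, `SampleDER`, `setupOID` and the host name are names made up for this example, and the certificate it generates is constructed test data (self-signed, Ed25519).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var setupOID = asn1.ObjectIdentifier{2, 16, 840, 1, 113741, 1, 2, 3} // EKU OID from the post's dump

// Inspect: SHA-256(der) zero-padded to 64 bytes (layout in the post's log), plus an EKU check.
func Inspect(der []byte) (field [64]byte, ekuOK bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return field, false, err
	}
	sum := sha256.Sum256(der)
	copy(field[:], sum[:]) // bytes 32..63 stay zero
	server, setup := false, false
	for _, u := range cert.ExtKeyUsage {
		server = server || u == x509.ExtKeyUsageServerAuth
	}
	for _, oid := range cert.UnknownExtKeyUsage { // OIDs Go has no constant for
		setup = setup || oid.Equal(setupOID)
	}
	return field, server && setup, nil
}

// SampleDER builds a throwaway self-signed certificate (constructed data).
func SampleDER(extra ...asn1.ObjectIdentifier) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"amt.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, UnknownExtKeyUsage: extra}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, _ := SampleDER(setupOID)
	field, ok, err := Inspect(der)
	fmt.Printf("ServerCertHash=%x ekuOK=%v err=%v\n", field, ok, err)
}
```

To run it against a real provisioning certificate, pass the DER bytes of that certificate to `Inspect` instead of the generated sample.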