Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Platform Manifest being rejected by api server

doskias
Beginner
I'm currently trying to get a basic TDX attestation to work. To that
effect I'm following the guide at
https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/#platform-registration

What I've gathered up until now is that in order to get the QGS working
I'd need to get collateral from Intel. So essentially I'm trying to
obtain the PCK. It should be as simple as running PCKIDRetrievalTool and
then making the respective API call as per
https://api.portal.trustedservices.intel.com/content/documentation.html#pcs-certificate-v4

Unfortunately as I'm doing this I'm receiving the following error from
Intel's API service:

< HTTP/1.1 400 Bad Request
< Content-Length: 0
< Request-ID: 041fa7d2fbb54d48aad51702d2f5000a
< Error-Code: PackageNotFound
< Error-Message: The request was rejected by the server as at least one of the processor packages could not be recognized by the server.
< Date: Wed, 28 Jan 2026 18:31:10 GMT


I've tried the request with platform manifest generated on 2 separate
machines:

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 207
model name      : INTEL(R) XEON(R) PLATINUM 8592+
stepping        : 2


and

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 173
model name      : Intel(R) Xeon(R) 6972P
stepping        : 1


and I get the same error. The call I'm doing is a POST to
https://api.trustedservices.intel.com/sgx/certification/v4/pckcert

As per the API docs, it should be possible to obtain a PCK with a
platform manifest and SVNs, i.e. without first registering the platform
manifest via the Register Platform API.
Scott_R_Intel
Moderator

Hello doskias.

Can you please run through the Troubleshooting steps in the TDX Enabling Guide and provide the results?

https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/#troubleshooting

Thanks.

Scott

doskias
Beginner

So the issue was that I had a pre-production CPU. Using the sbx.api endpoint I'm now getting:

{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }

Despite sending the subscription key for "Product Intel® Software Guard Extensions Provisioning Certification Service subscription" in the Ocp-Apim-Subscription-Key header:

* Connected to sbx.api.trustedservices.intel.com (4.255.73.206) port 443
* using HTTP/1.x
> POST /sgx/certification/v4/pckcert HTTP/1.1
> Host: sbx.api.trustedservices.intel.com
> User-Agent: curl/8.14.1
> Accept: */*
> Content-Type: application/json
> Ocp-Apim-Subscription-Key: 1bc*******************
> Content-Length: 35998
>
* upload completely sent off: 35998 bytes
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 401 Access Denied
< Content-Length: 143
< Content-Type: application/json
< WWW-Authenticate: AzureApiManagementKey realm="https://sbx.api.trustedservices.intel.com/sgx/certification/v4/pckcert",name="Ocp-Apim-Subscription-Key",type="header"
< Date: Thu, 29 Jan 2026 07:02:38 GMT
<
* Connection #0 to host sbx.api.trustedservices.intel.com left intact
{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }

 

I tried both the primary and secondary key, and even without a key, but I get the same error. On a different note, I believe there is an error in the API documentation for https://api.trustedservices.intel.com/sgx/certification/v4/pckcert, since the Ocp-Apim-Subscription-Key header is documented as not being required/mandatory. Isn't it always required when using this API?

doskias
Beginner

FWIW I think this is a problem with the sbx.api endpoint, because I'm able to get a certificate from api when using a production CPU, even without providing an API key. 

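The two failures quoted in this thread can be told apart mechanically from saved `curl -v` output. The following is an added example, not code from the thread or from Intel's tooling: it parses the response status, headers (including a value wrapped onto a second line) and JSON body, then maps them to the two causes the posters reported. The function names, labels and sample text are constructed for illustration.

```python
import json

# Constructed samples modelled on the two responses quoted in the thread.
SAMPLE_400 = """\
< HTTP/1.1 400 Bad Request
< Content-Length: 0
< Request-ID: 00000000000000000000000000000000
< Error-Code: PackageNotFound
< Error-Message: The request was rejected by the server as at least one
of the processor packages could not be recognized by the server.
"""
SAMPLE_401 = """\
> Ocp-Apim-Subscription-Key: REDACTED
< HTTP/1.1 401 Access Denied
< Content-Type: application/json
<
{ "statusCode": 401, "message": "Access denied due to invalid subscription key." }
"""

def parse_curl_verbose(text):
    """Extract status, response headers and JSON body from `curl -v` output."""
    status, headers, body, last = None, {}, None, None
    for line in text.splitlines():
        if line.startswith("< HTTP/"):
            status = int(line.split()[2])
        elif line.startswith("< ") and ":" in line:
            name, value = line[2:].split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
        elif line.startswith(("<", ">", "*")):
            last = None  # request line, info line or end of headers
        elif line.lstrip().startswith("{"):
            body = json.loads(line)
        elif last and line.strip():
            headers[last] += " " + line.strip()  # wrapped header value
    return status, headers, body

def triage(text):
    """Map a response to the two causes reported in this thread."""
    status, headers, body = parse_curl_verbose(text)
    if status == 400 and headers.get("error-code") == "PackageNotFound":
        return "package-not-recognized: check for a pre-production CPU (sbx endpoint)"
    if status == 401:
        return "subscription-key-rejected: " + (body or {}).get("message", "")
    return f"unclassified: HTTP {status}"
```
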