Intel vPro® Platform
Intel Manageability Forum (Intel® EMA, AMT & Manageability Commander)

AMT ACM mode provisioning error (Failed to push activation certificate - CERT_VERIFY_FAILED)

SistemasLVDG
Beginner
1,216 Views

Hello 

We have the following scenario:

- EMA Server version 1.8.1 over a Windows Server 2019 DCE VM.

- TLS PKI certificate imported into the EMA Server certificates. The certificate has the vPro OID "2.16.840.1.113741.1.2.3" and all the certificates of the certificate chain are imported (root CA and 2 intermediate CAs).

In this situation ACM provisioning does not succeed and we get the following error in the Manageability Server log:

 

2022-11-29 17:54:13.9424|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if the admin control mode is allowed : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0050|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - NotStarted : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0050|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - srvema.corporacion.lavoz.es : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0987|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - Sectigo RSA Domain Validation Secure Server CA : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.1924|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - USERTrust RSA Certification Authority : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.2862|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - AAA Certificate Services : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|WARN||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Warning:Failed to push activation certificate - CERT_VERIFY_FAILED : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|WARN||3924|54|RequestHostBasedProvisioningEx - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Warning:Unable to go to admin mode, rolling back out of client mode : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Connecting to Swarm Server : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.5050|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Requesting ME unprovisionning : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:15.0206|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Disconnecting Swarm Server : (DYNABOOK00,BB2B0878).

 

Full logs are in the attached file "EMA_Manageability.log".

 

We have checked that the SHA256 hash of the root certificate of the TLS-PKI/vPro certificate:

 

PS C:\> Get-FileHash -path C:\AAACertificateServices.crt.cer -Algorithm SHA256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4       C:\AAACertificateServices.crt...

 

does match the SHA256 hash for the Comodo/Sectigo Root CA stored in the MEBx of the endpoint (Dynabook laptop by Toshiba with an Intel vPro 12th generation processor).

We get this value (hash stored at the MEBX) with "EMA Configuration tool":

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Intel EMA Configuration Tool\MEFirmwareInfo\RootCertificates]
"Go Daddy Class 2 CA"="SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default; "
"Go Daddy Root CA-G2"="SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default; "
"Comodo AAA CA"="SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default; "

 

Previously, before having uploaded the TLS-PKI vPro certificate to the EMA Server, we had a configuration with Intel AMT AutoSetup enabled and "Activation Method" configured to "Host Based Provisioning/HBP" (instead of TLS-PKI).

With this configuration, AMT provisioning succeeded in CCM (Client Control Mode).

 

Could you please help us with the error in ACM AMT provisioning?

 

Thank you very much in advance

 

 

 

 

0 Kudos
2 Replies
Victor_G_Intel
Moderator
1,101 Views

Hello SistemasLVDG,


Thank you for posting on the Intel® communities.


In order to continue can you please provide the following:


  1. Model and manufacturer of the server?
  2. SQL version installed?
  3. How many endpoints are in your deployment and how many of those are being affected?
  4. Are the Endpoints on the same network or not?
  5. What is the exact Intel AMT version(s) being used?
  6. Is this a new deployment or a previously existing one? If it’s an old one, please share with us if this problem was present on previous versions of Intel EMA.
  7. We are going to need a picture/screenshot of the enhanced key usage and the certification path of your PKI, secure, and root certificates.
  8. We appreciate the log provided. Please send us the following ones as well. You can find their paths below:


  • EMA logs from Server

[System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs


  • Installation log:

<installer Directory>/EMALog-Intel EMAInstaller.txt


  • EMA log from one of the endpoints:

[System drive]\Program Files\Intel\EMA Agent\EMAagentlog


Regards,


Victor G.

Intel Technical Support Technician


Victor_G_Intel
Moderator
990 Views

Hello SistemasLVDG,


I hope this message finds you well.


We are continuing the conversation via email for security purposes. We have also deleted some of the information on the thread so everything can be handled privately via email.


Best regards,


Victor G.

Intel Technical Support Technician  

