Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

AMT ACM mode provisioning error (Failed to push activation certificate - CERT_VERIFY_FAILED)

SistemasLVDG
Beginner
3,187 Views

Hello 

We have the following scenario:

- EMA Server version 1.8.1 over a Windows Server 2019 DCE VM.

- TLS PKI Certificate imported to EMA Server certificates. The certificate has the vPro OID "2.16.840.1.113741.1.2.3" and all the certificates of the certificate chain are imported (root CA and 2 intermediate CAs)

In this situation ACM provisioning does not succeed and we get the following error at the Manageability server log:

 

2022-11-29 17:54:13.9424|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if the admin control mode is allowed : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0050|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - NotStarted : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0050|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - srvema.corporacion.lavoz.es : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0987|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - Sectigo RSA Domain Validation Secure Server CA : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.1924|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - USERTrust RSA Certification Authority : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.2862|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - AAA Certificate Services : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|WARN||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Warning:Failed to push activation certificate - CERT_VERIFY_FAILED : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|WARN||3924|54|RequestHostBasedProvisioningEx - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Warning:Unable to go to admin mode, rolling back out of client mode : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Connecting to Swarm Server : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.5050|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Requesting ME unprovisionning : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:15.0206|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Disconnecting Swarm Server : (DYNABOOK00,BB2B0878).

 

Full logs are in the attached file "EMA_Manageability.log"

 

We have checked that SHA256 hash of the root certificate of the TLS-PKI/vPRO certificate:

 

PS C:\> Get-FileHash -path C:\AAACertificateServices.crt.cer -Algorithm SHA256

Algorithm Hash Path
--------- ---- ----
SHA256 D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4 C:\AAACertificateServices.crt...

 

does match with the SHA256 hash for the Comodo/Sectigo Root CA stored at the MEBX of the Endpoint (Dynabook laptop by Toshiba with an Intel vPro 12th generation processor).

We get this value (hash stored at the MEBX) with "EMA Configuration tool":

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Intel EMA Configuration Tool\MEFirmwareInfo\RootCertificates]
"Go Daddy Class 2 CA"="SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default; "
"Go Daddy Root CA-G2"="SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default; "
"Comodo AAA CA"="SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default; "

 

Previously, before having uploaded to the EMA Server the TLS-PKI vPro certificate, we had a configuration with Intel AMT AutoSetup enabled with "Activation Method" configured to "Host Based Provisioning/HBP" (instead of TLS-PKI)

With this configuration, AMT Provisioning succeeded in CCM (Client Control Mode)

 

Please, may you help us regarding the error at ACM AMT Provisioning?

 

Thank you very much in advance

 

 

 

 

0 Kudos
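Added example (not part of the original post and not Intel's tooling): the root-hash comparison described above, done programmatically. It parses the registry values exactly as posted, normalizes the colon-separated form, and fingerprints a certificate from its DER bytes so that a Base64 (PEM) export yields the same value; the function names are hypothetical, and it assumes the firmware entry is the SHA256 of the DER-encoded certificate, which is consistent with the matching values in the post.

```python
import base64
import hashlib
import re

# Registry values exactly as posted above (EMA Configuration Tool output).
REG_EXPORT = '''\
"Go Daddy Class 2 CA"="SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default; "
"Go Daddy Root CA-G2"="SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default; "
"Comodo AAA CA"="SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default; "
'''
# Get-FileHash result posted above for AAACertificateServices.crt.cer.
FILE_HASH = "D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4"

ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<alg>\w+), (?P<hash>[0-9A-Fa-f:]+), (?P<state>\w+)')
PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def normalize(value):
    """Drop separators and case so 'D7:A7:...' and 'd7a7...' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()

def parse_trusted_roots(text):
    """Return {name: hash} for the active SHA256 root entries in the export."""
    roots = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m["alg"].upper() == "SHA256" and m["state"] == "Active":
            roots[m["name"]] = normalize(m["hash"])
    return roots

def cert_fingerprint(data):
    """SHA256 over the DER bytes; a PEM (Base64) file is decoded first."""
    m = PEM.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    return hashlib.sha256(der).hexdigest().upper()

def match_root(fingerprint, roots):
    """Names of firmware root entries whose hash equals the fingerprint."""
    fp = normalize(fingerprint)
    return [name for name, value in roots.items() if value == fp]

if __name__ == "__main__":
    print(match_root(FILE_HASH, parse_trusted_roots(REG_EXPORT)))
```

`Get-FileHash` hashes the file bytes as stored, so it only equals the firmware entry when the `.cer` file is a DER export; `cert_fingerprint` removes that dependency.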
8 Replies
Victor_G_Intel
Employee
3,072 Views

Hello SistemasLVDG,


Thank you for posting on the Intel® communities.


In order to continue can you please provide the following:


  1. Model and manufacturer of the server?
  2. SQL version installed?
  3. How many endpoints are in your deployment and how many of those are being affected?
  4. Are the Endpoints on the same network or not?
  5. What is the exact Intel AMT version(s) being used?
  6. Is this a new deployment or a previously existing one? If it’s an old one, please share with us if this problem was presented on previous versions of Intel EMA.
  7. We are going to need a picture/screenshot of the enhanced key usage and the certification path of your PKI, secure, and root certificates.
  8. We appreciate the log provided. Please send us the following ones as well. You can find their paths below:


  • EMA logs from Server

[System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs


  • Installation log:

<installer Directory>/EMALog-Intel EMAInstaller.txt


  • EMA log from one of the endpoints:

[System drive]\Program Files\Intel\EMA Agent\EMAagentlog


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
2,961 Views

Hello SistemasLVDG,


I hope this message finds you well.


We are continuing the conversation via email for security purposes. We have also deleted some of the information on the thread so everything can be handled privately via email.


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
mrant-k
Novice
1,920 Views

Did this get resolved at all? I'm running into the exact same issue. Please share what you found out.

0 Kudos
SistemasLVDG
Beginner
1,908 Views

Hello mrant-k
Yes, it got resolved
Intel engineers that support this forum (like Victor G.) will help you for sure.

0 Kudos
Cully1910
Beginner
1,680 Views

Hey

 

I am having the same exact issue. Trying to install Intel EMA and have been unsuccessful in doing so. I run the installer, it connects to our SQL DB and created the DB fine, but then the install wizard presents a "There are warnings in the process. Please see the detailed event log to find details". Log files say all sorts of Intel EMA components 'Failed' to connect. I am doing a single server install.

 

Thoughts?

0 Kudos
Cully1910
Beginner
1,680 Views

Hi

 

I am having the same exact issue. Trying to install Intel EMA and have been unsuccessful in doing so. I run the installer, it connects to our SQL DB and created the DB fine, but then the install wizard presents a "There are warnings in the process. Please see the detailed event log to find details". Log files say all sorts of Intel EMA components 'Failed' to connect. I am doing a single server install.

 

Can I schedule a call with you?

0 Kudos
Cully1910
Beginner
1,680 Views

Hi

 

"Yes, it got resolved" is not helpful to this forum if I am being completely honest. 

I am having the same exact issue. Trying to install Intel EMA and have been unsuccessful in doing so. I run the installer, it connects to our SQL DB and created the DB fine, but then the install wizard presents a "There are warnings in the process. Please see the detailed event log to find details". Log files say all sorts of Intel EMA components 'Failed' to connect. I am doing a single server install.

 

Can you lend any pointers here?

 

 

0 Kudos
Cully1910
Beginner
1,675 Views

My Bad - I meant to post this on the thread before this one. 

 

 

0 Kudos