Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2931 Discussions

AMT ACM mode provisioning error (Failed to push activation certificate - CERT_VERIFY_FAILED)

SistemasLVDG
Beginner
‎11-29-2022 09:33 AM
3,568 Views

Hello 

We have the following scenario:

- EMA Server version 1.8.1 over a Windows Server 2019 DCE VM.

- TLS PKI Certificate imported to EMA Server certificates. The certificate has the Vpro OID "2.16.840.1.113741.1.2.3" and all the certificates of certificate chain are imported (root CA and 2 intermmediate CAs)

In this situation ACM provisioning does not succeed and we get the following error at the Manageability server log:

 

2022-11-29 17:54:13.9424|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if the admin control mode is allowed : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0050|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - NotStarted : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0050|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - srvema.corporacion.lavoz.es : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.0987|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - Sectigo RSA Domain Validation Secure Server CA : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.1924|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - USERTrust RSA Certification Authority : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.2862|INFO||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - AAA Certificate Services : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|WARN||3924|54|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Warning:Failed to push activation certificate - CERT_VERIFY_FAILED : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|WARN||3924|54|RequestHostBasedProvisioningEx - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Warning:Unable to go to admin mode, rolling back out of client mode : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.3800|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Connecting to Swarm Server : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:14.5050|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Requesting ME unprovisionning : (DYNABOOK00,BB2B0878).
2022-11-29 17:54:15.0206|INFO||3924|54|TriggerMeHbpUnprovision - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Disconnecting Swarm Server : (DYNABOOK00,BB2B0878).

 

Full logs are at attached file "EMA_Manageability.log"

 

We have checked that SHA256 hash of the root certificate of the TLS-PKI/vPRO certificate:

 

PS C:\> Get-FileHash -path C:\AAACertificateServices.crt.cer -Algorithm SHA256

Algorithm Hash Path
--------- ---- ----
SHA256 D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4 C:\AAACertificateServices.crt...

 

does match with the SHA256 hash for the Comodo/Sectigo Root CA stored at the MEBX of the Endpoint (Dynabook laptop by Toshiba with a Intel Vpro 12th generation processor ).

We get this value (hash stored at the MEBX) with "EMA Configuration tool":

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Intel EMA Configuration Tool\MEFirmwareInfo\RootCertificates]
"Go Daddy Class 2 CA"="SHA256, C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4, Active, Default; "
"Go Daddy Root CA-G2"="SHA256, 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA, Active, Default; "
"Comodo AAA CA"="SHA256, D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4, Active, Default; "

 

Previously, before having uploaded to the EMA Server the TLS-PKI Vpro certificate, we had a configuration with Intel AMT AutoSetup enabled with "Activation Method" configured to "Host Based Provisioning/HBP" (instead of TLS-PKI)

With this configuration, AMT Provisioning succeded in CCM (Client Control Mode)

 

Please, may you help us regarding the error at ACM AMT Provisioning?

 

Thank you very much in advance

 

 

 

 

0 Kudos

Link Copied

8 Replies
Victor_G_Intel
Employee
‎11-30-2022 10:28 AM
3,453 Views

Hello SistemasLVDG,


Thank you for posting on the Intel® communities.


In order to continue can you please provide the following:


  1. Model and manufacturer of the server?
  2. SQL version installed?
  3. How many endpoints are in your deployment and how many of those are been affected?
  4. Are the Endpoints on the same network or not?
  5. What is the exact Intel AMT version(s) being used?
  6. Is this a new deployment or a previously existing one? If it’s an old one, please share with us if this problem was presented on previous versions of Intel EMA.
  7. We are going to need a picture/screenshot of the enhanced key usage and the certification path of your PKI, secure, and root certificates.
  8. We appreciate the log provided. Please send us the following ones as well. You can find their paths below:


  • EMA logs from Server

[System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs


  • Installation log:

<installer Directory>/EMALog-Intel EMAInstaller.txt


  • EMA log from one of the endpoints:

[System drive]\Program Files\Intel\EMA Agent\EMAagentlog


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Copy link
Victor_G_Intel
Employee
‎12-01-2022 01:24 PM
3,342 Views

Hello SistemasLVDG,


I hope this message finds you well.


We are continuing the conversation via email for security purposes. We have also deleted some of the information on the thread so everything can be handled privately via email.


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
Copy link
mrant-k
Novice
‎05-15-2023 10:23 AM
2,301 Views
In response to Victor_G_Intel

Did this get resolved at all? I'm running into the exact same issue. Please share what you found out.

In response to Victor_G_Intel
0 Kudos
Copy link
SistemasLVDG
Beginner
‎05-16-2023 10:01 AM
2,289 Views
In response to mrant-k

Hello mrant-k
Yes, it got resolved
Intell engineers that support this forum (like Victor G.) will help you for sure.

In response to mrant-k
0 Kudos
Copy link
Cully1910
Beginner
‎07-11-2023 12:30 PM
2,061 Views
In response to mrant-k

Hey

 

I am having the same exact issue. Trying to install Intel EMA and have been unsuccesful in doing so. I run the installer, It connects to our SQL DB and created the DB fine, but then the install wizard presents a "There are warnings in the process. Please see the detailed event log to find details". Log files say all sorts of Intel EMA components 'Failed' to connect. I am doing a single server install. 

 

Thoughts?

In response to mrant-k
0 Kudos
Copy link
Cully1910
Beginner
‎07-11-2023 12:31 PM
2,061 Views
In response to Victor_G_Intel

Hi

 

I am having the same exact issue. Trying to install Intel EMA and have been unsuccesful in doing so. I run the installer, It connects to our SQL DB and created the DB fine, but then the install wizard presents a "There are warnings in the process. Please see the detailed event log to find details". Log files say all sorts of Intel EMA components 'Failed' to connect. I am doing a single server install. 

 

Can I schedule a call with you?

In response to Victor_G_Intel
0 Kudos
Copy link
Cully1910
Beginner
‎07-11-2023 12:30 PM
2,061 Views

Hi

 

"Yes, it got resolved" is not helpful to this forum if I am being completely honest. 

I am having the same exact issue. Trying to install Intel EMA and have been unsuccesful in doing so. I run the installer, It connects to our SQL DB and created the DB fine, but then the install wizard presents a "There are warnings in the process. Please see the detailed event log to find details". Log files say all sorts of Intel EMA components 'Failed' to connect. I am doing a single server install. 

 

Can you lend any pointers here?

 

 

0 Kudos
Copy link
Cully1910
Beginner
‎07-11-2023 12:36 PM
2,056 Views

My Bad - I meant to post this on the thread before this one. 

 

 

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.