Hi, long-time lurker, first time poster.
I'm confused over cert generation after reading different posts, and I'm so close to getting this working. The infrastructure I support uses a root 4096 key length, so I've been following some examples for requesting certs from external CAs like Godaddy and Verisign (I'm forced to use Entrust due to circumstances out of my control). Some examples say to generate the 3rd-party cert from the member/webserver server, but then the Technet documentation indicates it's done from the domain's CA. This is where I'm getting lost, and here is what I've done so far:
I got the domain admins to generate a 2048-bit cert using the internal CA for the "AMT Provisioning" cert template (however, its root cert is 4096-bit). Upon reading this is not compatible, I then generated a CSR from the SCCM server and got the 2048-bit Entrust cert issued and imported on the webserver (and imported the Entrust root cross cert). However, I notice in SCCM > Component Config > OOBM I only have the option to choose the internal CA's template from above (that has the 4096-length root); I can't reference the Entrust cert for the AMT certificate config dialog box, but I figured ok, let's try it anyway.
So on the workstations I've imported the Entrust root hashes and, needless to say, in the log files I get a handshake, but it appears there is a cert issue based on the errors. I get a feeling that the 3rd-party cert must be generated and applied on the domain CA, not the member server, as per the Technet article http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning. Is this correct?
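The post turns on two facts that are easy to verify before touching SCCM at all: the RSA key length of the root versus the leaf, and whether the leaf actually chains to the root the workstations trust. The script below is an added example, not part of the original post or of any Microsoft or Entrust documentation. It uses OpenSSL on a POSIX shell (on the Windows side the equivalent checks are done with certutil or the Certificates MMC; the logic is the same) and constructs its own throwaway 4096-bit root and 2048-bit leaf so it runs offline. The subject names `Example Root CA` and `amt.example.local` are made up for the example; substitute your exported `.cer`/`.pem` files for the generated ones.

```shell
#!/bin/sh
# Added example (not from the original post): build a 4096-bit self-signed root
# and a 2048-bit leaf issued from a CSR, then report each key length and whether
# the leaf validates against that root. All names below are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR BITS : self-signed root CA whose RSA key is BITS long
make_ca() {
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# make_leaf DIR BITS : key + CSR generated on the "member server", signed by the root
make_leaf() {
  openssl req -newkey "rsa:$2" -nodes -sha256 \
    -subj "/CN=amt.example.local" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -sha256 -out "$1/leaf.pem" 2>/dev/null
}

# key_bits CERT : print the RSA modulus size of the certificate's public key
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# chains_to ROOT CERT : succeed only if CERT validates against ROOT
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build the constructed chain and report what a client would see.
make_ca "$WORK" 4096
make_leaf "$WORK" 2048
echo "root key : $(key_bits "$WORK/root.pem") bit"
echo "leaf key : $(key_bits "$WORK/leaf.pem") bit"
if chains_to "$WORK/root.pem" "$WORK/leaf.pem"; then
  echo "chain    : leaf validates against root"
else
  echo "chain    : leaf does NOT validate against root"
fi
```

Run `key_bits` against the root you pushed to the workstations and against the certificate bound on the provisioning server; if the root reports a length the AMT firmware will not accept, no amount of re-issuing the leaf fixes it, and if `chains_to` fails, the trust anchor on the workstation is not the one that issued the leaf.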