Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

AMT Provisioning issue

idata
Employee

We had tested Intel AMT provisioning using SCCM 2007 SP1 earlier. For the test we used a private certificate. I entered the hash manually in the client and AMT provisioning was working fine. Now we purchased the certificate from Verisign and installed it in SCCM OOB. Now I unprovision the client and try to provision it again, and in the client log (oobmgmt.log) it gives an error "Failed to call checkcertificate provider method,80041001". The certificate that we purchased from Verisign has a different root hash than what we have built in in the AMT BIOS of the clients. It's like doing it with a private certificate. I installed the proper root and intermediate certificates that I got from Verisign but still cannot. Just for testing, I manually entered the root hash in the client and the client was provisioned. BUT the client log said device provisioned successfully. The AMT log in the server said provisioning successful but I was not able to connect to the client using OOB or Power control. If I don't include the certificate hash in the client device manually, it fails. I am attaching a log for your info. I am not sure if it is an issue with the Verisign certificate or our web server certificate. I verified in the local CA that a certificate was issued to the client which was provisioned.

5 Replies
idata
Employee

I'd suggest starting with this article from Buz Brodin at Microsoft.

http://blogs.technet.com/configurationmgr/archive/2009/04/30/configmgr-2007-amt-provisioning-error-hash-list-of-amt-device-doesn-t-contain-our-provision-server-certificate-hash.aspx

It's my understanding that Verisign changed their root CA certificate a few months back. Any certificates obtained after that point in time have a mismatching hash with the ones embedded in the AMT firmware. Terry Cutler talks about this situation in this article:

http://communities.intel.com/community/openportit/vproexpert/activation/blog/2009/05/22/how-does-the-verisign-root-certificate-change-affect-intel-vpro

It would probably be desirable to update your systems to the latest AMT firmware, in order to ensure that the appropriate hashes are available. I don't know if any OEMs actually followed through with the G2 update or not, but it's worth checking on.

Cheers,

Trevor Sullivan

idata
Employee

Thanks for your reply. So in my case, if I understand correctly, I should request Verisign to reissue the certificate with a root hash of G1 premium which matches the root hashes in the Intel vPro machines. I will contact Verisign and update accordingly. This might be a common problem and I was curious to know what other people are doing about this.

idata
Employee

That is my understanding, yes. Back when I was at my last company, I had requested a Verisign certificate prior to the changeover to G2 certs, so these days, I typically recommend that people use GoDaddy, since they're more consistent.

Cheers,

Trevor Sullivan

idata
Employee

I just noticed that Steve Davies with Intel just recently updated a document on the vPro Expert Center. Please review the last page of this document for information on default certificate hashes:

http://communities.intel.com/docs/DOC-2110

Hope this helps!

Cheers,

Trevor Sullivan

idata
Employee

We had to return the server certificate to Verisign and request a new Secure Site Pro certificate which has a root hash matching the hash on the Intel vPro machines.
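Added example, not part of the thread or of any Intel or Microsoft tool: a pre-purchase check of the mismatch discussed above, comparing the root of a certificate chain file against the hash list read off the AMT device. It assumes the hashes are SHA-1 thumbprints of the DER-encoded certificate and that the bundle is ordered leaf first, root last; the "certificates" and device hash below are constructed placeholders, not real Verisign or firmware values.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def normalize(h):
    """Reduce 'ab:cd', 'AB-CD' or 'AB CD' style hashes to bare uppercase hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", h).upper()

def thumbprints(pem_bundle):
    """SHA-1 over each certificate's DER bytes, in bundle order."""
    return [hashlib.sha1(base64.b64decode("".join(b.split()))).hexdigest().upper()
            for b in PEM_RE.findall(pem_bundle)]

def check_chain(pem_bundle, device_hashes):
    """Compare the bundle's root (assumed to be the LAST cert) to the device list."""
    prints = thumbprints(pem_bundle)
    if not prints:
        raise ValueError("no certificates found in bundle")
    trusted = {normalize(h) for h in device_hashes}
    if any(len(h) != 40 for h in trusted):
        raise ValueError("device hash is not a 40-hex-digit SHA-1 value")
    root = prints[-1]
    return {
        "root": root,
        "root_trusted": root in trusted,
        # A leaf or intermediate that matches is not enough for provisioning.
        "non_root_matches": [p for p in prints[:-1] if p in trusted],
    }

# --- constructed sample data (placeholder bytes, not real certificates) ---
def _pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

def _colon(hexstr):
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))

LEAF, OLD_ROOT, NEW_ROOT = b"sample leaf", b"sample old root", b"sample new root"
# Hash as it might be typed from the firmware screen: lowercase, colon-separated.
DEVICE_HASHES = [_colon(hashlib.sha1(OLD_ROOT).hexdigest())]
OLD_BUNDLE = _pem(LEAF) + _pem(OLD_ROOT)   # chain ending in a root the device knows
NEW_BUNDLE = _pem(LEAF) + _pem(NEW_ROOT)   # chain ending in a root it does not know

if __name__ == "__main__":
    for name, bundle in (("old chain", OLD_BUNDLE), ("new chain", NEW_BUNDLE)):
        print(name, check_chain(bundle, DEVICE_HASHES))
```

A `root_trusted` result of `False` for the purchased chain corresponds to the situation in this thread, where the certificate had to be reissued under a root whose hash the firmware already carried.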
