Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Adding custom root certificate hashes to AMT

IBrow1
Beginner

What options / utilities are available for adding custom root certificate hashes to AMT boards/PCs after they've been purchased?

We have a large estate with many older (pre-AMT 11.x) boards still in use, and we can't find a supported CA that will still issue certs signed by their certificate chains that go back to their older SHA-1 roots that these boards/PCs need.

We have our own CA on prem, and would like to start using our own certificate on the vPro / RCS server, and are talking to our suppliers about getting our own root hashes onto PCs we buy in future, but want to know what our options are for adding it to the older PCs we already have.

JoseH_Intel
Moderator

Hello IBrow1,

Thank you for joining the Intel community.

If what you are looking for is a way to inject your own generated certificate hash into the AMT firmware, it is certainly possible; the steps are detailed here. Just take into consideration that this process needs the hash to be injected into each system manually.

About the actual hash, you will need to generate it using your own certificate server. If you find a commercially available CA then the process will be the same.

Regards

Jose A.

Intel Customer Support

IBrow1
Beginner

Hi Jose,

Are there any other ways? Typing is prone to mistakes.

I have a dim recollection of this being doable with a file on a USB stick, but just can't find it again in the documentation.

Also, are there any utilities that will do this from within Windows? Or can the hashes be added via the RCS server if the boards are already provisioned?
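
Added example, not part of either post above and not Intel code: the hash discussed in this thread is the certificate thumbprint, a digest over the root certificate's DER encoding, so it can be computed from the CA's exported PEM and a hand-typed value checked against it. The function names, the 4-digit grouping and the choice of SHA-1 or SHA-256 are assumptions (check which algorithm the firmware version accepts), and the sample bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def cert_hash(der, algorithm="sha1"):
    """Hex thumbprint of the DER encoding, grouped in fours for reading."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return "-".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalise(text):
    """Strip separators and case so typed and computed values compare."""
    return re.sub(r"[\s:\-]", "", text).upper()


def typed_matches(typed, der, algorithm="sha1"):
    """True if a hand-typed hash equals the certificate's hash."""
    typed_hex = normalise(typed)
    if not re.fullmatch(r"[0-9A-F]+", typed_hex):
        return False
    return hmac.compare_digest(typed_hex, normalise(cert_hash(der, algorithm)))


# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for alg in ("sha1", "sha256"):
        print(alg, cert_hash(der, alg))
```

Reading the value back from the firmware screen and passing it to `typed_matches` catches a transposed or missing digit before the system is relied on for provisioning.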

JoseH_Intel
Moderator

Hello IBrow1,

Unfortunately, the ability to inject a custom hash into MEBx using an automated method is not currently available, along with the USB method. These were available with the SDK, but that is currently unavailable with no ETA on when it will be posted again.

About this statement:

"Or can the hashes be added via the RCS server if the boards are already provisioned?"

If AMT is already provisioned by the OEM (it's called Embedded Host Base Configuration, meaning DNS info and network info are defined at the factory and shipped already activated), then yes, the system can be provisioned in admin control mode.

Regards

Jose A.

Intel Customer Support

JoseH_Intel
Moderator

Hello IBrow1,

I am just following up to double check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this ticket as resolved. This support interaction will be marked as resolved automatically in the next 3 business days if no activity is received.

Regards

Jose A.

Intel Customer Support Technician

JoseH_Intel
Moderator

Hello IBrow1,

We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and create a new topic.

Regards

Jose A.

Intel Customer Support Technician
