Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

Bind Specific Certificate to Remote TLS Security interface of AMT TLS Server Authentication

Maynman28
Beginner
‎02-02-2022 11:47 AM
1,411 Views

I'm writing a PowerShell script to configure a system running AMT in Admin Control Mode but am having trouble replicating a step I can perform with MeshCommander.

 

So far I have successfully enabled AMT via Provisioning USB drive, installed the Intel vPro PowerShell cmdlets, and using WSMAN commands from the sample code on the SDK website, set the various network settings and other desired configuration properties, imported a self signed Trusted Root certificate, Public Certificate, and it's Private Key.

 

I'm just trying to bind that Public Certificate to the Remote  the TLS settings to use that particular Public Certificate.

 

In MeshCommander, I can go to Security Settings, and under Remote TLS security I can select Server-auth TLS and select the certificate. But I am at a loss at how to perform that same step in PowerShell.

 

Running the Invoke-ConfigureTLSServerAuthentication command will do most of the needed stops, but not that particular binding step.

 

Does anybody have any experience or tips on how I can figure out how to do that binding step on PowerShell?

Preview file
74 KB
0 Kudos

Link Copied

8 Replies
JoseH_Intel
Moderator
‎02-02-2022 09:51 PM
1,397 Views

Hello Maynman28,


Thank you for joining the Intel community


The commands do not work if the following local policy is enabled:

System cryptography > Use FIPS compliant algorithms for encryption, hashing, and signing.

Change the setting to disabled, then reboot the system, after that the error will no longer appears.

Please give this a try and let us know.


An alternate approach could be contacting MeshCommander support for suggestions. Open Software Projects - MeshCommander

Also you can take a look at Intel® Endpoint Management Assistant (Intel® EMA) since SCS/AMT is end of life now


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Copy link
Maynman28
Beginner
‎02-03-2022 10:41 AM
1,387 Views
In response to JoseH_Intel

Hello Jose, FIPS is not enabled. I actually reported the incompatibility with FIPS last year in another post. 

 

My question is what Powershell commands are needed to bind the specific TLS certificate to the Remote Security Settings in the same way that MeshCommander does it.

In response to JoseH_Intel
0 Kudos
Copy link
JoseH_Intel
Moderator
‎02-03-2022 05:06 PM
1,380 Views

Hello Maynman28,


Thank for confirming that FIPS is not enabled on your system. Let me try to get this commands for you. I will get back shortly.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Copy link
Maynman28
Beginner
‎02-11-2022 11:19 PM
1,343 Views
In response to JoseH_Intel
Hello Jose, did you ever hear back on the command?
In response to JoseH_Intel
0 Kudos
Copy link
JoseH_Intel
Moderator
‎02-15-2022 04:10 PM
1,305 Views

Hello Maynman28,


Sorry about the delay. See if this helps them with the Powershell script. Doesn't look our Engineers have a specific Powershell command, might be more useful to try a Microsoft forum for Powershell assistance.


Intel® AMT SDK Implementation and Reference Guide


Hope this helps.


Jose A.

Intel Customer Support Technician


0 Kudos
Copy link
JoseH_Intel
Moderator
‎02-15-2022 07:51 PM
1,300 Views

Hello Maynman28,


We did a review of the SDK contents and there is no included command to manipulate certificates or do the binding you are trying to accomplish. If you go to Open Software Projects - MeshCommander support, its possible they could give you a hint or point you into a different direction that delivers a similar outcome.


Hope this helps.


Jose A.

Intel Customer Support Technician


0 Kudos
Copy link
JoseH_Intel
Moderator
‎02-17-2022 06:44 PM
1,283 Views

Hello Maynman28,


We will proceed to mark this thread as closed. If you have further issues or questions just go ahead and submit a new topic.


Jose A.

Intel Customer Support Technician


0 Kudos
Copy link
JoseH_Intel
Moderator
‎03-03-2022 07:48 PM
1,218 Views

Hello Maynman28,


A very final update:

You need to download the following vPro Powershell SDK

https://www.intel.com/content/www/us/en/download/674527/intel-vpro-technology-module-for-microsoft-windows-powershell-module.html


In the...


IntelProModule_16.0.0.5\bin\IntelvPro\


There is a function Invoke-ConfigureTLSServerAuthentication that should provide as good example on binding the Cert to the TLS connection.


I believe this is the example you are looking for...

Invoke-ConfigureTLSServerAuthentication -ComputerName 192.168.168.10 -Username admin -Password Admin!98 -CertificateFilePath ".\leaf.cer"


Jose A.

Intel Customer Support Technician


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.