Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Bind Specific Certificate to Remote TLS Security interface of AMT TLS Server Authentication

Maynman28
Beginner

I'm writing a PowerShell script to configure a system running AMT in Admin Control Mode but am having trouble replicating a step I can perform with MeshCommander.

So far I have successfully enabled AMT via Provisioning USB drive, installed the Intel vPro PowerShell cmdlets, and, using WSMAN commands from the sample code on the SDK website, set the various network settings and other desired configuration properties, imported a self-signed Trusted Root certificate, Public Certificate, and its Private Key.

I'm just trying to bind that Public Certificate to the Remote the TLS settings to use that particular Public Certificate.

In MeshCommander, I can go to Security Settings, and under Remote TLS security I can select Server-auth TLS and select the certificate. But I am at a loss at how to perform that same step in PowerShell.

Running the Invoke-ConfigureTLSServerAuthentication command will do most of the needed steps, but not that particular binding step.

Does anybody have any experience or tips on how I can figure out how to do that binding step on PowerShell?

JoseH_Intel
Moderator

Hello Maynman28,


Thank you for joining the Intel community.


The commands do not work if the following local policy is enabled:

System cryptography > Use FIPS compliant algorithms for encryption, hashing, and signing.

Change the setting to disabled, then reboot the system; after that the error will no longer appear.

Please give this a try and let us know.


An alternate approach could be contacting MeshCommander support for suggestions. Open Software Projects - MeshCommander

Also, you can take a look at Intel® Endpoint Management Assistant (Intel® EMA), since SCS/AMT is end of life now.


Regards


Jose A.

Intel Customer Support Technician


Maynman28
Beginner

Hello Jose, FIPS is not enabled. I actually reported the incompatibility with FIPS last year in another post.

My question is what PowerShell commands are needed to bind the specific TLS certificate to the Remote Security Settings in the same way that MeshCommander does it.

JoseH_Intel
Moderator

Hello Maynman28,


Thank you for confirming that FIPS is not enabled on your system. Let me try to get these commands for you. I will get back shortly.


Regards


Jose A.

Intel Customer Support Technician


Maynman28
Beginner
Hello Jose, did you ever hear back on the command?
JoseH_Intel
Moderator

Hello Maynman28,


Sorry about the delay. See if this helps them with the PowerShell script. It doesn't look like our engineers have a specific PowerShell command; it might be more useful to try a Microsoft forum for PowerShell assistance.


Intel® AMT SDK Implementation and Reference Guide


Hope this helps.


Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator

Hello Maynman28,


We did a review of the SDK contents and there is no included command to manipulate certificates or do the binding you are trying to accomplish. If you go to Open Software Projects - MeshCommander support, it's possible they could give you a hint or point you in a different direction that delivers a similar outcome.


Hope this helps.


Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator

Hello Maynman28,


We will proceed to mark this thread as closed. If you have further issues or questions just go ahead and submit a new topic.


Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator

Hello Maynman28,


A very final update:

You need to download the following vPro PowerShell SDK:

https://www.intel.com/content/www/us/en/download/674527/intel-vpro-technology-module-for-microsoft-windows-powershell-module.html


In the...


IntelProModule_16.0.0.5\bin\IntelvPro\


There is a function, Invoke-ConfigureTLSServerAuthentication, that should provide a good example of binding the cert to the TLS connection.


I believe this is the example you are looking for...

Invoke-ConfigureTLSServerAuthentication -ComputerName 192.168.168.10 -Username admin -Password Admin!98 -CertificateFilePath ".\leaf.cer"


Jose A.

Intel Customer Support Technician

