Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2877 Discussions

CERT_VERIFY_FAILED on AddNextCertInChain for custom Root CA

penovac
Beginner
1,165 Views

Hi,

I am trying to enable ACM on Intel AMT, however when activating a client I get a CERT_VERIFY_FAILED on AddNextCertInChain for my custom Root CA certificate, even though the fingerprint has been added properly. The leaf certificate seems to get added properly. What could I be missing?


More info:
- I am using Open AMT Cloud Toolkit platform, CCM is working properly.
- I cannot obtain a certificate from a supplier already trusted in AMT, so I am trying to make my own.
- I generated an RSA2048 SHA256 key+cert as Root CA, then generated a key+cert request and signed it with the Root CA for the leaf AMT cert with proper OID, RSA2048 SHA256 as well.
- I bundled the Root CA cert, the leaf cert and the leaf key in a .pfx file imported into Open AMT Cloud Toolkit.

- The Root CA cert fingerprint has been enrolled in the client MEBx using a `setup.bin` on USB drive created with USBFile.
- The DNS suffix has been set manually in MEBx.

- Abbreviated output of `rpc activate -u <redacted> -n -profile <redacted> -v` (with hopefully enough info):

<h:AddNextCertInChain_INPUT xmlns:h=\"http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService\"><h:NextCertificate><redacted></h:NextCertificate><h:IsLeafCertificate>true</h:IsLeafCertificate><h:IsRootCertificate>false</h:IsRootCertificate></h:AddNextCertInChain_INPUT>
————
<g:AddNextCertInChain_OUTPUT><g:ReturnValue>0</g:ReturnValue></g:AddNextCertInChain_OUTPUT>
————
<h:AddNextCertInChain_INPUT xmlns:h=\"http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService\"><h:NextCertificate><redacted></h:NextCertificate><h:IsLeafCertificate>false</h:IsLeafCertificate><h:IsRootCertificate>true</h:IsRootCertificate></h:AddNextCertInChain_INPUT>
————
<g:AddNextCertInChain_OUTPUT><g:ReturnValue>4</g:ReturnValue></g:AddNextCertInChain_OUTPUT>
————
Device <redacted> activation failed. Error while adding the certificates to AMT.


- Output of `rpc amtinfo` on the client:

Version : 12.0.92
Build Number : 2145
SKU : 16392
Features : AMT Pro Corporate
UUID : <redacted>
Control Mode : pre-provisioning state
DNS Suffix : <redacted>
DNS Suffix (OS) : <same as hostname>
Hostname (OS) : <redacted>
RAS Network : unknown
RAS Remote Status : not connected
RAS Trigger : user initiated
RAS MPS Hostname :
---Wired Adapter---
DHCP Enabled : true
DHCP Mode : active
Link Status : up
IP Address : 0.0.0.0
MAC Address : <redacted>


- Output of `rpc amtinfo -cert` on the client (default fingerprints omitted):

Certificate Hashes :
Custom AMT Root CA (Active)
SHA256: 430ef2367bb1430b0e8e62c31959f8b3989dac597d75f47bf02665cfbc99e2ce


- Output of `openssl x509 -noout -fingerprint -sha256 -in Root_CA.crt`:

sha256 Fingerprint=43:0E:F2:36:7B:B1:43:0B:0E:8E:62:C3:19:59:F8:B3:98:9D:AC:59:7D:75:F4:7B:F0:26:65:CF:BC:99:E2:CE



- Output of `openssl x509 -noout -text -in Root_CA.crt`

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <redacted>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = <redacted>, ST = <redacted>, L = <redacted>, O = <redacted>, OU = Custom AMT Root CA, CN = <same as DNS suffix>, emailAddress = <redacted>
        Validity
            Not Before: Aug 17 12:21:39 2023 GMT
            Not After : Aug 14 12:21:39 2033 GMT
        Subject: C = <redacted>, ST = <redacted>, L = <redacted>, O = <redacted>, OU = Custom AMT Root CA, CN = <same as DNS suffix>, emailAddress = <redacted>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <redacted>
                Exponent: <redacted>
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage: critical
                Digital Signature, CRL Sign
            X509v3 Subject Key Identifier: 
                <redacted>
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        <redacted>

Do no hesitate to ask if I omitted some important information.
Thanks,

0 Kudos
1 Solution
MIGUEL_C_Intel
Moderator
1,139 Views

Hello, Penovac,

Intel® Open AMT Cloud toolkit is now supported via Discord. https://discord.com/invite/yrcMp2kDWh. Please use this community.


They will gladly assist you.


As general information, the endpoint BIOS firmware contains the root certificate hashes from a number of commercial Certificate Authorities including GoDaddy, Comodo, Entrust, Starfield, Cybertrust, or VeriSign. Additional details on supported root certificate hashes are available in the Intel AMT Implementation and Reference Guide at Intel® AMT SDK Implementation and Reference Guide https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Frootcertificatehashes.htm


The validated Certificates to Support Intel® AMT are available in the link below:

Open Active Management Technology Cloud Toolkit (Open AMT Cloud Toolkit) (button of the page)

https://www.intel.com/content/www/us/en/developer/topic-technology/edge-5g/tools/open-amt-cloud-toolkit.html


Regards,

Miguel C.

Intel Customer Support Technician


View solution in original post

0 Kudos
3 Replies
MIGUEL_C_Intel
Moderator
1,140 Views

Hello, Penovac,

Intel® Open AMT Cloud toolkit is now supported via Discord. https://discord.com/invite/yrcMp2kDWh. Please use this community.


They will gladly assist you.


As general information, the endpoint BIOS firmware contains the root certificate hashes from a number of commercial Certificate Authorities including GoDaddy, Comodo, Entrust, Starfield, Cybertrust, or VeriSign. Additional details on supported root certificate hashes are available in the Intel AMT Implementation and Reference Guide at Intel® AMT SDK Implementation and Reference Guide https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Frootcertificatehashes.htm


The validated Certificates to Support Intel® AMT are available in the link below:

Open Active Management Technology Cloud Toolkit (Open AMT Cloud Toolkit) (button of the page)

https://www.intel.com/content/www/us/en/developer/topic-technology/edge-5g/tools/open-amt-cloud-toolkit.html


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
penovac
Beginner
1,117 Views

Hi,

thanks for the answer. The people over at the Open AMT Cloud Toolkit community were very helpful. It turns out they just published yesterday a guide to generate the certificates: https://open-amt-cloud-toolkit.github.io/docs/2.14/Reference/Certificates/generateProvisioningCert/ .
This helped me figuring out what I was missing in my certificates :

  1. The Root CA certificate was missing `keyCertSign` in `keyUsage`, this was the cause of the `CERT_VERIFY_FAILED` error in `AddNextCertInChain`.
  2. The leaf certificates was missing the X509v3 extensions since I did not specify `-copy_extensions copyall` in my OpenSSL signing command line, this was the cause of a subsequent `AUTH_FAILED` in `AdminSetup`.

With the corrected certificates, the device activates properly in ACM and KVM without user consent is confirmed working.

It is important to note that the above guide recommends inputting the root CA certificate SHA1 fingerprint manually in the MEBx UI. Doing this still causes an "Invalid domain certificate, hash does not exists in list of trusted root certificates on AMT" error for me on an ME14 device, and this article says that it is not possible to do this since ME15 anymore: https://www.intel.com/content/www/us/en/support/articles/000058972/technologies/intel-active-management-technology-intel-amt.html .
Therefore, I still had to create a `setup.bin` with USBFile in order to enroll the SHA256 hash since SHA256 cannot be typed in manually in the MEBx UI.

Thanks for the help,

0 Kudos
MIGUEL_C_Intel
Moderator
1,087 Views

Hello, Penovac,


It was my pleasure.  Thank you for using Intel products.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
Reply