- EMA server components run on a single server (EMA 1.14.3.0)
- Server is accessible from the internet with ports 443, 8080, and 8084 open.
- EMA server is under the domain name ema.ourdomain.cz with a valid SSL certificate
- Sectigo AMT SSL certificate purchased and installed on the server is for this domain (ema.ourdomain.cz)
- PKI certificate imported to EMA contains the full certificate chain and has the Intel-specific OID
Computer details:
- Latest UEFI version and latest ME version
- DNS suffix configured in MEBx is "ourdomain.cz"
- I tried "Network Active" and "Network Inactive"
- Output from EMAConfigTool is attached below
I tried Full Unprovision in MEBx multiple times but no success.
Computer Status in Intel EMA:
Intel® EMA Agent: Win64-Service v1.14.3
Intel® ME: v16.1.25.2049 Admin Control Mode
CIRA selected: Yes
Intel® AMT setup status: Pending Activation
Power On
Connected
CIRA Not Connected
Could a missing Sectigo root certificate hash entry in MEBx be the problem? And what are my options for solving this issue? Are these hash entries in the EMA Agent profile, or does this depend on the computer vendor?
Thank you.
I'm pretty much stuck here as well ("Pending configuration"). Maybe check the logs here:
C:\Program Files (x86)\Intel\Platform Manager\EMALogs\EMALog-ManageabilityServer.txt
and look for errors regarding the hostname you try to configure.
Hi spudich,
Greetings!
We see that you are trying to provision the endpoint in ACM; however, the CIRA connection fails with the Sectigo certificate.
As you have already mentioned, the hash of the cert is not present in the MEBx or in the AMT firmware, and you do not have an option to manually provision the PKI DNS suffix in the MEBx.
Hence we would suggest that you make sure the Sectigo certificate has the AMT OID 2.16.840.1.113741.1.2.3; if not, kindly purchase an AMT provisioning certificate with the AMT OID 2.16.840.1.113741.1.2.3 from any of the authorized certificate vendors, such as GoDaddy or DigiCert, where the hash of this provisioning certificate with the AMT OID is in the AMT firmware.
As per the ECT log, we see that the endpoint has been provisioned successfully in ACM mode; however, the CIRA tunnel is not established from the AMT to the Swarm server in ACM mode.
Please check if ports 8080 and 16993 are open for the CIRA connection.
Please refer to the link given below for the certificate purchase:
https://www.intel.com/content/www/us/en/support/articles/000055009/technologies.html
Certificate Root Hash details:
Intel® AMT SDK Implementation and Reference Guide
OID Details:
Please feel free to share your observation.
Thanks & Regards
Arun
Intel Customer Support Technician
Thanks for the suggestions and guidance.
The original Sectigo certificate did have the correct OID.
Anyway, to be thorough, I purchased a new certificate from DigiCert, installed it on IIS, and imported it into EMA following Intel’s documentation.
I verified the certificate chain and confirmed the required OIDs are present.
To be sure, I rebooted the server.
On the endpoint, I removed the original EMAAgent profile, performed a Full Unprovision in MEBx, and also removed the device from EMA.
In EMA, I deleted the original Endpoint Group and the original AMT profile.
I reconfigured everything from scratch, including the new DigiCert PKI certificate, and applied the profile to the target machine.
Provisioning completes on the machine, but it still fails to establish a CIRA connection.
I tested the connection from the endpoint to ema.ourdomain.cz with Test-NetConnection on port 8080 and it passes (it was also working in CCM mode).
Just to be extra sure, I exported the DigiCert Global Root G2 certificate from IIS (exactly the one from the certificate chain) and converted it with openssl to a SHA256 thumbprint. I compared this thumbprint with the one from MEBx and they match.
Quick recap:
- valid certificate from DigiCert with specific OID 2.16.840.1.113741.1.2.3
- port 8080 for CIRA is open
- DNS suffix is set in MEBx to domain
Just to be sure: could you please confirm that if I have the EMA server on "ema.ourdomain.cz", the valid DNS suffix in MEBx is "ourdomain.cz"?
Are there any other requirements? Thank you very much.
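The two certificate checks described in the post above (AMT OID present in the leaf certificate, root SHA-256 thumbprint compared with the hashes shown in MEBx), as an added example that is not part of the original thread. It runs against a throwaway CA generated on the spot; the helper function names and file names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: runs against a throwaway CA generated below, not real vendor certificates.
AMT_OID="2.16.840.1.113741.1.2.3"   # AMT provisioning OID quoted in the thread

# Keep only hex digits and upper-case them, so "ab:cd", "AB-CD" and "ab cd" compare equal.
normalize_hash() { printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'; }

# SHA-256 thumbprint of a PEM certificate (hash over its DER encoding).
cert_sha256() {
  normalize_hash "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')"
}

# True if the certificate's text dump (its Extended Key Usage) lists the AMT OID.
has_amt_oid() { openssl x509 -in "$1" -noout -text | grep -qF "$AMT_OID"; }

# True if the root's thumbprint equals any hash in the list, e.g. hashes read off MEBx.
root_in_trust_list() {
  local want h
  want=$(cert_sha256 "$1"); shift
  for h in "$@"; do [ "$(normalize_hash "$h")" = "$want" ] && return 0; done
  return 1
}

# Constructed root and leaf; the leaf carries serverAuth plus the AMT OID in its EKU.
make_demo_chain() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Constructed Demo Root" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=ema.ourdomain.cz" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth,%s\n' "$AMT_OID" > "$d/ext.cnf"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ext.cnf" -days 2 -out "$d/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
has_amt_oid "$demo_dir/leaf.pem" && echo "leaf: AMT OID present"
openssl verify -CAfile "$demo_dir/root.pem" "$demo_dir/leaf.pem"
echo "root SHA-256: $(cert_sha256 "$demo_dir/root.pem")"
rm -rf "$demo_dir"   # the throwaway keys are not needed afterwards
```

With real files, point `has_amt_oid` at the exported provisioning certificate and pass the hashes read from MEBx as the extra arguments to `root_in_trust_list`.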
It’s finally working.
The issue was that the DigiCert root certificates weren’t uploaded in the EMA console. After adding them, everything works as expected.
In hindsight, the earlier problem with the Sectigo certificate was likely due to the Sectigo root hash not being present in MEBx, because the root certificate was present in EMA before.
I don't know why Sectigo is not included in MEBx. Maybe they ended their partnership with Intel recently? The only reason I originally bought a certificate from them was that I found Sectigo on Intel’s website, including an installation guide.
Many thanks for your help.
Hi spudich,
Glad to hear that the issue has been resolved; the delay in reply was due to our working hours.
Thank you for bringing to our notice that the hash of the Sectigo cert has not been added in the MEBx; we shall check this with our internal team.
Thank you for contacting Intel, please feel free to revert for any further query!
Thanks & Regards
Arun
Intel Customer Support Technician
