Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Change CCM mode to ACM.

alex00900
Novice
5,451 Views

Hello.

We have a problem with the AMT setup.

We can configure HBP without any problems.

But we can't configure TLS-PKI.

We created a self-signed certificate according to the requirements, with the addition of an OID and made a chain.

We entered the DNS suffix PKI server-ema.it-ktk.local.

And entered the fingerprint of the root certificate.

But the AMT status hangs on Pending Activation.
How to enable Admin Control correctly?

0 Kudos
11 Replies
MIGUEL_C_Intel
Moderator
5,422 Views

Hello, alex00900,


The self-certificate option is tricky; it requires some extra steps due to the encryption requirements of the Certificate chain (SHA2). The root and the cert need to be SHA256. Then, it is necessary to manually install the certificate hash in the endpoint. Please be aware that this process needs to be done in every single endpoint.


First, review if both are SHA256. 

Open the Microsoft Manage Computer Certificates app, and open the Certificate folder of the Certificate-Local Computer>Personal.

Open the Certificate

Go to the Certification Path tab.

Select the Root Cert and press the View Certificate icon.

In the new window, select the Details tab.

Make sure it is SHA256. 


Upload the Certificate chain in the EMA console Settings tab.  You should see both lines of the Certificate.


If both are SHA256, it is necessary to perform the steps below.

Hash manual installation using the USBFile.exe tool.  Endpoints with Intel® vPRO come with pre-installed hashes of Authorized Certificate vendors.

It is possible to download it from Intel® Active Management Technology SDK.

https://software.intel.com/content/www/us/en/develop/download/intel-active-management-technology-sdk.html


Note: 

USB drive needs to be formatted as FAT (FAT32 and UEFI are not supported)

AMT configuration via USB option needs to be activated in the BIOS of the endpoint.


Finally, add the PKI DCS suffix in the endpoint.


If the issue continues, please share pictures of the Certificate chain (both lines) from the Details tab showing the SHA type.

Add a picture from the settings tab of the EMA console showing the Certificate installation.

And share the results of running the EMA Configuration tool (ECT), which will show the hash inclusion.


Intel® EMA Configuration Tool (ECT)

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

 

Installation:

Download and unzip the tool.

Double-click the .msi file and follow the prompts.

Run:

a- Open a command prompt (alternatively, you can run the tool from Windows PowerShell*) as administrator.

b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c- Run the command: EMAConfigTool.exe --verbose


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
alex00900
Novice
5,415 Views

Hello, thanks for your reply. We tried to do it with the USBFile.exe tool but couldn't find a suitable libcrypto.dll, taken from OpenSSL.

All our certificates have SHA256. We have made a chain and added it to the EMA server.

Error in the attached screenshot.

Do we need a specific version of the file libcrypto.dll?
We renamed it and dropped it into a folder with USBFile.exe.

We executed the command USBFile.exe -create setup.bin passMEBx passMEBx -amt -hash SERVER-EMA-CA.cer SERVER-EMA-CA sha256

0 Kudos
MIGUEL_C_Intel
Moderator
5,387 Views

Hello, alex00900,


The case will require further investigation by the engineering team.  Please send me in a private message the self-certificate that you created. 


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
5,320 Views

Hello, alex00900,


I got the private message with the self-cert.  Intel® AMT does not support the .local domain.  I am sending the Certificate requisites.


PKI Certificate Verification Methods

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
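The checks raised in the replies above (SHA256 on both certificates in the chain, the root fingerprint, the added OID, and the certificate name against the PKI DNS suffix, including the .local case) can be run in one pass from PowerShell. This is an added example, not part of any post and not Intel tooling; the function name, the default EKU OID value and the placeholder names in the usage comment are assumptions to confirm against the Intel guide linked above.

```powershell
function Test-AmtProvisioningChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Leaf,
        [Parameter(Mandatory)] [string] $PkiDnsSuffix,
        # Assumption: OID used for Intel AMT remote configuration certificates.
        [string] $AmtEkuOid = '2.16.840.1.113741.1.2.3'
    )
    # Build the chain without revocation checks; a private root has no CRL to reach.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void] $chain.Build($Leaf)
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root  = $certs[-1]

    # Every element, root included, must carry a SHA256 signature (e.g. sha256RSA).
    $weak = @($certs | Where-Object { $_.SignatureAlgorithm.FriendlyName -notlike 'sha256*' })

    # SHA256 fingerprint of the root certificate, computed over its DER encoding.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $rootHash = [BitConverter]::ToString($sha.ComputeHash($root.RawData)) -replace '-', ''
    $sha.Dispose()

    # Collect the Enhanced Key Usage OIDs present on the leaf certificate.
    $eku = $Leaf.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

    # Compare the certificate's common name with the suffix entered on the endpoint.
    $cn     = $Leaf.GetNameInfo('SimpleName', $false)
    $suffix = $PkiDnsSuffix.TrimStart('.')

    [pscustomobject]@{
        ChainLength      = $certs.Count
        RootIsSelfSigned = ($root.Subject -eq $root.Issuer)  # false: issuer missing from stores
        AllSha256        = ($weak.Count -eq 0)
        NonSha256        = $weak.Subject
        RootSha256       = $rootHash
        HasAmtEku        = ($ekuOids -contains $AmtEkuOid)
        SubjectCN        = $cn
        CnMatchesSuffix  = ($cn -eq $suffix) -or ($cn -like "*.$suffix")
        SuffixIsLocal    = ($suffix -like '*.local')          # reported as unsupported above
    }
}

# Usage (placeholder names): take the certificate from Local Computer > Personal.
# $leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=ema.example.com*'
# Test-AmtProvisioningChain -Leaf $leaf[0] -PkiDnsSuffix 'example.com'
```

A chain is ready to upload only when `AllSha256`, `RootIsSelfSigned`, `HasAmtEku` and `CnMatchesSuffix` are true and `SuffixIsLocal` is false; `RootSha256` is the value to compare with the fingerprint entered on the endpoint.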
alex00900
Novice
5,313 Views

Hello, thank you for your reply. Please confirm my understanding of how I will start to redo the CA and create a separate domain.

I need to create a certificate so that it has a name, say "intel.it-ktk.ee", following the table from your link.

Then it will be checked with libcrypto.dll?

And will I be able to proceed to the above written procedure?

0 Kudos
MIGUEL_C_Intel
Moderator
5,304 Views

Hello, alex00900,


The domain of the EMA Certificate needs to match the domain of your company. 


I am gathering more details about the libcrypto.dll file.  I will provide an update soon. 


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
5,138 Views

Hello, alex00900,


We are still working on your case.  


Do you mind confirming the version of Intel® AMT SDK that you are using?


Latest: Intel® AMT SDK version 16.0.7.1

https://www.intel.com/content/www/us/en/download/704388/intel-amt-sdk.html?cache=1639697797


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
alex00900
Novice
5,119 Views

We mainly use versions 12.0.x.

I'm afraid this topic is no longer relevant because of the necessary actions to enable Admin mode.

It is necessary to deploy a new domain, create all the existing infrastructure on it, reconnect all PCs to this domain, then generate a certificate and it will work.

Correct me if I'm wrong.

While we are using the program to turn on the PC.

0 Kudos
MIGUEL_C_Intel
Moderator
5,094 Views

Hello, Alex00900,


You are right, it is necessary to create a new domain, Certificate, and provision all the PCs to the new domain.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
4,984 Views

Hello, Alex00900,


By any chance, have you been able to work on your EMA configuration?  Please let us know if I can help you with anything else.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
4,856 Views

Hello, Alex00900,


I hope this post finds you well.


If further assistance is necessary, do not hesitate to reply.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos