Community
cancel
Showing results for 
Search instead for 
Did you mean: 
idata
Community Manager
1,654 Views

Creating a USB key for PKI provisioning

Can anyone point me in the right direction to create a .bin file with my root certificate hash and put it on a USB key? I've been told its possible and that the USBkey utility from Intel can do it, but there don't seem to be any clear instructions on how to do this (atleast none that I can find). This is to enable one touch provisioning of DQ35JO workstations on SCCM 2007 SP1

0 Kudos
11 Replies
Matthew_R_Intel
Employee
355 Views

First step is to export a copy of your Root CA certificate which the Provisioning Certificate is issued from.

  1. Within Certificate snap-in, right click on the desired certificate for your root certificate authority (the root CA that chains up from your provisioning certificate) and select "All Task" -> "Export"
  2. When the Wizard window appears, select next
  3. Select "DER Encoded binary X.509 (.CER)" format and select next
  4. Give the export file a name. Something like "root-ca.cer", select next, and then finish

Using the USBFile command line utility, run the following command.

usbfile -create setup.bin admin /mailto:P@ssw0rd P@ssw0rd -hash root-ca.cer "My Root CA"

You can then view the setup.bin file by executing...

usbfile -view setup.bin

If you are happy with it, copy it to a USB stick.

--Matt Royer

idata
Community Manager
355 Views

Hi Matt

Ive already tried this, and while the USB file utility creates the setup.bin, the vPro machine doesnt recognise it as being on the USB drive when I plug it in and turn the machine on. Initially I thought the USB key might be bad, but a PSK setup.bin placed on the same key (either copied / using the utility in the development toolkit) works just fine.

Any suggestions?

Brian_C_Intel
Employee
355 Views

Vinay,

Have you been using the UKPU (usb key provisioning utility) to place the setup.bin file on the USB key? The utility helps avoid some of the common gotchas preparing a USB key.

The utility is here: http://communities.intel.com/community/openportit/vproexpert/activation/blog/2008/03/17/usb-key-prov... http://communities.intel.com/community/openportit/vproexpert/activation/blog/2008/03/17/usb-key-prov...

idata
Community Manager
355 Views

Brian,

Thanks for the suggestion, but unfortunately Ive already tried this utility (two different versions of it infact... including the latest one that came with the management development tool kit) with no success. Once again, using the utility to place a PSK setup.bin file works perfectly

Matthew_R_Intel
Employee
355 Views

To confirm, the AMT firmware version is 3.x or higher? AMT 2.x (more specifically 2.2 desktop / 2.6 laptop) do not support configuring / loading custom certificate hashes which limits us to provisioning certificates issue by the third party certificate authorities (VeriSign, GoDaddy, etc)

I am assuming that when you do a "usbfile -view setup.bin", everything looks healthy?

 

 

--Matt Royer
idata
Community Manager
355 Views

How do I obtain the usbfile.exe utility?

Matthew_R_Intel
Employee
355 Views

USBFILE utility availible in the http://softwarecommunity.intel.com/articles/eng/1023.htm AMT Software Development Kit (SDK); it's located in the .\Windows\Intel AMT SDK\Bin\Configuration\ConfigScripts directory of the AMT Software Development Kit download file.

--Matt Royer

idata
Community Manager
355 Views

Hello,

I make a USB setup file with USBFile.exe for importing PKI hash into bios. The client boots from the stick, but I get the error message - "missing current Intel ME password. If I view the setup.bin file the password is admin. Have you an idee? Thank you.

idata
Community Manager
355 Views

HI,

I just resolved the pki hash setup issue at my customer...

use version 3 of usbfile and flag the setup.bin as version 2.1 with the -v 2.1 switch...

idata
Community Manager
355 Views

Hi

I tried to get an USB key for PKI provisioning to work but it's not working at all. I followed a lot of threads in the forum but no success. If I create a setup.bin for TLS-PSK Provisioning the AMT Bios will detect the key and ask me to confim provisioning.

If I create a setup.bin for TLS-PKI provisioning the AMT BIOS didn't detect it. I also followed the instruction to change the setup.bin version information to 2.0 and/or 2.1 but still no success.

I appreciate for any further hints tips and tricks. One thing to mention. I used the SCS Console to create the setup.bin file for TLS-PSK provisioning. The TLS-PKI file was created via usbfile.exe. Is it possible to create a setup.bin for PKI Provisoning via the SCS console?

Thanks in advance

Joachim

idata
Community Manager
355 Views

certificate for USB

Reply