- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone point me in the right direction to create a .bin file with my root certificate hash and put it on a USB key? I've been told its possible and that the USBkey utility from Intel can do it, but there don't seem to be any clear instructions on how to do this (atleast none that I can find). This is to enable one touch provisioning of DQ35JO workstations on SCCM 2007 SP1
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First step is to export a copy of your Root CA certificate which the Provisioning Certificate is issued from.
- Within Certificate snap-in, right click on the desired certificate for your root certificate authority (the root CA that chains up from your provisioning certificate) and select "All Task" -> "Export"
- When the Wizard window appears, select next
- Select "DER Encoded binary X.509 (.CER)" format and select next
- Give the export file a name. Something like "root-ca.cer", select next, and then finish
Using the USBFile command line utility, run the following command.
usbfile -create setup.bin admin /mailto:P@ssw0rd P@ssw0rd -hash root-ca.cer "My Root CA"
You can then view the setup.bin file by executing...
usbfile -view setup.bin
If you are happy with it, copy it to a USB stick.
--Matt Royer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Matt
Ive already tried this, and while the USB file utility creates the setup.bin, the vPro machine doesnt recognise it as being on the USB drive when I plug it in and turn the machine on. Initially I thought the USB key might be bad, but a PSK setup.bin placed on the same key (either copied / using the utility in the development toolkit) works just fine.
Any suggestions?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vinay,
Have you been using the UKPU (usb key provisioning utility) to place the setup.bin file on the USB key? The utility helps avoid some of the common gotchas preparing a USB key.
The utility is here: http://communities.intel.com/community/openportit/vproexpert/activation/blog/2008/03/17/usb-key-provisioning-utility-onetouch-provisioning-tool-binary-38-source-now-available http://communities.intel.com/community/openportit/vproexpert/activation/blog/2008/03/17/usb-key-provisioning-utility-onetouch-provisioning-tool-binary-38-source-now-available
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brian,
Thanks for the suggestion, but unfortunately Ive already tried this utility (two different versions of it infact... including the latest one that came with the management development tool kit) with no success. Once again, using the utility to place a PSK setup.bin file works perfectly
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To confirm, the AMT firmware version is 3.x or higher? AMT 2.x (more specifically 2.2 desktop / 2.6 laptop) do not support configuring / loading custom certificate hashes which limits us to provisioning certificates issue by the third party certificate authorities (VeriSign, GoDaddy, etc)
I am assuming that when you do a "usbfile -view setup.bin", everything looks healthy?
--Matt Royer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
USBFILE utility availible in the http://softwarecommunity.intel.com/articles/eng/1023.htm AMT Software Development Kit (SDK); it's located in the .\Windows\Intel AMT SDK\Bin\Configuration\ConfigScripts directory of the AMT Software Development Kit download file.
--Matt Royer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I make a USB setup file with USBFile.exe for importing PKI hash into bios. The client boots from the stick, but I get the error message - "missing current Intel ME password. If I view the setup.bin file the password is admin. Have you an idee? Thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI,
I just resolved the pki hash setup issue at my customer...
use version 3 of usbfile and flag the setup.bin as version 2.1 with the -v 2.1 switch...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I tried to get an USB key for PKI provisioning to work but it's not working at all. I followed a lot of threads in the forum but no success. If I create a setup.bin for TLS-PSK Provisioning the AMT Bios will detect the key and ask me to confim provisioning.
If I create a setup.bin for TLS-PKI provisioning the AMT BIOS didn't detect it. I also followed the instruction to change the setup.bin version information to 2.0 and/or 2.1 but still no success.
I appreciate for any further hints tips and tricks. One thing to mention. I used the SCS Console to create the setup.bin file for TLS-PSK provisioning. The TLS-PKI file was created via usbfile.exe. Is it possible to create a setup.bin for PKI Provisoning via the SCS console?
Thanks in advance
Joachim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
certificate for USB
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page