Can anyone point me in the right direction to create a .bin file with my root certificate hash and put it on a USB key? I've been told its possible and that the USBkey utility from Intel can do it, but there don't seem to be any clear instructions on how to do this (atleast none that I can find). This is to enable one touch provisioning of DQ35JO workstations on SCCM 2007 SP1
First step is to export a copy of your Root CA certificate which the Provisioning Certificate is issued from.
- Within Certificate snap-in, right click on the desired certificate for your root certificate authority (the root CA that chains up from your provisioning certificate) and select "All Task" -> "Export"
- When the Wizard window appears, select next
- Select "DER Encoded binary X.509 (.CER)" format and select next
- Give the export file a name. Something like "root-ca.cer", select next, and then finish
Using the USBFile command line utility, run the following command.
usbfile -create setup.bin admin /mailto:P@ssw0rd P@ssw0rd -hash root-ca.cer "My Root CA"
You can then view the setup.bin file by executing...
usbfile -view setup.bin
If you are happy with it, copy it to a USB stick.
Ive already tried this, and while the USB file utility creates the setup.bin, the vPro machine doesnt recognise it as being on the USB drive when I plug it in and turn the machine on. Initially I thought the USB key might be bad, but a PSK setup.bin placed on the same key (either copied / using the utility in the development toolkit) works just fine.
Have you been using the UKPU (usb key provisioning utility) to place the setup.bin file on the USB key? The utility helps avoid some of the common gotchas preparing a USB key.
The utility is here: http://communities.intel.com/community/openportit/vproexpert/activation/blog/2008/03/17/usb-key-provisioning-utility-onetouch-provisioning-tool-binary-38-source-now-available http://communities.intel.com/community/openportit/vproexpert/activation/blog/2008/03/17/usb-key-provisioning-utility-onetouch-provisioning-tool-binary-38-source-now-available
Thanks for the suggestion, but unfortunately Ive already tried this utility (two different versions of it infact... including the latest one that came with the management development tool kit) with no success. Once again, using the utility to place a PSK setup.bin file works perfectly
To confirm, the AMT firmware version is 3.x or higher? AMT 2.x (more specifically 2.2 desktop / 2.6 laptop) do not support configuring / loading custom certificate hashes which limits us to provisioning certificates issue by the third party certificate authorities (VeriSign, GoDaddy, etc)
I am assuming that when you do a "usbfile -view setup.bin", everything looks healthy?
USBFILE utility availible in the http://softwarecommunity.intel.com/articles/eng/1023.htm AMT Software Development Kit (SDK); it's located in the .\Windows\Intel AMT SDK\Bin\Configuration\ConfigScripts directory of the AMT Software Development Kit download file.
I make a USB setup file with USBFile.exe for importing PKI hash into bios. The client boots from the stick, but I get the error message - "missing current Intel ME password. If I view the setup.bin file the password is admin. Have you an idee? Thank you.
I tried to get an USB key for PKI provisioning to work but it's not working at all. I followed a lot of threads in the forum but no success. If I create a setup.bin for TLS-PSK Provisioning the AMT Bios will detect the key and ask me to confim provisioning.
If I create a setup.bin for TLS-PKI provisioning the AMT BIOS didn't detect it. I also followed the instruction to change the setup.bin version information to 2.0 and/or 2.1 but still no success.
I appreciate for any further hints tips and tricks. One thing to mention. I used the SCS Console to create the setup.bin file for TLS-PSK provisioning. The TLS-PKI file was created via usbfile.exe. Is it possible to create a setup.bin for PKI Provisoning via the SCS console?
Thanks in advance