Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

Do I really need to purchase a 3rd party external root CA certificates for RCFG and TLS?

idata
Employee
‎05-14-2012 11:03 PM
1,578 Views

Hi vPro Experts,

I would like to start by thanking you guys for the great work and the tremendous support that you guys have been rendering to the people across the world. We all know that vPro in itself is a new technology and there are many people who seek help every other moment just like I have found myself in need of your help yet again:

Anyway, coming to the question, I was just wondering the authenticity of the document located at http://hosted.comm100.com/KnowledgeBase/Article.aspx?siteId=128016&id=78 http://hosted.comm100.com/KnowledgeBase/Article.aspx?siteId=128016&id=78 . It seems like an extract from SDK dcoumentation. As far the above link is concerned, it states that one doesnt need a external root CA certificate for either remote management or for TLS. Is this true? Coz that excatly what I want to do (not purchase the external root CA certificate from the SSL vendors). Is it OK to follow the above document to generate, modify, use and then insert the cert hash into the vpro MeBX firmware for the purpose of remote provisioning and TLS communication?

Will it work?

Please confirm.

Thanks in advance

Mohammed

0 Kudos

Link Copied

3 Replies
idata
Employee
‎05-18-2012 09:24 AM
493 Views

Hi Mohammed,

In your previous thread /thread/29140 http://communities.intel.com/thread/29140, we showed when doing TLS communications a certificate is needed, as well for RCFG.

 

You need two seperate certificates for TLS and RCFG, the TLS certificate supplied by the CA and the RCFG certificate is the Go Daddy, Verisign ect.

The link you provided, shows you How to create AMT Certificates using the AMT SDK and OpenSSL, not that none are needed.

Greg

0 Kudos
Copy link
idata
Employee
‎05-21-2012 11:51 AM
493 Views
In response to idata

 

Also if you wish not to use TLS or RCFG certificates are not needed.

Greg

In response to idata
0 Kudos
Copy link
Jacob_G_Intel
Employee
‎05-22-2012 10:19 AM
493 Views

It sorta comes down to your goals. That document will work, if AMT is already configured. This means one of two things; either you use MEBx to do the initial config or you do Host Based Config. MEBx is a BIOS extension, so it means going into BIOS on every PC you with to setup & configure. Host Based Config can be acomplished with SCS 8 by running one of the ACU tool on the client in windows. The implication is that you are in "Client Control Mode" which means all redirection operations (SOL, IDEr, and KVM) require user consent before doing them.

So, if you're OK with one of those states, then the doc will work for you. I'd suggest just trying it on a couple systems to see how it works for you.

Oh, I almost forgot. That doc will only work on AMT 6 and above, and for host based config you need AMT 6.2 and above.

One other question is, do you need TLS? As Greg pointed out, you can do all remote operations w/o TLS. TLS is optional for added security.

My final thought; there are lots of ways to setup & configure AMT. If you're OK with an MS CA & host based config, SCS 8 can setup and configure AMT 6.2 and up with TLS, but no need for the RCFG cert. This is the easiest and most secure of all methods.

Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.