Community
cancel
Showing results for 
Search instead for 
Did you mean: 
idata
Community Manager
1,159 Views

Do I really need to purchase a 3rd party external root CA certificates for RCFG and TLS?

Hi vPro Experts,

I would like to start by thanking you guys for the great work and the tremendous support that you guys have been rendering to the people across the world. We all know that vPro in itself is a new technology and there are many people who seek help every other moment just like I have found myself in need of your help yet again:

Anyway, coming to the question, I was just wondering the authenticity of the document located at http://hosted.comm100.com/KnowledgeBase/Article.aspx?siteId=128016&id=78 http://hosted.comm100.com/KnowledgeBase/Article.aspx?siteId=128016&id=78 . It seems like an extract from SDK dcoumentation. As far the above link is concerned, it states that one doesnt need a external root CA certificate for either remote management or for TLS. Is this true? Coz that excatly what I want to do (not purchase the external root CA certificate from the SSL vendors). Is it OK to follow the above document to generate, modify, use and then insert the cert hash into the vpro MeBX firmware for the purpose of remote provisioning and TLS communication?

Will it work?

Please confirm.

Thanks in advance

Mohammed

0 Kudos
3 Replies
idata
Community Manager
74 Views

Hi Mohammed,

In your previous thread /thread/29140 http://communities.intel.com/thread/29140, we showed when doing TLS communications a certificate is needed, as well for RCFG.

 

You need two seperate certificates for TLS and RCFG, the TLS certificate supplied by the CA and the RCFG certificate is the Go Daddy, Verisign ect.

The link you provided, shows you How to create AMT Certificates using the AMT SDK and OpenSSL, not that none are needed.

Greg

idata
Community Manager
74 Views

 

Also if you wish not to use TLS or RCFG certificates are not needed.

Greg

Jacob_G_Intel
Employee
74 Views

It sorta comes down to your goals. That document will work, if AMT is already configured. This means one of two things; either you use MEBx to do the initial config or you do Host Based Config. MEBx is a BIOS extension, so it means going into BIOS on every PC you with to setup & configure. Host Based Config can be acomplished with SCS 8 by running one of the ACU tool on the client in windows. The implication is that you are in "Client Control Mode" which means all redirection operations (SOL, IDEr, and KVM) require user consent before doing them.

So, if you're OK with one of those states, then the doc will work for you. I'd suggest just trying it on a couple systems to see how it works for you.

Oh, I almost forgot. That doc will only work on AMT 6 and above, and for host based config you need AMT 6.2 and above.

One other question is, do you need TLS? As Greg pointed out, you can do all remote operations w/o TLS. TLS is optional for added security.

My final thought; there are lots of ways to setup & configure AMT. If you're OK with an MS CA & host based config, SCS 8 can setup and configure AMT 6.2 and up with TLS, but no need for the RCFG cert. This is the easiest and most secure of all methods.

Reply