Intel vPro® Platform
Intel Manageability Forum (Intel® EMA, AMT, SCS & Manageability Commander)
This community is designed for sharing of public information. Please do not share Intel or third-party confidential information here.
2617 Discussions

Do I really need to purchase a 3rd party external root CA certificates for RCFG and TLS?

Community Manager

Hi vPro Experts,

I would like to start by thanking you guys for the great work and the tremendous support that you guys have been rendering to the people across the world. We all know that vPro in itself is a new technology and there are many people who seek help every other moment just like I have found myself in need of your help yet again:

Anyway, coming to the question, I was just wondering the authenticity of the document located at . It seems like an extract from SDK dcoumentation. As far the above link is concerned, it states that one doesnt need a external root CA certificate for either remote management or for TLS. Is this true? Coz that excatly what I want to do (not purchase the external root CA certificate from the SSL vendors). Is it OK to follow the above document to generate, modify, use and then insert the cert hash into the vpro MeBX firmware for the purpose of remote provisioning and TLS communication?

Will it work?

Please confirm.

Thanks in advance


0 Kudos
3 Replies
Community Manager

Hi Mohammed,

In your previous thread /thread/29140, we showed when doing TLS communications a certificate is needed, as well for RCFG.


You need two seperate certificates for TLS and RCFG, the TLS certificate supplied by the CA and the RCFG certificate is the Go Daddy, Verisign ect.

The link you provided, shows you How to create AMT Certificates using the AMT SDK and OpenSSL, not that none are needed.


Community Manager


Also if you wish not to use TLS or RCFG certificates are not needed.



It sorta comes down to your goals. That document will work, if AMT is already configured. This means one of two things; either you use MEBx to do the initial config or you do Host Based Config. MEBx is a BIOS extension, so it means going into BIOS on every PC you with to setup & configure. Host Based Config can be acomplished with SCS 8 by running one of the ACU tool on the client in windows. The implication is that you are in "Client Control Mode" which means all redirection operations (SOL, IDEr, and KVM) require user consent before doing them.

So, if you're OK with one of those states, then the doc will work for you. I'd suggest just trying it on a couple systems to see how it works for you.

Oh, I almost forgot. That doc will only work on AMT 6 and above, and for host based config you need AMT 6.2 and above.

One other question is, do you need TLS? As Greg pointed out, you can do all remote operations w/o TLS. TLS is optional for added security.

My final thought; there are lots of ways to setup & configure AMT. If you're OK with an MS CA & host based config, SCS 8 can setup and configure AMT 6.2 and up with TLS, but no need for the RCFG cert. This is the easiest and most secure of all methods.