Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2860 Discussions

EMA 1.7.1 TLS-PKI Cert Issue

carlosmnzn
Novice
1,755 Views

Hi, I was reading about ACM provisioning in Intel EMA 1.7.0.0 version had a bug where certificate chains were not retrieved from the database in the correct order, which could prevent certificate-based PKI-TLS (admin control mode) provisioning from working in certain cases.

 

We already have the new version (1.7.1.0) and this issue still appears. 

We have tried to provision Intel AMT later than 12.0.45 version devices with a valid certificate and doesn't work. 

 

On platform manager we can see this:

ema1.png

 

Thanks, regards.

0 Kudos
1 Solution
carlosmnzn
Novice
1,608 Views

Hi @JoseH_Intel 

 

After several tests we realized that enterprise root certificate import is required for the new version, so we additionally import the root certificate and it works.

 

We thought that only an Intel AMT PKI certificate was necessary because 1.6 and previous versions work without loading the enterprise root certificate. 

 

 

Thanks and regards.

View solution in original post

0 Kudos
11 Replies
JoseH_Intel
Moderator
1,717 Views

Hello carlosmnzn,


Thank you for joining the Intel community


We appreciate you bringing this to our attention. Could you share the following info:

  • Current certificate provider
  • Attach screenshot of the EMA console > Settings > certificates
  • Are you using CIRA or TLS security?
  • Where did you read about this cert chain issues on EMA v1.7.0?


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
carlosmnzn
Novice
1,706 Views

Hi @JoseH_Intel, I'm going to answer your questions in order:

 

 

1) The current certificate provider is GoDaddy. This certificate works correctly at the 1.6.X version of Intel EMA.

 

2) 

carlosmnzn_0-1653464685664.png

 

 

 

 

 

 

 

 

 

 

 

 

 

3) We use CIRA. In fact, in client mode, the devices are provisioned well and with the CIRA connection activated.

 

4) I read it in the pdf of 1.7.1.0 release notes, concretely at point 2 of  2 What's New in this Release?

carlosmnzn_1-1653464985702.png

 

I'm not sure if this issue is the one we are being affected by but I think so...

 

I will appreciate any information about it that can fix or tell us if it could be a bug or something similar because we have no idea what can be going on.

 

Thanks so much, regards.

Carlos M.

0 Kudos
JoseH_Intel
Moderator
1,689 Views

Hello carlosmnzn,


Thank you for your updates. I am not quite understanding well what your issue is. You say your endpoints are successfully provisioned and the CIRA connection is working fine. All this is working on EMA v1.6. So, is your issue related to EMA 1.7.1? Are you trying to provision any newer systems?

In the Release Notes > What's new section specifies that the certificate chain issue is corrected on this version (1.7.1). If you are finding issues when provisioning any new system, please attach the EMA log so we can take a look at the error shown.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
carlosmnzn
Novice
1,682 Views

Hi @JoseH_Intel 

 

Yes, the issue is related only to the 1.7.1.0 version. The EMA Server is running on Windows Server 2022 and the new device we are trying to test on this version has a 12.0.97 Intel AMT version with Windows 10 pro and is an intel vpro i5 8th gen device...

 

And yes, that's why I think the problem of the 1.7.0.0 still continues on 1.7.1.0 although in the release notes it appears that it has been fixed. Maybe I could be wrong, I only want to make sure the problem is not ours. 

 

What kind of logs exactly do you want me to attach? all logs at the path C:\Program Files (x86)\Intel\Platform Manager\EMALogs or any specific?

 

 

Thanks so much again, regards.

0 Kudos
JoseH_Intel
Moderator
1,661 Views

Hello carlosmnzn,


Thank you for the extra details. You stated to have EMA installed on a Window Server 2022 system. Looking at the supported OS for EMA, Win Server 2022 is not within the list. This might be generating issues during provisioning.

https://downloadmirror.intel.com/646990/Intel_EMA_Release_Notes.pdf#page=11


About the EMA logs, you can attach all of them.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
carlosmnzn
Novice
1,649 Views

Hello @JoseH_Intel 

 

Ok, let me try first to install EMA on a windows server 2019, when I have done the new results I'll inform you and if the issue continues I'll attach the logs. 

 

 

Thanks for your support again, regards.

0 Kudos
SergioS_Intel
Moderator
1,645 Views

Hello carlosmnzn,


We will be looking forward to your updates and the logs.



Best regards,

Sergio S.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
1,620 Views

Hello carlosmnzn,


I am just following up to double-check if you were able to gather the requested information. Otherwise let us know if you require more time to accomplish this.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
carlosmnzn
Novice
1,609 Views

Hi @JoseH_Intel 

 

After several tests we realized that enterprise root certificate import is required for the new version, so we additionally import the root certificate and it works.

 

We thought that only an Intel AMT PKI certificate was necessary because 1.6 and previous versions work without loading the enterprise root certificate. 

 

 

Thanks and regards.

0 Kudos
SergioS_Intel
Moderator
1,595 Views

Hello carlosmnzn,


We appreciate the additional information, please let us know if you need additional assistance or if we can close this thread.



Best regards,

Sergio S.

Intel Customer Support Technician


0 Kudos
carlosmnzn
Novice
1,575 Views

Hello Sergio.

 

All good. You can close this thread.

 

Thank you and Joseph for your quick assistance, regards.

0 Kudos
Reply