Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2846 Discussions

Endpoint Management Assistant AMT clients provisioning issue post ssl cert renewal

DesktopTechie
Beginner
1,004 Views

Hi

We recently renewed our AMT certificate and are now finding when we install the EMA client on test devices using regenerated client install files we are getting records created in EMA that are in a "not provisioned" state. If we use the web portal to do remote provisioning this seems to complete successfully. There doesn't appear to be anything getting written to the EMALog-ManageabilityServer log file on the server until we do the remote provisioning.

Just wondering where we should be looking to check we have followed the cert renewal process properly as prior to that devices were provisioning in admin control mode as expected just by installing the client, we did not need to use the remote provisioning via the web. 

 

Kind regards

 

Pete

 

 

0 Kudos
5 Replies
Victor_G_Intel
Employee
986 Views

Hello DesktopTechie,


Thank you for posting on the Intel® communities.


To continue please provide the following:


  1. Please provide the name of your certificate vendor.
  2. What EMA version are you currently using in your deployment?
  3. How many endpoints does your deployment have and how many have experienced this issue?
  4. Can you please share with us the steps you completed to renew the certificate? If you followed a document with the steps on it, you could just share it instead of writing down the steps.
  5. Please share with us a screenshot of the certificate you renewed showing fully the tab enhanced key usage and the tab certification path.


Regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
DesktopTechie
Beginner
967 Views

Hi Victor

 

It turns out we seem to have to just been patient, the profile were were using to provision the devices before the cert change started working as normal again the day after the original cert had expired.

We are using v1.9.1.0.

For information we were routed via this page when we went looking for specific instructions to follow just in case we had made a simple mistake with the new certificate setup: Requirements for Renewing the Certificate for Intel® Endpoint...

The link to instructions that we got from our certificate supplier (Comodo/Sectigo) didn't go anywhere either.

Is there a specific document other than the Admin guide we should be looking for when changing the certificates so we follow best practices?

I have noticed in the current EMALog-ManageabilityServer log file this morning the following for machines that appear to be successfully provisioned  in admin control mode just by installing the client:

Applying wired 802.1X settings failed.
Error = Certificate could not be added. Status code: INVALID_CERT.

Do we need to be removing the old cert from the system or does this indicate something might still be amiss.

 

Kind regards

 

Pete

 

0 Kudos
Victor_G_Intel
Employee
949 Views

Hello DesktopTechie,


Thank you so much for your response.


To answer your question the steps to renew the cert are the same as you use to install the cert for EMA, the only information we have appears in our Intel® Endpoint Management Assistant (Intel® EMA) Server Installation Guide; however, the steps from the certificate vendor can also be followed.


Also, in regard to the old certificate, you don’t need to erase it, at some point, you can if you like once all the endpoints in your deployment start reporting the new certificate, but until then you can just leave it there.


Additionally, in relation to the error you got in the ema logs, please provide the following so we can investigate further:


We are going to need a picture/screenshot where the sections enhanced key usage and certification path for your PKI, secure, and root certificates are shown fully.


The logs below will be required as well:


EMA logs from Server:


[System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs


EMA log from the endpoint:


[System drive]\Program Files\Intel\EMA Agent\EMAagentlog


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
887 Views

Hello DesktopTechie,


Were you able to check the previous post?  


Please let me know if you need further assistance.  

 

Regards,


Victor G. 

Intel Technical Support Technician  


0 Kudos
Victor_G_Intel
Employee
848 Views

Hello DesktopTechie,


We have not heard back from you.


If you need any additional information, please submit a new question as this thread will no longer be monitored.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Reply