Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Expired TLS certificate.

RJard1
Beginner

Hi All,

The TLS certificate that I was using in my configuration expired. It was then renewed, but now when connecting to clients it shows as invalid but still connects. When you download the certificate it has the new expiry date. I have tried un-configuring and re-configuring the client but it made no difference. I tried creating a new profile and configuring with that. I also tried running a maintenance task on one of the clients. Any suggestions on what to do next? Create a new certificate and reconfigure all machines?

Cheers,

Ross

0 Kudos
15 Replies
idata
Employee

Hello rjardine,

Thanks for joining the community.

As part of the research process we will need you to attach the following information:

1. Screen shot of the certificate, specifically the values under Enhanced Key Usage.
2. Screen shot of the certificate's Certification path.
3. Screen shot of the RCSService in services. Include the account the service is running as.
4. Need a copy of the RCSLog.log file from the RCS server.
5. Confirmation that the certificate is in the personal certificate store of the account running the RCSServer service.

We look forward to your updates.

Regards.

Jose A.

0 Kudos
RJard1
Beginner

Hi Jose,

Thanks for the reply. I have included my responses to your questions below.

1. Screen shot of the certificate, specifically the values under Enhanced Key Usage.

2. Screen shot of the certificate's Certification path

3. Screen shot of the RCSService in services. Include the account the service is running as.

4. Need a copy of the RCSLog.log file from the RCS server.

(see attached)

5. Confirmation that the certificate is in the personal certificate store of the account running the RCSServer service.

(As Per Question 3 Screenshot)

0 Kudos
RJard1
Beginner

Hi Jose,

Thanks for the quick reply. Please see my responses below.

1. Screen shot of the certificate, specifically the values under Enhanced Key Usage.

2. Screen shot of the certificate's Certification path

3. Screen shot of the RCSService in services. Include the account the service is running as.

4. Need a copy of the RCSLog.log file from the RCS server.

(see attached)

5. Confirmation that the certificate is in the personal certificate store of the account running the RCSServer service.

(Included in Question 3)

Many thanks,

Ross

0 Kudos
idata
Employee

Hello rjardine,

Thanks for the information provided.

Please try any of the following methods:

There are four ways to fix the expired TLS certificate issue.

The first two methods are run on the Intel® Setup and Configuration Software (Intel® SCS) server through RCS:
  • ACUConfig MaintainViaRCSOnly RCSServer ProfileName AutoMaintain [/AdminPassword password] {[/WMIUser username] [/WMIUserPassword password]}
  • ACUConfig MaintainViaRCSOnly RCSServer ProfileName ReissueCertificates [/AdminPassword password] {[/WMIUser username] [/WMIUserPassword password]}
The next two methods are run locally on the affected system (Intel AMT 7 or greater):
  • ACUConfig MaintainAMT fileName.xml AutoMaintain [/AdminPassword password] [/DecryptionPassword password]
  • ACUConfig MaintainAMT fileName.xml ReissueCertificates [/AdminPassword password] [/DecryptionPassword password]
The definitions for the parameters are the following:

Command-Line Parameter: Definition
  • SyncNetworkSettings: Maintenance task that synchronizes network settings of the Intel® Active Management Technology (Intel® AMT) device as defined in the NetworkSettings tag of the Configuration Profile
  • AutoMaintain: Runs all the maintenance tasks required for the current Intel AMT–based device from the following task list [SyncAMTTime, SyncNetworkSettings, ReissueCertificates, RenewADPassword, RenewAdminPassword]
  • RCSServer: RCS server address
  • ProfileName: Configuration Profile name used by SCS to configure the Intel AMT–based device
  • fileName.xml: XML file containing the Configuration Profile used to configure the Intel AMT–based device
  • /WMIUser username: The name (in the format domain\username) of a user with WMI permissions on the computer running the RCS. This parameter is only required when running the Configurator under a user without WMI permissions on the RCS computer.
  • /WMIUserPassword password: The password of the WMI user
  • /AdminPassword password: The current password of the default Digest admin user defined in the Intel AMT–based device

Let me know if any of these helps.

Jose A.
0 Kudos
idata
Employee

Hello rjardine,

Do you have any updates, questions or comments in regards to this issue?

Please do not hesitate to contact us back.

If you consider the issue to be completed please let us know so we can proceed to mark this thread as resolved.

Regards

Jose A.
0 Kudos
RJard1
Beginner

Hi Jose,

I tried the methods from the RCS Server but I had no success; a lot of the systems failed to perform the maintenance. Even with the systems that report as successfully doing maintenance, they still show the certificate error. We have 2 profiles for two domains with slightly different configs; resorting to ACUConfig might be very complex. Also I set up a Get discovery Data task and this has been running for days and only slowly going up.

SCS Console View:

Error from Maintenance Task:

Regards,

Ross Jardine
0 Kudos
idata
Employee

Hello rjardine,

We regret to hear that there is no progress. We will investigate further and will update you soon.

Regards

Jose A.
0 Kudos
idata
Employee

Hello rjardine,

By any chance have you recently issued a new root or intermediate certificate? Did the RCS server get those updates?

Regards

Jose A.
0 Kudos
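
The question in the post above separates two failure modes: a client still presenting an expired certificate, and a renewed certificate whose issuing chain is not trusted on the machine doing the check. The following PowerShell is an added example, not part of the thread and not Intel tooling; the client names are placeholders and TCP 16993 as the Intel AMT TLS port is an assumption about the environment.

```powershell
# Added example, not from the thread. Client names are placeholders and
# TCP 16993 (Intel AMT TLS port) is an assumption about the environment.
$Clients = @('amt-client01.example.com', 'amt-client02.example.com')
$Port    = 16993

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the point is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate before the stream is disposed.
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

$report = foreach ($client in $Clients) {
    try {
        $cert  = Get-PresentedCertificate -HostName $client -Port $Port
        # Build the chain against this machine's certificate stores.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        [pscustomobject]@{
            Client      = $client
            NotAfter    = $cert.NotAfter
            Expired     = $cert.NotAfter -lt (Get-Date)
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            ChainOk     = $chainOk
            # NotTimeValid: a certificate in the chain is outside its validity period.
            # UntrustedRoot / PartialChain: the issuing CA is not trusted or not found here.
            ChainStatus = ($chain.ChainStatus | ForEach-Object Status) -join ', '
        }
    } catch {
        [pscustomobject]@{
            Client = $client; NotAfter = $null; Expired = $null; Issuer = $null
            Thumbprint = $null; ChainOk = $false
            ChainStatus = "connection or handshake failed: $($_.Exception.Message)"
        }
    }
}
$report | Format-Table -AutoSize
```

Running it before and after a maintenance task shows whether NotAfter on the client actually changed, independently of what the console reports.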
idata
Employee

Hello rjardine,

Do you have any updates, questions or comments in regards to this issue?

Please do not hesitate to contact us back.

If you consider the issue to be completed please let us know so we can proceed to mark this thread as resolved.

Regards

Jose A.
0 Kudos
RJard1
Beginner

Hi Jose,

Sorry I have been on vacation for a short while.

I am still trying to get to the bottom of this issue.

It appears our Domain Controller certificates were renewed about 2 months ago. I am making some enquiries about this.

I have tried running the maintenance tasks with acuconfig and have attached the logs. I have managed to create collections in Configuration Manager to identify which machines are running which profiles. So I can target the different groups of machines if I can get it working.

Regards,

Ross Jardine

0 Kudos
idata
Employee

Hello rjardine,

Thanks for the updates.

We will take a look at your logs and will let you know what we find.

Jose A.
0 Kudos
idata
Employee

Hello rjardine,

After looking at the maintenance logs that you attached I just found a line with an error:

Thread:6540(ERROR) : BB8XRC2.ltu.edu.au, Category: EnumerateNetworkInterfaces bad catch Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::EnumerateNetworkInterfaces Line: 6202:

Do you know what this address BB8XRC2.ltu.edu.au is for?

One suggestion is to please follow section 5.10, page 111 of the following document: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=118

Please let me know your updates.

Jose A.
0 Kudos
idata
Employee

Hello rjardine,

Do you have any updates, questions or comments in regards to this issue?

Please do not hesitate to contact us back.

If you consider the issue to be completed please let us know so we can proceed to mark this thread as resolved.

Regards

Jose A.
0 Kudos
idata
Employee

Hello rjardine,

We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and create a new topic.

Jose A.
0 Kudos