Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Hashes in AMT bios from PC vendor?

SWood7
Novice

We're working on configuring / provisioning a demo machine from HP, a dc7800. I've noticed that it has 4 hashes in its AMT:

  • Verisign Class 3 Primary CA G1

  • Verisign Class 3 Primary CA G3

  • Go Daddy Class 2 CA

  • Starfield Class 2 CA

From what I can tell, I'll need to have my own hash in there if I want to do Remote Configuration. This would lead me to think that for demo purposes, I won't be able to provision this demo system, using Remote Configuration, unless I get ahold of one of these hashes myself.

Any comments / help are warmly welcomed!

0 Kudos
5 Replies
idata
Employee

Hi swood,

You are correct. You will need to get a certificate from one of the certificate providers to perform zero touch (AMT 3.0 only). But if you're not interested in zero touch, you can issue a certificate from your own CA and do one touch, i.e. all the configuration information is placed on a USB key, then boot the AMT system with the USB key connected.

I would suggest you have a look at AMT DTK, this will allow you to provision and get a feel for what is possible.

Hope this helps.

Gibbo

0 Kudos
SWood7
Novice

Thanks for the answer to my question. I've been trying to get answers from my local HP and Intel folks and it seems like pulling teeth sometimes. This will help in my rollout.

0 Kudos
Matthew_R_Intel
Employee

Below I have included some high level steps that walk you through procuring a VeriSign certificate and configuring it for the Intel Setup and Configuration Service (SCS). Other certificate vendors like Go Daddy and Starfield will have different purchasing processes. As noted, you can configure the hash from your own Certificate CA within the AMT ME; however, if you are going to touch the box anyway it may make more sense to do a USB provisioning with PID/PPS.

Purchase Verisign Certificate

  1. Generate a Certificate Signing Request (CSR) by following the instructions at http://www.verisign.com/support/ssl-certificates-support/page_dev019431.html

  2. The Common Name (CN) needs to be the FQDN of the server you want to install this certificate on. (i.e. host name + domain name)

  3. Enter 'Intel(R) Client Setup Certificate' for Organization Unit (OU).

  4. Complete all the steps.

  5. Visit the VeriSign website, http://www.verisign.com/ssl/buy-ssl-certificates/, to start the purchasing process.

  6. Select 'Secure Site: SSL Certificates' under 'Buy Individual SSL Certificates'.

Note: you could choose the other two, which are at a more advanced level, depending on your needs.

  7. Enter all the information required and copy in the CSR generated by the server.

  8. Complete all the steps and print out the order confirmation page for your records.

  9. You will receive a VeriSign automated order verification email within a few hours. You have only 24 hours, after receiving the email, to finish this process. Click the link in the email and go through the process.

Important: If you cannot recognize the second phone number listed on the webpage, cancel the automated verification process and have them call you instead.

Certificate Installation and Exporting

  1. You will receive a link to the installation instructions in the email containing the certificate. Follow the instructions to complete the installation.

  2. VeriSign will send you the SSL certificate via email. If the certificate is an attachment (Cert.cer), save the file to the hard drive. If the certificate is in the body of the email, create a .cer file (example: NewCertificate.cer) by copying and pasting the certificate text into a plain text editor such as Notepad or Vi. Please be sure to include the header and footer as well as the surrounding dashes. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.

  3. Open the Internet Services Manager (IIS). Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.

  4. Under Web Sites, right-click your web site and select Properties.

  5. Click the Directory Security tab.

  6. Under Secure Communications, click Server Certificate.

  7. The Web Site Certificate Wizard will open, click Next.

  8. Choose Process the Pending Request and Install the Certificate, then click Next.

  9. Important: The pending request must match the response file. If you deleted the pending request in error you must generate a new CSR and replace this certificate.

  10. Select the location of the certificate response file, and then click Next.

  11. Read the summary screen to be sure that you are processing the correct certificate and then click Next.

  12. You see a confirmation screen. After you read this information, click Next.

  13. Go back to IIS Manager (Start > Programs > Administrative Tasks > IIS Manager).

  14. Expand Web Sites and right-click Default Web Site.

  15. Under Secure Communications, click View Certificate...

  16. Select the Detail tab.

  17. Click Copy to file at the bottom right of the window; the Certificate Export wizard will pop up. (N)

  18. Choose Yes, export the private key. (N)

  19. Mark Include all certificates in the certification path if possible. (N)

  20. Give a password (can be weak password) and confirm. (N)

  21. Give a location and file name for the resulting PFX. (N), Finish, Ok.

  22. Close all windows.

Adding Cert To SCS

1. Install the certificate created above in the System Certificate Store on the platform where the SCS executes. Follow these steps:

  1. Open certificates (local computer) using the Microsoft Management Console (MMC). To add the certificates plug-in to the MMC,

  2. Select file/add snap-in.

  3. Select Add....

  4. Select Certificates.

  5. Select computer account; click Next.

  6. Select Local computer; click Next.

  7. Select Finish; Close; select Certificates and click OK.

  8. In the console tree, click the logical store where the mmc will import the certificate.

  9. On the Action menu, point to All Tasks and then click Import to start the Certificate Import Wizard.

  10. Type the path and file name of the certificate to be imported or click Browse and navigate to the file.

  11. Select Automatically select the certificate store based on the...

0 Kudos
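Steps 2 and 3 of the CSR procedure in the post above, as an added example that is not part of the original post: it builds the CSR with the OpenSSL command line rather than the IIS wizard the post follows, then checks the CN and OU before the request is submitted. The host name `provision.example.com` and organization `Example Corp` are constructed.

```shell
#!/bin/sh
# Added example (not from the post): create and pre-check a CSR for a Remote
# Configuration certificate with OpenSSL. Host and organization are constructed.

REQUIRED_OU='Intel(R) Client Setup Certificate'   # OU value from step 3

# make_csr FQDN OUTDIR: new 2048-bit key plus a CSR with CN=FQDN and the OU above.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/OU=$REQUIRED_OU/CN=$1" \
        -keyout "$2/rc.key" -out "$2/rc.csr" 2>/dev/null
}

# csr_field CSR LONGNAME: print one subject attribute, e.g. commonName.
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n "s/^ *$2 *= //p"
}

# check_csr CSR EXPECTED_FQDN: print "ok" or the first problem found.
check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 ||
        { echo "CSR signature does not verify"; return 1; }
    [ "$(csr_field "$1" organizationalUnitName)" = "$REQUIRED_OU" ] ||
        { echo "OU is not '$REQUIRED_OU'"; return 1; }
    cn=$(csr_field "$1" commonName)
    [ "$cn" = "$2" ] || { echo "CN '$cn' is not the server FQDN '$2'"; return 1; }
    case $cn in
        *.*) echo ok ;;                                   # host name + domain name
        *)   echo "CN '$cn' has no domain part"; return 1 ;;
    esac
}

# Demo with the constructed FQDN.
tmp=$(mktemp -d)
make_csr provision.example.com "$tmp" && check_csr "$tmp/rc.csr" provision.example.com
```

The private key stays in `rc.key` on the machine that generated it; only `rc.csr` goes to the certificate vendor.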
SWood7
Novice

Good morning miroyer,

Thanks for the great, in-depth explanations on procuring and adding certs. This is really good information. I'm going to print it out and add it to my docs.

We're currently opting not to purchase a separate third-party cert to match the hashes that HP ships in their AMT. Our management feels that since we have our own CA, why use someone else's? I've tried to explain that ours does no good if it's not added to the device hash list by HP, but that's another story.

Our Intel rep has promised me that we can absolutely do Remote Configuration, (Zero Touch) with just our CA. I'm holding them to it!

Thanks again for the help!

0 Kudos
idata
Employee

Apologies for the delayed response. I don't get the chance to read the forum as often as I'd like. I want to clarify Remote Configuration for you as it seems you might have some inexact information.

You can use your own CA's hash to do Remote Configuration. There are two ways to accomplish that:

  1. Have your OEM (in your case this would be HP) insert your Hash into the Management Engine (ME) during system manufacturing. There is typically a charge from the OEM for this service.

  2. Use USB "one-touch" to insert your Hash into the Management Engine on your own. This would (obviously) require each and every system physically be touched.

There is no way to perform "zero-touch" Remote Configuration using your own CA's Hash without having your OEM pre-load the ME.

It might be beneficial for you to provide management with a quick overview of your choices from a financial perspective. Contact your HP rep and find out what they charge for the hash pre-configuration. Then contact the vendors listed in your initial post and get a quote for purchasing the Remote Configuration certificate (they all charge different amounts btw).

Also it might be helpful to know that, if you have a simple DNS infrastructure, you can purchase a single RC Cert, install it on your Provision Server to use for Remote Configuration, and still use your existing, internal CA to distribute TLS or 802.1x certs to your vPro client systems.

Hope that helps.

-jeff

0 Kudos
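An added example, not from the thread, for the choice described in the reply above: it computes a root CA certificate's hash and checks it against the hash list read from the AMT firmware. It assumes the list holds SHA-1 fingerprints of the root certificate; the demo root CA, the sample hash list and the labels `zero-touch` and `oem-preload-or-usb` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): is this root CA's hash already in the
# AMT firmware list? Assumption: the list holds SHA-1 certificate fingerprints;
# pass another digest name to cert_hash if the firmware shows a different one.

# normalize_hash TEXT: strip separators and upper-case a hash copied by hand.
normalize_hash() {
    printf '%s' "$1" | tr -d ' :-' | tr 'abcdef' 'ABCDEF'
}

# cert_hash CERT [DIGEST]: fingerprint of a PEM certificate as bare hex.
cert_hash() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha1}" |
        sed 's/^.*=//; s/://g'
}

# provisioning_path ROOTCERT LISTFILE: LISTFILE has one firmware hash per line.
# Prints "zero-touch" when the root is already trusted by the firmware,
# otherwise "oem-preload-or-usb" (labels are constructed for this example).
provisioning_path() {
    want=$(cert_hash "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$(normalize_hash "$line")" = "$want" ]; then
            echo zero-touch
            return 0
        fi
    done < "$2"
    echo oem-preload-or-usb
}

# make_demo_root OUTDIR: constructed self-signed root standing in for an internal CA.
make_demo_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Corp/CN=Example Internal Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# Demo: a constructed firmware list that does not contain the internal root.
tmp=$(mktemp -d) && make_demo_root "$tmp"
echo '00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33' > "$tmp/fw.txt"
provisioning_path "$tmp/root.pem" "$tmp/fw.txt"
```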