Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2919 Discussions

How to create a provisioning certificate for internal domain name

DWebb
Novice
2,618 Views

We have our internal DNS using an internal domain name that is not the same as the external domain name. It will not be possible to change this configuration.

Is it possible to acquire a externally signed certificate to allow remote configuration of the vPro devices?

One idea that I have is to create a certificate for provisionserver.example.com and may be add a subject alternative name to provisionserver.example.local. Would this work and if not what will work?

I think that having different internal and external domain names is relatively common.

Thanks

0 Kudos
1 Solution
Dariusz_W_Intel
Employee
1,634 Views

Unfortunately your idea will not work as Public CA's will not issue certificates with CN or SAN that can't be verified for domain ownership.

 

This issue used to be Intel AMT Remote Configuration showstopper for a long time but ...not anylonger

Possible sollutions from the most ready/easy to use:

  1. Use the latest McAfee ePO Deep Command - it has incorporated pseudo DHCP server that "spoofs" Intel AMT that it is in ... your external registered domain - just for configuration proces time.

     

    Even more - McAfee Deep Command comes with ready to use AMT Provisioning certificate that will work with this Pseudo DHCP server default domain name.
  2. Create DHCP reservations in your DHCP server for Intel AMT based systems to be configured with Reservation (only) Option 15 equal your external/registered domain name.

     

    You will need anyway AMT RCFG cert from one of 15 Public CA's that are trusted by default AMT FW. After AMT is configured you may delete reservations.

     

    I believe PS scripts can help to automate whole task.
  3. Change just DHCP server Option 15 to = your external/registered domain name. This will make AMT Remote Configuration work BUT may also negatively impact behaviour of other network devices (ex their autoconfiguration) that rely on DHCP option 15.
  4. You can import your own CA root cert hash into ME FW (with USB local preconfiguration) of every Intel AMT based system (it requires locall access during POST) and then self issue AMT RCFG cert signed by your own CA.

     

     

    rgds

     

     

    darek

     

View solution in original post

3 Replies
Dariusz_W_Intel
Employee
1,635 Views

Unfortunately your idea will not work as Public CA's will not issue certificates with CN or SAN that can't be verified for domain ownership.

 

This issue used to be Intel AMT Remote Configuration showstopper for a long time but ...not anylonger

Possible sollutions from the most ready/easy to use:

  1. Use the latest McAfee ePO Deep Command - it has incorporated pseudo DHCP server that "spoofs" Intel AMT that it is in ... your external registered domain - just for configuration proces time.

     

    Even more - McAfee Deep Command comes with ready to use AMT Provisioning certificate that will work with this Pseudo DHCP server default domain name.
  2. Create DHCP reservations in your DHCP server for Intel AMT based systems to be configured with Reservation (only) Option 15 equal your external/registered domain name.

     

    You will need anyway AMT RCFG cert from one of 15 Public CA's that are trusted by default AMT FW. After AMT is configured you may delete reservations.

     

    I believe PS scripts can help to automate whole task.
  3. Change just DHCP server Option 15 to = your external/registered domain name. This will make AMT Remote Configuration work BUT may also negatively impact behaviour of other network devices (ex their autoconfiguration) that rely on DHCP option 15.
  4. You can import your own CA root cert hash into ME FW (with USB local preconfiguration) of every Intel AMT based system (it requires locall access during POST) and then self issue AMT RCFG cert signed by your own CA.

     

     

    rgds

     

     

    darek

     

DWebb
Novice
1,634 Views

Thanks for the answers, it helps and leads to some more questions.

Points 2 and 3 sound similar, it the difference just that 2 restricts the change to option 15 to a subnet? We were discussing this as an option but haven't found out if anyone has successfully implemented this, easy to test for a few hosts or subnet.

Point 3 our company purchased multiple (100+) TLDs for our domain name. So it seems sensible to use one of these for the internal domain, would this be a good route?

Point 4 I was searching for a way to insert a thumbprint hash using a USB stick but have only found the error prone method of typing in 40 hex digits.What software would we need to use insert the hash into the BIOS?

Many thanks

Duncan

0 Kudos
Dariusz_W_Intel
Employee
1,634 Views

Duncan,

Point 4 - USBFile.exe tool allows to create setup.bin file with various AMT configuration/pre-configuration options. -hash option allows to create setup.bin file containing your own Root Certificate hash and then add it into Intel ME FW. if you like to see other possible usage options listed just run USBFile /?

 

USBFile.exe is part of Inel AMT SDK available at http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk in \Windows\Intel_AMT\Bin\Configuration\USBFile folder.

 

See also https://downloadcenter.intel.com/download/20979/Intel-vPro-Use-Case-Reference-Design-Local-Setup-and-Configuration-Using-a-USB-Flash-Drive Download Intel® vPro™ Use Case Reference Design - Local Setup and Configuration Using a USB Flash Drive.

Point 3 - TLDs - some TLDs like .com, .net and also some country domains allow to use single Intel AMT Provisioning certificate for subdomains - please see for details -https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/pkicertificateverificationmethods.htm https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/pkicertificateverificationmethods.htm

 

Points 2 and 3 - DHCP Option 15 change is needed only for a subnet/segment where unconfigured Intel vPro based systems are located (or DHCP Reservation per such single unconfigured system) and only for the time of Intel AMT first configuration (from unconfigured state).

 

Once Intel AMT is configured you can move those systems to different segment/DHCP scope with original internal domain name configured as DHCP Option 15 or delete Reservation.v

Until you will do Full Unprovision or Intel AMT (or its reset to factory defaults) you can change/reload AMT configuration from the RCS server (via ACUConfig script or SCS Jobs).

Rgds

darek

0 Kudos
Reply