Intel® vPro™ Platform
Intel Manageability Forum (Intel® EMA, AMT, SCS & Manageability Commander)
2601 Discussions

How to set up the PKI certificate in my Intel EMA server

Teeee555
Beginner
3,214 Views

I'm trying to use Intel EMA to perform ACM connection,but failed.And I check the log in EMALog-ManageabilityServer.txt.It seems the cer we upload is't workable and matched.We have added the hash to the EMA setting.txt,so how can we solve this problem.

Maybe you someone can assist a way more reasonable and efficiency! Looking forward your reply and very much appreciation.

The log below is the error we check.

[1] - Message:Checking if the admin control mode is allowed : (DESKTOP-7K27LCD,B039E9AB).

[1] - Message:Current certificate chain status - NotStarted : (DESKTOP-7K27LCD,B039E9AB).

[1] - Message:Pushing activation certificate - EMA.vpro.local : (DESKTOP-7K27LCD,B039E9AB).

[1] - Message:Pushing activation certificate - vpro-EMA-CA : (DESKTOP-7K27LCD,B039E9AB).

[1] - Warning:Failed to push activation certificate - UNKNOWN : (DESKTOP-7K27LCD,B039E9AB).

[1] - Warning:Unable to go to admin mode, rolling back out of client mode : (DESKTOP-7K27LCD,B039E9AB).

[1] - Message:Connecting to Swarm Server : (DESKTOP-7K27LCD,B039E9AB). -
[1] - Message:Requesting ME unprovisionning : (DESKTOP-7K27LCD,B039E9AB). -
[1] - Disconnecting Swarm Server : (DESKTOP-7K27LCD,B039E9AB).
[1] - Clearing credentials from ema agent : (DESKTOP-7K27LCD,B039E9AB).-
[1] - Message:Deactivation completed : (DESKTOP-7K27LCD,B039E9AB).
Warning: Failed Intel AMT SetupAdmin activation : (DESKTOP-7K27LCD,B039E9AB).
Warning:-- Failed PKI provisioning : (DESKTOP-7K27LCD,B039E9AB).
[0] - Message:Performing database cleanup.

0 Kudos
11 Replies
Teeee555
Beginner
3,204 Views

I have attached the log and cer which we create and upload. Please kindly give your views.Thank you!

JoseH_Intel
Moderator
3,179 Views

Hello Teeee555,


Thank you for joining the Intel community


Are you using a commercially available certificate authority or trying to use your own certificate? If trying to use you own cert the process is more time consuming since you will need to add the hash manually to every system MEBx. You can follow these steps: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=222


When using a commercial CA then the process is detailed here: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-...


Hope it helps


Regards


Jose A.

Intel Customer Support Technician


Teeee555
Beginner
3,181 Views

HI Jose A

         Thankyou for your reply.

       I use my own certificate with the correct AMT OID,and the MEFW of client we use is ME16.

By the way,we can't add the PKI Cert Hash value into the client MEBX,it's not support now. So,if any way we could do to do ACM with our own cert using Intel EMA tool.    

JoseH_Intel
Moderator
2,995 Views

Hello Teeee555,


I found this information related to your question


There are many design decisions that could be make here. You can virtualize your CA or do a bare metal install with Intel® EMA on the same server.


It is also important to note that setting up your own PKI is considerably more complex than purchasing a commercially available certificate.


For best practices on setting up Intel® EMA server your should refer to the Intel® EMA Installation and user guide after your have established your PKI. Section 3.3 will walk you through on how to upload your private certification into the Intel® EMA server. My Document (intel.com)


Regards


Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator
2,760 Views

Hello Teeee555,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you back on next Tuesday 1st. After that this thread will be automatically archived.


Regards


Jose A.

Intel Customer Support Technician


Teeee555
Beginner
2,756 Views
Hi Jose A
Yes we have tried virtual CA,then would you offer some information about how and what EMA settings to change to match the virtual CA?Only upload it may not work.
So much thanks!
JoseH_Intel
Moderator
2,576 Views

Hello Teeee555,


Let me get this settings for you and I will get back to you soon.


Regards


Jose A.

Intel Customer Support Technician


JoseH_Intel
Moderator
2,197 Views

Hello Teeee555,


Are these pre-production systems? ME16 has not been released yet and is not supported.

Regardless, if you are on ME 15 that is because MEBX doesn't support SHA 1 hashes anymore for security reasons. You must use SHA 256. You can import this using USB SHA 256 key into MEBX using the USBfile tool in the AMT SDK found at...

https://software.intel.com/content/www/us/en/develop/download/intel-active-management-technology-sdk...


Let me know if you have further questions


Regards


Jose A.

Intel Customer Support Technician


Teeee555
Beginner
2,191 Views
HI Jose A,
Yes we are the pre-production system. So,we can't get this function until now?
Teeee555
Beginner
2,158 Views

HI Jose A,

  Thankyou very much.Now we have figured out the info you assist.That's a big help for us.

Last,Thanks!

JoseH_Intel
Moderator
2,124 Views

Hello Teeee555,


I am glad to hear that you were able to get the issue resolved. We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and submit a new topic.


Regards


Jose A.

Intel Customer Support Technician


Reply