Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

How to set up the PKI certificate in my Intel EMA server

Teeee555
Beginner
6,772 Views

I'm trying to use Intel EMA to perform an ACM connection, but it failed. I checked the log in EMALog-ManageabilityServer.txt. It seems the cer we uploaded isn't workable and matched. We have added the hash to the EMA setting.txt, so how can we solve this problem?

Maybe someone can suggest a more reasonable and efficient way! Looking forward to your reply, with much appreciation.

The log below is the error we checked.

[1] - Message:Checking if the admin control mode is allowed : (DESKTOP-7K27LCD,B039E9AB).

[1] - Message:Current certificate chain status - NotStarted : (DESKTOP-7K27LCD,B039E9AB).

[1] - Message:Pushing activation certificate - EMA.vpro.local : (DESKTOP-7K27LCD,B039E9AB).

[1] - Message:Pushing activation certificate - vpro-EMA-CA : (DESKTOP-7K27LCD,B039E9AB).

[1] - Warning:Failed to push activation certificate - UNKNOWN : (DESKTOP-7K27LCD,B039E9AB).

[1] - Warning:Unable to go to admin mode, rolling back out of client mode : (DESKTOP-7K27LCD,B039E9AB).

[1] - Message:Connecting to Swarm Server : (DESKTOP-7K27LCD,B039E9AB). -
[1] - Message:Requesting ME unprovisionning : (DESKTOP-7K27LCD,B039E9AB). -
[1] - Disconnecting Swarm Server : (DESKTOP-7K27LCD,B039E9AB).
[1] - Clearing credentials from ema agent : (DESKTOP-7K27LCD,B039E9AB).-
[1] - Message:Deactivation completed : (DESKTOP-7K27LCD,B039E9AB).
Warning: Failed Intel AMT SetupAdmin activation : (DESKTOP-7K27LCD,B039E9AB).
Warning:-- Failed PKI provisioning : (DESKTOP-7K27LCD,B039E9AB).
[0] - Message:Performing database cleanup.

0 Kudos
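A way to triage a log like the one in the post above, as an added example that is not part of the original post and not Intel's tooling: it groups entries by endpoint ID and lists which activation certificates were pushed before the PKI failure. The line layout is inferred only from the excerpt shown, and `triage` and its field names are hypothetical.

```python
import re

# Constructed sample: lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
[1] - Message:Current certificate chain status - NotStarted : (DESKTOP-7K27LCD,B039E9AB).
[1] - Message:Pushing activation certificate - EMA.vpro.local : (DESKTOP-7K27LCD,B039E9AB).
[1] - Message:Pushing activation certificate - vpro-EMA-CA : (DESKTOP-7K27LCD,B039E9AB).
[1] - Warning:Failed to push activation certificate - UNKNOWN : (DESKTOP-7K27LCD,B039E9AB).
[1] - Warning:Unable to go to admin mode, rolling back out of client mode : (DESKTOP-7K27LCD,B039E9AB).
[1] - Message:Deactivation completed : (DESKTOP-7K27LCD,B039E9AB).
Warning:-- Failed PKI provisioning : (DESKTOP-7K27LCD,B039E9AB).
[0] - Message:Performing database cleanup.
"""

LINE_RE = re.compile(
    r"^(?:\[\d+\]\s*-\s*)?"                    # optional "[n] - " prefix
    r"(?:(?P<level>Message|Warning):)?[\s-]*"  # optional level, stray dashes
    r"(?P<text>.*?)"
    r"(?:\s*:\s*\((?P<host>[^,()]+),(?P<eid>[^()]+)\))?"  # optional endpoint tag
    r"[\s.\-]*$"
)
PUSH_PREFIX = "Pushing activation certificate - "

def triage(log_text):
    """Group entries by endpoint ID and summarise each activation attempt."""
    endpoints = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m["text"] or not m["eid"]:
            continue  # blank line, or a server-wide entry with no endpoint tag
        ep = endpoints.setdefault(m["eid"], {
            "host": m["host"], "chain_pushed": [], "warnings": [],
            "pki_failed": False, "rolled_back": False})
        text = m["text"]
        if text.startswith(PUSH_PREFIX):
            ep["chain_pushed"].append(text[len(PUSH_PREFIX):])
        if m["level"] == "Warning":
            ep["warnings"].append(text)
        if "Failed PKI provisioning" in text:
            ep["pki_failed"] = True
        if text == "Deactivation completed":
            ep["rolled_back"] = True
    return endpoints

if __name__ == "__main__":
    for eid, summary in triage(SAMPLE_LOG).items():
        print(eid, summary)
```
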
11 Replies
Teeee555
Beginner
6,762 Views

I have attached the log and the cer which we created and uploaded. Please kindly give your views. Thank you!

0 Kudos
JoseH_Intel
Moderator
6,737 Views

Hello Teeee555,


Thank you for joining the Intel community.


Are you using a commercially available certificate authority or trying to use your own certificate? If trying to use your own cert, the process is more time consuming since you will need to add the hash manually to every system MEBx. You can follow these steps: https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=222


When using a commercial CA then the process is detailed here: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=25


Hope it helps


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Teeee555
Beginner
6,739 Views

Hi Jose A,

Thank you for your reply.

I use my own certificate with the correct AMT OID, and the MEFW of the client we use is ME16.

By the way, we can't add the PKI cert hash value into the client MEBX; it's not supported now. So, is there any way we could do ACM with our own cert using the Intel EMA tool?

0 Kudos
JoseH_Intel
Moderator
6,553 Views

Hello Teeee555,


I found this information related to your question


There are many design decisions that could be made here. You can virtualize your CA or do a bare metal install with Intel® EMA on the same server.


It is also important to note that setting up your own PKI is considerably more complex than purchasing a commercially available certificate.


For best practices on setting up Intel® EMA server you should refer to the Intel® EMA Installation and user guide after you have established your PKI. Section 3.3 will walk you through on how to upload your private certification into the Intel® EMA server. My Document (intel.com)


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
6,318 Views

Hello Teeee555,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach you back on next Tuesday 1st. After that this thread will be automatically archived.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Teeee555
Beginner
6,314 Views
Hi Jose A,
Yes, we have tried a virtual CA. Then would you offer some information about how and what EMA settings to change to match the virtual CA? Only uploading it may not work.
Thanks so much!
0 Kudos
JoseH_Intel
Moderator
6,134 Views

Hello Teeee555,


Let me get these settings for you and I will get back to you soon.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
5,755 Views

Hello Teeee555,


Are these pre-production systems? ME16 has not been released yet and is not supported.

Regardless, if you are on ME 15 that is because MEBX doesn't support SHA 1 hashes anymore for security reasons. You must use SHA 256. You can import this using USB SHA 256 key into MEBX using the USBfile tool in the AMT SDK found at...

https://software.intel.com/content/www/us/en/develop/download/intel-active-management-technology-sdk.html


Let me know if you have further questions


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
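A check for the SHA-1 versus SHA-256 point in the reply above, as an added example that is not part of the original post and not code from the AMT SDK: it classifies a typed-in root certificate hash against the certificate's own fingerprints. It assumes the hash is the fingerprint of the whole DER-encoded root certificate; `check_root_hash` and its result strings are hypothetical, and the sample bytes are a constructed stand-in.

```python
import base64
import hashlib
import re

# Constructed stand-in bytes, NOT a real certificate: hashing never parses them.
SAMPLE_DER = bytes.fromhex("3082010a0201") + b"constructed-root-ca-placeholder"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return DER bytes from a PEM-armoured or raw DER certificate file."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def normalise(typed: str) -> str:
    """Drop the separators people type into hashes and lower-case the rest."""
    return re.sub(r"[\s:\-]", "", typed).lower()

def check_root_hash(cert_bytes: bytes, configured: str) -> str:
    """Classify a configured hash against the root certificate's fingerprints."""
    want = normalise(configured)
    if not re.fullmatch(r"[0-9a-f]+", want):
        return "malformed"
    der = cert_der(cert_bytes)
    if want == hashlib.sha256(der).hexdigest():
        return "ok-sha256"
    if want == hashlib.sha1(der).hexdigest():
        return "sha1-of-this-cert"      # right cert, but the digest the reply says MEBX rejects
    if len(want) == 40:
        return "sha1-length-no-match"
    if len(want) == 64:
        return "sha256-no-match"        # SHA-256 of some other certificate
    return "malformed"

if __name__ == "__main__":
    typed = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
    print(check_root_hash(SAMPLE_PEM, typed))
```
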
Teeee555
Beginner
5,749 Views
Hi Jose A,
Yes, we are the pre-production system. So, we can't get this function until now?
0 Kudos
Teeee555
Beginner
5,716 Views

Hi Jose A,

Thank you very much. Now we have figured out the info you provided. That's a big help for us.

Lastly, thanks!

0 Kudos
JoseH_Intel
Moderator
5,682 Views

Hello Teeee555,


I am glad to hear that you were able to get the issue resolved. We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and submit a new topic.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos