Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2920 Discussions

How to setup TLS with own self signed certificate in Intel Manageability Commander?

JensD
Beginner
5,524 Views

Hello,

 

I have two PCs connected over LAN one of which is configured with Intel AMT v12. I'm trying to the remotely access the AMT Machine with Intel Manageability Commander using TLS but I'm a bit lost on how to setup the certificates so the connection can be established. I do not want to buy a certificate from some external CA, so I am trying to create the certificates myself to run some tests.

I've found a brief explanation about Certificate Checking in the Intel MC user guide saying, "Intel Manageability Commander automatically verifies that certificates, used in TLS, chain down to a root in the Windows Computer Account Trusted Root certificate store of the machine from which it is run. Additionally, the Intel MC will verify that the DNS name or Subject Name in the certificate matches the host name of the Intel AMT device".

Well now I'm no expert when it comes to certificates so that might be a fundamental problem, but how can I tell what certificate the Intel MC is trying to use?

Also i did not find a way to enable TLS in the Management Engine BIOS Extension of my AMT machine.

 

If possible can someone give me an explanation on where to put what certificates for each my client and the AMT Machine?

0 Kudos
11 Replies
Emeth_O_Intel
Moderator
4,998 Views

Hello,

 

Thank you for contacting Intel® AMT/SCS/Manageability Commander Community. 

 

Please check the following guides, you will find more information about the certificates and TLS configuration;

 

Chapter 6 - Preparing the Certification Authority:

Section 4.10 - Defining Transport Layer Security (TLS) 

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/Intel_AMT_Configuration_Utility.pdf

 

Chapter 9 - Preparing the Certification Authority :

Section 4.10 - Defining Transport Layer Security (TLS): 

https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf

 

On the other hand, what is the brand name of the AMT Machine that you are using?

 

Please let me know if you have any other questions about it and I will be more than happy to assist you.

 

Regards, 

 

Emeth O.

Intel Customer Support Technician.

Under Contract to Intel Corporation.

 

0 Kudos
JensD
Beginner
4,998 Views

Hello,

 

Thank you for the answer. I have the two machines SIMATIC IPC627E and SIMATIC IPC427E.

The first one is configured with AMT but also I only did configuration over the BIOS, which means i didn't use Intel SCS or Configuration Utility.

0 Kudos
Emeth_O_Intel
Moderator
4,998 Views

Hello,

 

We recommend using tools such as SCS and Configuration Utility in order to properly deploy the machines.

 

Now, could you please so kind and let me know if you could successfully see the configuration about the TLS feature?

 

Regards,

 

Emeth O.

Intel Customer Support Technician.

Under Contract to Intel Corporation.

 

0 Kudos
JensD
Beginner
4,998 Views

Hello,

 

I downloaded the SCS and installed some of the components. I've mainly looked into the ACU_Wizard where i found some settings for TLS.

It lets me choose between "Request certificate from Microsoft CA" and "Use certificate from file".

I figured I should choose the second option and just to test it out I put in a certificate and private key I created.

 

screens1.PNG

 

 

However it doesn't seem to work very well.

 

screen2.PNG

 

 

0 Kudos
Emeth_O_Intel
Moderator
4,998 Views

Hi, 

 

Due to the fact you are doing this configuration over the BIOS, it is not necessary to use a CA. The CA is necessary when you are using the RCS Server or SCS Software for remote provisioning usually when you have more than 100+ systems. 

 

About the TLS it is separate from CA, you can enable it or not within Intel® MEBX even if you are not configured a CA. 

 

Regards,

 

Emeth O.

Intel Customer Support Technician.

Under Contract to Intel Corporation.

 

 

0 Kudos
JensD
Beginner
4,998 Views

​Hmm, where would the option to enable TLS be in the MEBX because I can't seem to find it.

0 Kudos
Emeth_O_Intel
Moderator
4,998 Views

Hi, 

 

This is OEM dependent. 

 

I found the following BIOS User Manual: 

https://cache.industry.siemens.com/dl/files/621/109760621/att_970884/v1/simatic_ipc_firmware_bios_user_manual_enUS_en-US.pdf

 

Nevertheless, seems like it does not have too much information about TLS Feature. 

 

My best recommendation for you will be to contact the manufacturer of the computer in order to make sure this information 

 

Regards,

 

Emeth O.

Intel Customer Support Technician

A Contingent Worker at Intel

0 Kudos
Emeth_O_Intel
Moderator
4,998 Views

Hi,

 

I am following up on this case and I would like to know if you still need help with this.

If so, please do not hesitate and let me know and I will be more than happy to assist you.

 

I will be waiting for your outcome in order to proceed with the next step.

 

Regards,

 

Emeth O.

Intel Customer Support Technician

A Contingent Worker at Intel

 

0 Kudos
JensD
Beginner
4,998 Views

​Hi,

 

Similar to the replay earlier I was eventually able to load a certificate to the ME using the ACU_Wizard.

After that remotely accessing the machine in the bowser with https on port 16993 worked fine.

TLS also worked when using Mesh Commander but still no luck when attempting to connect with IMC.

 

I always get the following error message:

imcException - A TLS connection could not be established.

0 Kudos
Emeth_O_Intel
Moderator
4,998 Views

Hi,

 

Thank you so much for the information provided.

 

Could you please share with me the options you are selecting when you are trying to set up the TLS on IMC?

 

Regards,

 

Emeth O.

Intel Customer Support Technician

A Contingent Worker at Intel

 

0 Kudos
Emeth_O_Intel
Moderator
4,998 Views

Hi,

 

I am following up on your thread in order to see if you have any other questions, or if you still need help on this.

If so, please do not hesitate and contact us back and we will be more than happy to assist you.

 

Regards,

 

Emeth O.

Intel Customer Support Technician

A Contingent Worker at Intel

 

0 Kudos
Reply