Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2996 Discussions

I am new to vPro & when i was provisioning AMT on a device I got these errors.

Vvinn
Beginner
‎10-20-2015 11:38 AM
2,686 Views

Exit with code 33. Details: Failed to configure this Intel(R) AMT device. Initial connection to the Intel(R) AMT device failed. A valid PKI certificate was not found in Certificate Store of the user running the Remote Configuration Service.

Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.

I know that inorder to provision a device i should have have LMS installed & running. But what is the other error about?

Thanks in advance

0 Kudos

Link Copied

4 Replies
AP16
Valued Contributor III
‎10-20-2015 02:05 PM
1,772 Views

You need to have a valid public certificate, from supported by Intel CA, to authorize on remote machines. Read example doc https://downloadcenter.intel.com/download/21742 https://downloadcenter.intel.com/download/21742 of how to achive that, also note a

https://downloadcenter.intel.com/download/21849 https://downloadcenter.intel.com/download/21849

.

Copy link
Dariusz_W_Intel
Employee
‎10-21-2015 07:25 AM
1,772 Views

Hi, please check AMT Implementation and Reference Guide at https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/rootcertificatehashes.htm https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/rootcertificatehashes.htm

 

for list of Public trusted Root CA of which Root cert hashes are embeded in AMT FW so they are trusted by AMT FW.

You will need AMT Provisioning certificte (see requirements at https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/acquiringanintelvprocertificate.htm https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/acquiringanintelvprocertificate.htm and https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/pkicertificateverificationmethods.htm https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/pkicertificateverificationmethods.htm

Please note that up to AMT 5.x it supports SHA-1 ONLY - you will need all certificates in the chain to be SHA-1 (you have to request it explicite from CA).

AMT 6.0 or newer added suport for SHA-2 so both SHA-1 & SHA-2 certificates will work. see more details https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/hardwareplatformarchitecture1.htm https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/hardwareplatformarchitecture1.htm

rgds

darek

0 Kudos
Copy link
TKrem1
New Contributor I
‎10-27-2015 02:50 AM
1,772 Views
In response to Dariusz_W_Intel

Hi,

just as an Info.

SHA-2 certificates may be supported with AMT 6.0 or higher, but they don't work, because the Hash-Values in the AMT-mebx only

 

points to the SHA-1 Certificate-Hashes.

We tried to use a Verysign/Symantec SHA-2 Certificate and got an Error moving the device to Admin-Mode.

The Error Message was 'Signing the Nonce failed. This command is not supported on the operating System where the RCS is running.'

The operating System and Intel SCS are both on the latest Version so it should have worked.

After checking the Problem with the Intel Support we got the message that SHA 2 is supported but not implemented in Version 6.0 or higher.

(We tried it with a new Client with AMT-Version 8.0 and Version 9.0)

Because of this we had to revoke the SHA-2 Certificate and use a Verisign/Symantec SHA-1 private Certificate at the moment. They still offer this

method but you can't use it for Websites.

In response to Dariusz_W_Intel
0 Kudos
Copy link
Dariusz_W_Intel
Employee
‎12-02-2015 04:20 AM
1,772 Views
In response to TKrem1

Hi, sorry for late answer. Please note this community is not actively monitored by Intel employees.

SHA-2 leaf certificates (AMT Provisioning certificates) are supported by Intel AMT 6.0 or newer.

Intel AMT up to AMT 10 has only SHA-1 CA root certificate hashes embeded in default AMT FW - so you will have to use CA vendor cross signing certificate for CA's SHA-2 root cert issued by CA's SHA-1 "old" root.

all such certificates shall be installed on RCS server so SHA-2 leaf (AMT Provisioning certificate) trust chain will lead via cross sign cert to "old" SHA-1 root from AMT FW list.

and it works (checked it with other customers for AMT 8/9/10).

For some CAs they have different Roots for SHA 1 and for SHA 2 and new one may not be cross signed - you will have to check it with CA.

rgds

darek

In response to TKrem1
0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.