Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Vvinn
Beginner
1,028 Views

I am new to vPro & when i was provisioning AMT on a device I got these errors.

Exit with code 33. Details: Failed to configure this Intel(R) AMT device. Initial connection to the Intel(R) AMT device failed. A valid PKI certificate was not found in Certificate Store of the user running the Remote Configuration Service.

Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.

I know that inorder to provision a device i should have have LMS installed & running. But what is the other error about?

Thanks in advance

0 Kudos
4 Replies
AP16
Valued Contributor III
114 Views

You need to have a valid public certificate, from supported by Intel CA, to authorize on remote machines. Read example doc https://downloadcenter.intel.com/download/21742 https://downloadcenter.intel.com/download/21742 of how to achive that, also note a

https://downloadcenter.intel.com/download/21849 https://downloadcenter.intel.com/download/21849

.

Dariusz_W_Intel
Employee
114 Views

TKrem1
New Contributor I
114 Views

Hi,

just as an Info.

SHA-2 certificates may be supported with AMT 6.0 or higher, but they don't work, because the Hash-Values in the AMT-mebx only

 

points to the SHA-1 Certificate-Hashes.

We tried to use a Verysign/Symantec SHA-2 Certificate and got an Error moving the device to Admin-Mode.

The Error Message was 'Signing the Nonce failed. This command is not supported on the operating System where the RCS is running.'

The operating System and Intel SCS are both on the latest Version so it should have worked.

After checking the Problem with the Intel Support we got the message that SHA 2 is supported but not implemented in Version 6.0 or higher.

(We tried it with a new Client with AMT-Version 8.0 and Version 9.0)

Because of this we had to revoke the SHA-2 Certificate and use a Verisign/Symantec SHA-1 private Certificate at the moment. They still offer this

method but you can't use it for Websites.

Dariusz_W_Intel
Employee
114 Views

Hi, sorry for late answer. Please note this community is not actively monitored by Intel employees.

SHA-2 leaf certificates (AMT Provisioning certificates) are supported by Intel AMT 6.0 or newer.

Intel AMT up to AMT 10 has only SHA-1 CA root certificate hashes embeded in default AMT FW - so you will have to use CA vendor cross signing certificate for CA's SHA-2 root cert issued by CA's SHA-1 "old" root.

all such certificates shall be installed on RCS server so SHA-2 leaf (AMT Provisioning certificate) trust chain will lead via cross sign cert to "old" SHA-1 root from AMT FW list.

and it works (checked it with other customers for AMT 8/9/10).

For some CAs they have different Roots for SHA 1 and for SHA 2 and new one may not be cross signed - you will have to check it with CA.

rgds

darek