Exit with code 33. Details: Failed to configure this Intel(R) AMT device. Initial connection to the Intel(R) AMT device failed. A valid PKI certificate was not found in Certificate Store of the user running the Remote Configuration Service.
Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
I know that in order to provision a device I should have LMS installed & running. But what is the other error about?
Thanks in advance
You need to have a valid public certificate, from a CA supported by Intel, to authorize on remote machines. Read the example doc https://downloadcenter.intel.com/download/21742 on how to achieve that, also note https://downloadcenter.intel.com/download/21849.
Hi, please check the AMT Implementation and Reference Guide at https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/rootcertificatehashes.htm
for the list of public trusted Root CAs whose root cert hashes are embedded in AMT FW, so they are trusted by AMT FW.
You will need an AMT Provisioning certificate (see requirements at https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/acquiringanintelvprocertificate.htm and https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/pkicertificateverificationmethods.htm).
Please note that up to AMT 5.x it supports SHA-1 ONLY - you will need all certificates in the chain to be SHA-1 (you have to request it explicitly from the CA).
AMT 6.0 or newer added support for SHA-2, so both SHA-1 & SHA-2 certificates will work. See more details at https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/hardwareplatformarchitecture1.htm
rgds
darek
Hi,
just as an info.
SHA-2 certificates may be supported with AMT 6.0 or higher, but they don't work, because the hash values in the AMT MEBx only point to the SHA-1 certificate hashes.
We tried to use a Verisign/Symantec SHA-2 certificate and got an error moving the device to Admin Mode.
The error message was 'Signing the Nonce failed. This command is not supported on the operating System where the RCS is running.'
The operating system and Intel SCS are both on the latest version, so it should have worked.
After checking the problem with Intel Support we got the message that SHA-2 is supported but not implemented in version 6.0 or higher.
(We tried it with a new client with AMT version 8.0 and version 9.0.)
Because of this we had to revoke the SHA-2 certificate and use a Verisign/Symantec SHA-1 private certificate at the moment. They still offer this method but you can't use it for websites.
Hi, sorry for the late answer. Please note this community is not actively monitored by Intel employees.
SHA-2 leaf certificates (AMT Provisioning certificates) are supported by Intel AMT 6.0 or newer.
Intel AMT up to AMT 10 has only SHA-1 CA root certificate hashes embedded in the default AMT FW - so you will have to use the CA vendor's cross-signing certificate for the CA's SHA-2 root cert, issued by the CA's SHA-1 "old" root.
All such certificates shall be installed on the RCS server so the SHA-2 leaf (AMT Provisioning certificate) trust chain will lead via the cross-sign cert to the "old" SHA-1 root from the AMT FW list.
And it works (checked it with other customers for AMT 8/9/10).
Some CAs have different roots for SHA-1 and for SHA-2, and the new one may not be cross-signed - you will have to check it with the CA.
rgds
darek
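
The chain described in the last reply can be inspected on the RCS server before provisioning. The PowerShell script below is an added example, not part of the thread and not Intel tooling: it lists each certificate in the chain Windows builds for the provisioning certificate, with its signature algorithm and SHA-1 hash, and checks whether the chain ends at a root on the AMT firmware list. The parameter names, the placeholder values and the use of the `CurrentUser\My` store are assumptions.

```powershell
# Added example (not from the thread). Run it as the user account that runs the RCS.
# Both defaults are placeholders: supply your certificate's thumbprint and the SHA-1
# root hashes copied from the AMT root certificate hash list linked in the thread.
param(
    [string]   $Thumbprint    = '<PROVISIONING-CERT-THUMBPRINT>',
    [string[]] $AmtRootHashes = @('<SHA1-ROOT-HASH-FROM-AMT-FW-LIST>')
)

# Normalise "ab:cd ef" style hashes to the "ABCDEF" form Windows uses for thumbprints.
function Format-Hash([string]$h) { ($h -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

# Assumption: the certificate is in the Personal ("My") store of the current user.
$wanted = Format-Hash $Thumbprint
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert) { throw "No certificate with that thumbprint in Cert:\CurrentUser\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Structure check only: skip revocation lookups so the script also works offline.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

# Element 0 is the leaf; the last element is where the path Windows chose ends.
$elements = @($chain.ChainElements)
if ($elements.Count -eq 0) { throw "Windows could not build any chain for this certificate" }
for ($i = 0; $i -lt $elements.Count; $i++) {
    $c = $elements[$i].Certificate
    [pscustomobject]@{
        Depth      = $i
        Subject    = $c.Subject
        SignedWith = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
        Sha1Hash   = $c.Thumbprint                        # SHA-1 of the encoded certificate
    }
}

if (-not $built) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain did not validate: $status"
}
$root = $elements[-1].Certificate
if ($root.Subject -ne $root.Issuer) {
    Write-Warning "Chain is incomplete: last element is not self-signed ($($root.Subject))"
}
$trusted = @($AmtRootHashes | ForEach-Object { Format-Hash $_ })
if ($trusted -contains $root.Thumbprint) {
    "OK: chain ends at $($root.Subject), which is on the supplied AMT root hash list."
} else {
    Write-Warning "Chain ends at $($root.Subject) ($($root.Thumbprint)), not on the supplied list. Ask the CA for a cross-signing certificate issued by its SHA-1 root and install it on the RCS server."
}
```

Windows selects a single path when more than one exists, so a result ending at a SHA-2 root can also mean the cross-signing certificate is installed but was not the path chosen.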