Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel AMT PKI certificate

VeeDub
New Contributor I

Hello,

Neither the video nor the documentation explains clearly what the process is to obtain an Intel AMT PKI certificate.

Is this a certificate that I can create myself? (my impression is that it isn't).

If not, what are the requirements for the certificate?

I've had a look at section 3.5.1 of the Admin and Usage Guide and I am not much the wiser having read that section.

If I need to purchase a certificate, which seems possible / likely, then I want to understand the certificate requirements so that I don't waste money or any more time than is necessary in obtaining a certificate.

The statement:

"The certificate file needs to have the full certificate chain"

Means what exactly?

Can I suggest that documentation be written in "plain English", with examples where appropriate (like in this instance), so that potentially complicated topics may be more easily understood.

May I also suggest that you have your documentation and videos reviewed by someone who is not intimately familiar with setting up and using EMA, so that you can refine your guides before releasing them to the general public.

Thanks

VW

1 Solution
VeeDub
New Contributor I

Hello Victor,

When I attempted to re-add the Christine-P3660 endpoint into EMA, it didn't appear.

At this point, as I had experienced a lot of issues with EMA, I decided to look for an alternative.

I managed to find an installer for MeshCommander.

I was able to get MeshCommander installed and connected to Christine-P3660 with the KVM in around 5 minutes.

I've decided that MeshCommander is more suitable for my needs.

I do appreciate your on-going assistance.

However, I think Intel EMA is more "enterprise" focussed than what I need and unfortunately not as easy to deploy as I would have expected.

Regards,

Vaughan

65 Replies
Victor_G_Intel
Employee

Hello VeeDub,

Thank you for posting on the Intel® communities.

We appreciate your feedback. Regarding the certificate, you can purchase it from a certified vendor; in the link below you will find the vendors we have validated.

Intel® Active Management Technology Implementation

https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/active-management-technology/implementation.html

Additionally, please bear in mind that you only need a PKI certificate to eventually be able to provision the endpoints in Admin Control Mode (ACM), which does not require any user consent for a remote KVM connection. If you want to proceed without the certificate you can; however, the endpoints will be provisioned in Client Control Mode (CCM), which does require user consent to establish a remote KVM connection. You can find more information on this in our guide in the link below (section 1.2.7 Intel® AMT Provisioning/Setup Flow in Intel® EMA, page 6).

Intel® Endpoint Management Assistant (Intel® EMA) Administration and Usage Guide

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=11

Best regards,

Victor G.

Intel Technical Support Technician


VeeDub
New Contributor I

Hello Victor,

Our Active Directory domain is not accessible externally and uses a .local suffix.

Is it possible to create a self-signed PKI certificate?

Thanks

VW

Victor_G_Intel
Employee

Hello VeeDub,

Thank you for your response.

To answer your question: yes, it is possible to create a self-signed certificate; however, it is a more time-consuming process since you will need to add the hash manually to every system's MEBx. You can find more information in the link below.

How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher

https://www.intel.com/content/www/us/en/support/articles/000059996/software.html

Best regards,

Victor G.

Intel Technical Support Technician


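The opening post asks what "the certificate file needs to have the full certificate chain" means, and the reply above points at the self-signed route where a certificate hash is entered into every system's MEBx. The script below is an added example, not code from this thread or from Intel: it uses OpenSSL to build a self-signed root CA and an Intel AMT style provisioning certificate, assembles the full-chain file (leaf first, then every issuer up to the root), verifies that the chain is valid, exports a PFX that carries the chain, and derives the SHA-256 hash of the root certificate, which is the value MEBx asks for. The two markers on the leaf (OU "Intel(R) Client Setup Certificate" and the EKU OID 2.16.840.1.113741.1.2.3) are the ones Intel's provisioning documentation uses to identify a setup certificate; the names example.local, ema.example.local, the CA name and the PFX password are placeholders chosen for this demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Intel): self-signed root CA,
# AMT-style provisioning certificate, full-chain file, PFX, and MEBx hash.
# example.local / ema.example.local / "Example AMT Root CA" are placeholders.
set -eu

# EKU OID that marks a certificate as an Intel AMT setup certificate
# (the OU "Intel(R) Client Setup Certificate" is the alternative marker).
AMT_SETUP_OID="2.16.840.1.113741.1.2.3"

# make_amt_chain DIR DNS_SUFFIX
#   writes root.pem/root.key, prov.pem/prov.key, prov-chain.pem, prov.pfx in DIR
make_amt_chain() {
  dir="$1"; suffix="$2"
  mkdir -p "$dir"

  # 1. Self-signed root CA. Its SHA-256 hash is what goes into MEBx.
  cat > "$dir/root.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example AMT Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/root.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

  # 2. Provisioning (leaf) certificate. The domain suffix of the CN must match
  #    the DNS suffix the endpoints see (here example.local); the OU and the
  #    EKU OID identify it as an AMT setup certificate.
  cat > "$dir/prov.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
OU = Intel(R) Client Setup Certificate
CN = ema.${suffix}
EOF
  openssl req -new -config "$dir/prov.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/prov.key" -out "$dir/prov.csr" 2>/dev/null
  cat > "$dir/prov.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, ${AMT_SETUP_OID}
subjectAltName = DNS:ema.${suffix}
EOF
  openssl x509 -req -sha256 -days 730 -in "$dir/prov.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/prov.ext" -out "$dir/prov.pem" 2>/dev/null

  # 3. "Full certificate chain": leaf first, then every issuer up to the root.
  #    With a commercial CA there would be intermediates between the two.
  cat "$dir/prov.pem" "$dir/root.pem" > "$dir/prov-chain.pem"

  # 4. PFX carrying key, leaf and chain, the form a tool such as EMA imports.
  #    "demo-only" is a placeholder password.
  openssl pkcs12 -export -inkey "$dir/prov.key" -in "$dir/prov.pem" \
    -certfile "$dir/root.pem" -passout pass:demo-only -out "$dir/prov.pfx"
}

# chain_verifies LEAF ROOT: succeeds only if LEAF chains to the trusted ROOT
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# has_amt_eku CERT: succeeds if the Intel AMT setup OID is in the EKU
has_amt_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$AMT_SETUP_OID"
}

# pem_cert_count FILE: number of certificates in a PEM bundle (2 here:
# leaf + root; a chain with one intermediate would give 3)
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# root_hash_for_mebx ROOT: 64 hex chars, SHA-256 over the DER-encoded root,
# i.e. the certificate fingerprint, typed into MEBx as the trusted root hash
root_hash_for_mebx() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}

# Stand-alone run: build everything in a temp dir and print the MEBx hash.
work="$(mktemp -d)"
make_amt_chain "$work" example.local
chain_verifies "$work/prov.pem" "$work/root.pem" && echo "chain OK"
has_amt_eku "$work/prov.pem" && echo "AMT setup EKU present"
echo "certs in prov-chain.pem: $(pem_cert_count "$work/prov-chain.pem")"
echo "MEBx root hash: $(root_hash_for_mebx "$work/root.pem")"
```

Two practical notes. A public CA will not issue a certificate for a .local name, which is why a domain with that suffix ends up on the self-signed route and why the root hash then has to be entered into MEBx on each machine; the pre-loaded commercial roots that Intel's vendor list refers to skip that step. And "full chain" matters because the endpoint only trusts the root whose hash it holds: if the file handed to the provisioning tool carries just the leaf, the endpoint cannot build the path from leaf to that root and provisioning into ACM fails even though the leaf itself is fine.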
VeeDub
New Contributor I

Hello Victor,

In the instructions for creating a self-signed certificate, step 2 says to add the Certificate Templates plug-in in the MMC.

In my MMC, I have a Certificates plug-in, but not a Certificate Templates plug-in.

Regards,

VW

VeeDub
New Contributor I

Hello,

Worked this out, needed to install the AD Certificate role.

VW

Eduardo_B_Intel
Employee

Hello VeeDub,


I am really glad to see that this was sorted out.

Please let me know if something else is needed.


Best regards,


Eduardo B

Intel Customer Support.


VeeDub
New Contributor I

Hello Eduardo,

In these instructions, I am not able to complete step 16.

I'm trying to work out what version of Certificate Templates I have installed, but it's not easy to tell.

The OS is Windows Server 2019 and it is up-to-date in terms of Microsoft updates etc.

This is what I see.

[Screenshot: Certification Authority.png]

[Screenshot: Certification Authority_2.png]

Regards,

VW

Victor_G_Intel
Employee

Hello VeeDub,

Thank you for your response.

You might not have the Certificate Templates plug-in installed; please try the steps below and let me know if it works for you (Section 10.5.1 Creating a Certificate Template, page 213, step 2).

https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=220

Best regards,

Victor G.

Intel Technical Support Technician


VeeDub
New Contributor I

Hello Victor,

I have already completed steps 1 - 14.

From my understanding of the instructions, steps 16 and 17 are performed from the Certification Authority, which is opened in step 15.

As I have shown you in my previous reply, I don't have the option to: New -> Certificate Template to Issue.

I have the options which you can see.

Regards,

VW

VeeDub
New Contributor I

Hello Victor,

I have worked out what the problem was.

After installing the AD Certificate Role (see earlier) there were some post installation steps that needed to be completed.

I can now see: New -> Certificate Template to Issue

For setting up a self-signed certificate, while the documentation is OK, it would be better to have a video of the entire process.

There are required steps outside of what is covered in this documentation, so if you're not familiar with the process, it is possible to not complete all the necessary steps.

The annual cost of a signed PKI AMT certificate is such that, for smaller organisations that are looking to implement vPro, you could find many organisations going down this path.

VeeDub
New Contributor I

Hello Victor,

I am unable to complete step 1 of section 10.5.2.

[Screenshot: certsrv_URL_doesn't_work.png]

I think a possible work-around is to use the Certificates snap-in instead.

But, at the moment, I'm not able to access the template (Intel_EMA) which I created in the earlier steps.

[Screenshot: Request Certificates.png]

Victor_G_Intel
Employee

Hello VeeDub,

Thank you for your response.

The only steps you need to follow are the ones included in the article below:

https://www.intel.com/content/www/us/en/support/articles/000059996/software.html

The steps you are following in section 10.5.2 are meant to be used for an already decommissioned tool.

Please continue with the final part of the article if you have successfully completed steps 1 through 19 as specified in the link above.

Best regards,

Victor G.

Intel Technical Support Technician



VeeDub
New Contributor I

Hello Victor,

I have downloaded the Active Management Technology SDK.

The relevant zip archive appears to be: USB_File_Module.zip

The readme does not (or at least I can't see where it does) provide instructions on how to install the hash manually on the 'client' computers.

Can you provide, or refer me to a set of instructions that describe step-by-step (in a manner similar to the instructions I have followed to create the Certificate Template), to configure the USB drive to install the hash.

The readme that I am looking at is a general-purpose reference document, it is not a set of instructions to install the hash manually.

Thanks

VW
Victor_G_Intel
Employee

Hello VeeDub,


Thank you for your response.


Please let me review this information internally, and kindly wait for an update.


Once we have more information to share, we will post it on this thread.


Regards,


Victor G.

Intel Technical Support Technician 


Victor_G_Intel
Employee

Hello VeeDub,

Thank you so much for your patience.

Instead of doing the USB tool method with your self-signed certificate, we have come up with a different set of steps for you to follow. Please find them below:

1. Go into MEBX and, under Intel AMT Configuration, Network Access State, choose Network Activate (Note: the wording may vary slightly from OEM to OEM. We used a Lenovo in this test).

2. Also, you will want to change User Consent in MEBX to NONE. This will allow you to do OOB KVM without any user interaction.

3. Next, you will want to set up a profile with CIRA mode and other desired settings. If you already have a profile with CIRA or TLS with the settings you prefer, you can skip this step and just create an endpoint configuration and associate the profile to it.

4. Create a new adoption end-point.

5. Enable AMT autosetup and choose the right profile.

6. Since you don't have a cert, you will need to choose HBP (Host Based Provisioning); also, don't use a randomized password but one you can remember or document. It is OK to use HBP in autosetup because it doesn't overwrite what has been set in MEBX. That said, if you use this endpoint configuration on a new system that hasn't been set up in MEBX by choosing Activate Network, then it will be provisioned into CCM, NOT ACM.

7. Proceed to download the EMA API. You will use the adoption scripts to pull the endpoint into EMA.

https://www.intel.com/content/www/us/en/download/19693/intel-endpoint-management-assistant-intel-ema-api-sample-scripts.html

8. Install the EMA agent onto the laptop and it should show in the WebUI, provisioned into ACM. However, it will show as provisioned by another tool. That is because it has already been provisioned manually in MEBX.

9. The easiest way to adopt a single system is to use the Adopt-AMTSetupBySearch PS script.

10. Run the search and fill out the CLI request, or you can do it all with: PS> ./Adopt-AMTSetupBySearch.ps1 -emaServerURL EMAServer.demo.com -searchMethod hostnameStart -searchString laptop

11. The PowerShell script has examples in it for future scripting purposes.

12. Bring up Platform Manager and verify that everything went smoothly. Also, verify in the EMA WebUI. The endpoint should now have been adopted in ACM since that was set up in MEBX, despite the auto-setup specifying HBP.

Best regards,

Victor G.

Intel Technical Support Technician
VeeDub
New Contributor I

Hello Victor,

I am confused about some of the steps above.

They appear to be for Client Control Mode (possibly without user interaction) rather than Admin Control Mode.

If my assessment is correct, what will be the effective differences in practice in what is being proposed versus Admin Control Mode?

Regards,

VW

VeeDub
New Contributor I

Hello Victor,

I am having trouble following these instructions.

Some screenshots would be handy.

"3-Next, you will want to set up a profile with CIRA mode and other desired settings. If you already have a profile with CIRA or TLS with the settings you prefer, you can skip this step and just create an endpoint configuration and associate the profile to it."

Are you referring to creating an Endpoint Group?

If so, I have done this.

"4-Create a new adoption end-point."

??

"5-Enable AMT autosetup and choose the right profile."

??

"6-Since you don't have a cert, you will need to choose HBP (Host Based Provisioning); also, don't use a randomized password but one you can remember or document. It is OK to use HBP in autosetup because it doesn't overwrite what has been set in MEBX. That said, if you use this endpoint configuration on a new system that hasn't been set up in MEBX by choosing Activate Network, then it will be provisioned into CCM, NOT ACM."

I think there is configuration that I need to do, where a step-by-step guide would be helpful.
Victor_G_Intel
Employee

Hello VeeDub,


Thank you for your response.


Please let me review this information internally once again since these are new steps even for us and we would like to be as clear as possible with them. We will contact you as soon as possible.


Regards,


Victor G.

Intel Technical Support Technician 


Victor_G_Intel
Employee

Hello VeeDub,

Thank you so much for your patience.

To answer your question about the steps: these will allow you to have your endpoints recognized in ACM. It is a different procedure from the one previously discussed involving a self-signed certificate, but this one is easier and, we believe, faster to do as well; however, you still need to do the configuration manually on each endpoint.

While you are running the command, please take into consideration the information below:

PS> ./Adopt-AMTSetupBySearch.ps1 -emaServerURL EMAServer.demo.com -searchMethod hostnameStart -searchString laptop -adoptedEndpointsFilePath C:\temp\adoptedEndpointList.txt -Verbose

EMAServer.demo.com: the FQDN of your EMA instance

searchMethod: hostnameStart

searchString: the PC name

When you enter the command and hit Enter, a screen will be shown and you will have to enter your Tenant credentials.

Best regards,

Victor G.

Intel Technical Support Technician
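The twelve-step procedure earlier in the thread and the fuller command line in the reply above both end with one invocation of Adopt-AMTSetupBySearch.ps1 per endpoint. The wrapper below is an added example, not one of Intel's sample scripts: it runs the adoption script for a list of hostname prefixes, using only the parameters shown in this thread (-emaServerURL, -searchMethod hostnameStart, -searchString, -adoptedEndpointsFilePath, -Verbose), and then reads the adopted-endpoints file back to report which systems were pulled into EMA and which still need the MEBx steps. It assumes the Intel script sits next to this one and that the adopted-endpoints file lists one endpoint per line; both are assumptions, as are the placeholder server name and path.

```powershell
# Added example (not an Intel sample script): batch wrapper around
# Adopt-AMTSetupBySearch.ps1 with an adopted/not-adopted report.
# Assumptions: the Intel script is in the same folder; the file written via
# -adoptedEndpointsFilePath holds one adopted endpoint name per line;
# the tenant credential prompt appears on every run of the Intel script.
param(
    [Parameter(Mandatory)] [string]   $EmaServerUrl,          # placeholder: ema.example.local
    [Parameter(Mandatory)] [string[]] $HostNamePrefixes,      # one -searchString per run
    [string] $AdoptedListPath = 'C:\temp\adoptedEndpointList.txt'
)

$here   = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$script = Join-Path $here 'Adopt-AMTSetupBySearch.ps1'
if (-not (Test-Path $script)) {
    throw "Adopt-AMTSetupBySearch.ps1 was not found in $here"
}

$results = foreach ($prefix in $HostNamePrefixes) {
    Write-Host "Adopting endpoints whose hostname starts with '$prefix' ..."

    # Exactly the parameters the thread documents; nothing else is passed.
    & $script -emaServerURL $EmaServerUrl `
              -searchMethod hostnameStart `
              -searchString $prefix `
              -adoptedEndpointsFilePath $AdoptedListPath `
              -Verbose

    # Read back what the Intel script recorded (assumed: one name per line).
    $adopted = @()
    if (Test-Path $AdoptedListPath) {
        $adopted = @(Get-Content $AdoptedListPath |
                     Where-Object { $_ -and $_.Trim() -like "$prefix*" })
    }

    [pscustomobject]@{
        SearchPrefix = $prefix
        Adopted      = ($adopted.Count -gt 0)
        Endpoints    = ($adopted -join ', ')
    }
}

$results | Format-Table -AutoSize

# Rows with Adopted = False are systems that were not found or not adopted;
# per the thread, those still need Network Activate and User Consent = NONE
# set in MEBX before the auto-setup (HBP profile) lands them in ACM.
$results | Where-Object { -not $_.Adopted } | ForEach-Object {
    Write-Warning "No adopted endpoint for prefix '$($_.SearchPrefix)'; check MEBX settings."
}
```

Because the Intel script prompts for tenant credentials on each run, expect one prompt per prefix; a prefix that matches several hostnames (e.g. "laptop") is adopted in one run, so group machines by a common prefix to keep the number of prompts down.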
VeeDub
New Contributor I

Hello Victor,

Thanks for the clarification.

I am only at this site on a Friday, and I have other tasks to attend to as well, so there may be a delay before my next update.

However, I am committed to get this working, so I will either have more questions when I try to follow these steps, or I will confirm that I have it working.

I have to say this is a _LOT_ more complicated than the earlier generation of vPro (pre-EMA) where you just configured the MEBX in the client and then used a Windows client like VNC Plus.

I can see that this new generation of VPro / EMA has more features, but you have to be committed to get it working.

For SMB organisations (like my client) my feeling is that the current EMA approach is "over the top" in terms of complexity.

FWIW I think there should be consideration of the types of organisations that will be considering using vPro.

Enterprise. Sure EMA, the features makes sense (and the overhead in implementing is the "cost").

SMB. Personally, I think the pre-EMA approach makes far more sense. Where you could implement VPro by configuring MEBX and then using VNC Plus. 

And yes, I can see that there are potential security issues with this approach. But that can be addressed by clear warnings at the outset.

In other words, if you go for "VPro lite", there is no SSL, and that means that passwords etc. will be transmitted in clear text. And that may not be appropriate for some organisations. 

But equally, for many SMB organisations, it won't matter. And at the moment, there will be many who don't implement EMA / VPro, because it is way too difficult. So, its another demonstration of the classic trade-off between security and convenience.

It's a good thing that your forum support is decent, because without it I would have no hope of getting this working.

Thanks

VW
