Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel AMT TLS PKI Provisioning Option Missing in Endpoint Management Assistant

CaptainMoloSFW
Beginner

I have stood up an Intel EMA server and can deploy agents to endpoints and manage them via Client Control Mode. I'd like to switch to using Admin Control Mode. I've uploaded our cert, issued by GoDaddy, and it includes the private key. In reading the setup guide, it says that TLS PKI Provisioning should now be an option when configuring Intel AMT Autosetup, but only Host Based Provisioning is available. What am I missing to enable TLS PKI Provisioning as an option?

Arun_Intel1
Employee

Hi CaptainMoloSFW,


Greetings!


We see that you have been able to set up an EMA server and have configured the endpoints in CCM, and now want to switch to ACM, for which you have purchased the GoDaddy certificate as well.


Before we proceed, please let us know the details asked below:


How many endpoints are there in total that you have provisioned?

And how many endpoints do you want to provision in ACM mode, and are those endpoints within the domain or OOB?


Please share the AMT version, EMA version and BIOS version as well.


Best Regards

Arun_Intel


CaptainMoloSFW
Beginner

Only 3 endpoints at the moment since I am testing.

Ideally I'd like about 1000 endpoints in ACM and about 200 in CCM.

The endpoints will be a mix of AD Domain Joined and Entra ID Joined devices.

The device I'm testing with is AMT v12.0.94; the BIOS is Dell Inc. 1.30.0, 4/1/2024.

EMA v1.13.1.0

Suneesh
Employee

Hello Ben,


Greetings of the day.


Thank you for sharing the information.


Intel® AMT PKI certificates are required if you want to provision Intel AMT on your endpoints in Admin Control Mode (ACM), which allows configuration of user consent requirements. Without a PKI certificate, Intel® EMA provisions Intel® AMT in Client Control Mode (CCM), which requires user consent for remote operations on each endpoint. The certificate file needs to have the full certificate chain. Also, it needs to be issued with the supported OID 2.16.840.1.113741.1.2.3 (this is the unique Intel AMT OID).


Please follow the steps in Section 3.5 Upload Certificates.

Roles: Tenant Administrator

This section describes how to upload various certificates, including Enterprise Root Certificates and Intel AMT PKI certificates.

To upload a certificate:

1. From the navigation pane at left, click Settings, then select Server Settings > Certificates. A list of certificates available for use is displayed.

2. Click Upload.

3. The Certificate dialog is displayed.

4. Enter the Entry Name, then click Choose File. Certificate files ending in .CER do not require a Password. Certificate files ending in .PFX require a Password. Note that the certificate file to be uploaded must be less than 1MB.

5. In the Certificate dialog, click Upload.

The certificate is stored in the Intel EMA database and loaded into memory for optimal performance. If an updated certificate file (which includes any of the certificates in the certificate chain) is re-uploaded with a change, it may take up to 15 minutes for the change to be processed and reflected for usage.

You can also download and delete certificates. Note that if the certificate is still used by another certificate (in the certificate chain), or if it is used in an Intel AMT Profile or Intel AMT setup, it cannot be deleted.

If you are performing an initial Tenant setup, proceed to section 3.6 to enable Intel AMT auto setup.


https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=26


Regards,

Suneesh


CaptainMoloSFW
Beginner

A few questions on that:

When you say the full certificate chain, does that mean it needs to be combined with the intermediate certificate issued by GoDaddy?

Does it need the private key as well, or no private key is needed?

How do I issue it with OID 2.16.840.1.113741.1.2.3? I don't think there's an option for that from GoDaddy; is that something you can do with OpenSSL?

Arun_Intel1
Employee

Hi CaptainMoloSFW,


Greetings!


Yes, you may use the intermediate certificate as said; the intermediate cert should be configured as said.


And for the OID 2.16.840.1.113741.1.2.3, please refer to the reference guide link given below for configuration.


https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Facquiringanintelvprocertificate.htm


Please feel free to revert for any further queries.


Best Regards

Arun_Intel


pujeeth
Employee

Hello CaptainMoloSFW,


Greetings from Intel!

Hope you are doing well.


This is the first follow-up regarding the issue you reported to us.

We wanted to inquire whether you had the opportunity to review the plan of action (POA) we provided.


Feel free to reply to this email, and we'll be more than happy to assist you further.


Regards,

Pujeeth


CaptainMoloSFW
Beginner

Thank you, I will try this on Wednesday.

pujeeth
Employee

Hello CaptainMoloSFW,


Greetings from Intel!

Hope you are doing well.


Thank you for the update; kindly keep us posted.


Regards

Pujeeth_intel


CaptainMoloSFW
Beginner

So the OID would have been defined when issuing the certificate; it's not something that can be added later? I've never had to set OIDs before.

The Extended Key Usage (EKU) field is a list of OIDs separated by commas. It must contain the “SSL Server” OID (an IANA pre-defined OID). It must also contain an Intel AMT unique OID (2.16.840.1.113741.1.2.3), unless the OU value in the Subject field is “Intel(R) Client Setup Certificate”. This OU value is case-sensitive and must be entered exactly.

Same thing with the OU, we would be unable to use a pre-existing certificate with this, correct?

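The EKU/OU rule quoted above, turned into a pre-upload check as an added example (not code from this thread or from Intel). It assumes the openssl CLI (1.1.1 or later) and a PEM-format certificate; the throwaway self-signed certificates it generates are constructed only to exercise the check.

```shell
#!/bin/sh
# Added example, not from the thread or Intel's documentation: check that a PEM
# certificate satisfies the Intel AMT provisioning rule quoted from the reference
# guide: EKU must contain serverAuth ("SSL Server"), and must also contain the
# Intel AMT OID 2.16.840.1.113741.1.2.3 unless the Subject OU is exactly
# "Intel(R) Client Setup Certificate" (case-sensitive).
set -eu
AMT_OID="2.16.840.1.113741.1.2.3"
AMT_OU="Intel(R) Client Setup Certificate"

# amt_cert_check FILE: returns 0 if the rule is met, 1 otherwise, printing each
# failure reason. Unknown EKU OIDs are printed by openssl in dotted form, so the
# AMT OID can be matched literally.
amt_cert_check() {
    eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true)
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    rc=0
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: EKU lacks serverAuth (SSL Server)"; rc=1 ;;
    esac
    case "$eku" in
        *"$AMT_OID"*) ;;
        *) case "$subj" in
               *"OU=$AMT_OU"*) ;;   # the OU alternative the guide allows
               *) echo "FAIL: no Intel AMT OID in EKU and OU is not '$AMT_OU'"; rc=1 ;;
           esac ;;
    esac
    return $rc
}

# make_test_cert FILE EKU_LIST SUBJECT: constructed self-signed throwaway
# certificate, used here only to exercise the check (never upload such a cert).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "${1%.pem}.key" \
        -out "$1" -subj "$3" -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_test_cert "$d/amt.pem" "serverAuth,$AMT_OID" "/CN=ema.example.test"
    make_test_cert "$d/web.pem" "serverAuth" "/CN=ema.example.test"
    for f in "$d/amt.pem" "$d/web.pem"; do
        if amt_cert_check "$f"; then echo "$f: OK for AMT provisioning"; fi
    done
    rm -rf "$d"
}
demo
```

For a GoDaddy .PFX, extract the leaf first with `openssl pkcs12 -in cert.pfx -nokeys -clcerts -out leaf.pem` and run the check on leaf.pem.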
pujeeth
Employee

Hi CaptainMoloSFW,


The OID number needs to be added when you are issuing the certificate. The self-signed certificate has limitations: you will need physical access to all the endpoints, and the SHA256 hash needs to be added manually. Remote provisioning is not possible.


If you buy a certificate from our authorized vendors, remote provisioning is possible if all the endpoints are in the same domain as the EMA server. The hash is already installed in the firmware of the vPro endpoints.


I would request you to review the link below to install the certificates.

How To Purchase and Install Go Daddy* Certificates for (intel.com)


IIS – Replace the Temporary Web TLS Certificate

The Web TLS certificate is used for HTTPS communications between the Web browser and the Web + AJAX Server. A temporary self-signed Web TLS certificate is created during installation. This certificate can be replaced at any time. We recommend that you use a valid HTTPS certificate issued from a valid trusted Certificate Authority.

NOTE

This TLS certificate can also be used for the Platform Manager TLS certificate if you are running Platform Manager on the same system as the IIS server. Refer to Configuring the Intel® EMA Platform Manager Service on page 70.

For the self-signed website TLS certificate (and the Intel® EMA settings certificate), Intel® EMA grants the default IIS DefaultAppPool account read access to the private key. If you change the account that the IIS default application pool will run under, you must also change the access control accordingly.

To replace the temp Web TLS Certificate:

1. Install the new certificate in the Local Machine\Personal certificate store.

2. Run the IIS Manager on the Web Server (IIS Server).

3. Place the certificate in the Server Certificates.

4. Edit the Bindings section in the Default Website dialog box to use the new certificate.


For your previous question:

"We would be unable to use a pre-existing certificate with this, correct?" Yes, it is not possible to use a pre-existing certificate.


Regards

Pujeeth_intel



pujeeth
Employee

Hello CaptainMoloSFW,


This is the first follow-up regarding the issue you reported to us.

We wanted to inquire whether you had the opportunity to review the plan of action (POA) we provided.


Feel free to reply to this email, and we'll be more than happy to assist you further.


Regards

Pujeeth_Intel


pujeeth
Employee

Hello CaptainMoloSFW,


This is the second follow-up regarding the issue you reported to us.

We wanted to inquire whether you had the opportunity to review the plan of action (POA) we provided.


Feel free to reply to this email, and we'll be more than happy to assist you further.


Regards

Pujeeth_Intel


CaptainMoloSFW
Beginner

So I was able to get the appropriate cert from GoDaddy. However, in this document: How To Purchase and Install Go Daddy* Certificates for, Step 5 calls for logging in to the server as the service account running EMA. However, my service account running the EMA service is a GMSA, which can't log in interactively. I can connect as a service account and I can load the Intel EMA service, but when I go to upload the intermediate cert, I am only prompted to install it to the Local Machine; User Account is greyed out. Is this step compatible with GMSAs?

CaptainMoloSFW
Beginner

Following up on this, does Intel EMA support GMSAs? If so, how can we import and combine the intermediate certificate if the Certificates snap-in needs to be launched as Local Machine, not User, which GMSAs can't do?

If GMSAs are not supported, how can I change the service to run as a user on the server? I tried to stop it and change the login type, but the options are greyed out.
