I hope someone can enlighten me with this. I'm new to this company of mine and am still quite unfamiliar with most of their IT SOPs here. Please mind that I'm also quite new to the implementation of Intel AMT/vPro. Recently my manager asked me if I could help him find a solution to the question below:
We have an SCCM system and it used to be able to remotely provision Intel AMT / vPro clients. Our system is running with an internal name (mydomain.local), but as SSL certificates do not allow renewal of internal names anymore, we were unable to purchase new certificates.
Does anyone have a solution for this?
Thanks in advance!
You are right, actually nobody is able to issue public certificates for internal domains anymore, for security reasons (https://www.digicert.com/internal-names.htm).
In case that you have used Microsoft SCCM 2007/2012, you will probably face problems provisioning machines with Intel vPro (with ME version >= 9.0) - read this blog: http://myitforum.com/myitforumwp/2013/09/06/using-configuration-manager-with-intel-amt/. Based on my experience, I would suggest you shift the provisioning mechanism to Intel SCS (http://www.intel.com/content/www/us/en/software/setup-configuration-software.html), and integrate it with Microsoft SCCM using this add-on (https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=24010). As you use a local domain and will not be able to issue a 3rd party certificate, I would suggest adopting HBC (/community/itpeernetwork/vproexpert/blog/2011/03/07/intel-amt-7-introduces-host-based-configuration) as your primary provisioning mechanism, and in cases where having Admin Control Mode is imperative, inject the hash of your internal root CA into the ME so that it can be provisioned using an internal provisioning certificate.