
Intel EMA Certificate Chaining Issue

RyomaFujiki
Beginner


Hello.
I am in the process of setting up EMA in Admin Control Mode, but I am unable to provision AMT with TLS-PKI.
I can see the following error in the Platform Manager
Error Message: Unable to get activation certificate chain from the database.

I have tried the following article on this, but it did not resolve the issue.
https://www.intel.co.jp/content/www/jp/ja/support/articles/000090529/software/manageability-products.html

I can connect to CIRA without any problem.
The version of EMA is 1.7.1.
I am using GoDaddy's certificate.

If you know of any solutions, please let me know.

0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,


Thank you for posting on the Intel® communities.


To further assist you, please provide the following:


1-For documentation purposes please provide us a picture of the error code received.


2-You mentioned that you were following the article: Intel® Endpoint Management Assistant (Intel® EMA) Version 1.7 Certificate Chaining Issue. Can you please confirm if you were able to follow all the steps included within it?


3-Can you please let us know if this is a new implementation or if this is being done on an already functional deployment?


4-How many systems are being affected?


5-Please share with us the AMT version being used.


6-Can you please share with us a picture of all the certificates being used with EMA?


Regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
RyomaFujiki
Beginner

Hello Victor G,

Thank you for your response.

1-For documentation purposes please provide us a picture of the error code received.
Please check "1.ErrorMesssage.png" in the attached image.

2-You mentioned that you were following the article: Intel® Endpoint Management Assistant (Intel® EMA) Version 1.7 Certificate Chaining Issue. Can you please confirm if you were able to follow all the steps included within it?
I followed the steps in the article and verified that "ORDER BY [Certificate]" was entered in the specified location. Please check "2.Follow all the steps.png" in the attached image.

3-Can you please let us know if this is a new implementation or if this is being done on an already functional deployment?
It is a new implementation; we have never been able to provision in Admin Control Mode.

4-How many systems are being affected?
Since this is a trial implementation, there are no systems affected.

5-Please share with us the AMT version being used.
The following are the versions. Please check "5.AMT_Version.png" in the attached image.
v12.0.40
v12.0.81
v12.0.49

6-Can you please share with us a picture of all the certificates being used with EMA?
Please check "6.CertficateChain.png" in the attached image.

Regards,

Ryoma Fujiki

0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,


Thank you so much for your response.


To continue with our internal investigation, please provide the following:


We are going to need a picture/screenshot of the enhanced key usage and the certification path of your root certificate.


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
RyomaFujiki
Beginner

Hello Victor G,

Thank you for your response.

I have attached the specified image.
Please take a moment to review it.

Regards,

Ryoma Fujiki

 
0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,

 

Thank you so much for your response.

 

To continue further we need to verify your PKI certificate; therefore, please provide two pictures just like the one attached to this message, one showing the certification path and one showing the enhanced key usage.

 

Best regards,

 

Victor G.

Intel Technical Support Technician

 

0 Kudos
RyomaFujiki
Beginner

Hello Victor G,

Thank you for your response.

I have attached the specified image again.
Thank you for your confirmation.

Regards,

Ryoma Fujiki

0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,


Thank you for your response.


Please let me review this information internally, and kindly wait for an update.


Once we have more information to share, we will post it on this thread.


Regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,


Thank you so much for your patience.


Based on our investigation this seems to be a certificate issue; however, we need to verify a few things before jumping to any conclusions. To continue, we can see that the certificate you have is issued to ematest.f5.si; however, what domain are the endpoints on? The domain should match the certificate in order for provisioning to work.


Additionally, please send us a screenshot of what exactly appears in MEBx BIOS for the following fields:  Option 15 and DNS Suffix.


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
RyomaFujiki
Beginner

 

Hello Victor G,

Thank you for your response.

 

I have attached the specified image.
Please check it for us.

We did not have Option15 configured.
But even if we did set it up, we could not provision with ACM in version 1.7.1.
However, when we set it up with version 1.6.1, we were able to provision it with ACM.

We want to use OCR so we need to be on 1.7.1.

 

Regards,

Ryoma Fujiki

0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,


Thank you so much for your response.


Please let me review this information internally, and kindly wait for an update.


Best regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,

 

Thank you for your patience.

 

Based on our investigation, it doesn't look like the .si domain that you are trying to use is supported by AMT; in other words, it isn't going to work. Therefore, please see the Intel AMT Implementation and Ref Guide for the domain details and let us know if it is within your possibilities to try to use a validated domain.

 

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm

 

Additionally, since you guys mentioned not having this problem with EMA 1.6, can you please confirm if the certificate that was used with EMA 1.6 is the same one used now with EMA 1.7?

 

Regards,

 

Victor G.

Intel Technical Support Technician

 

0 Kudos
RyomaFujiki
Beginner

Hello Victor G,

Thank you for your response.

It certainly seems that .si domains are not supported.
However, we are able to make ACM connections with EMA 1.6.1 using the same certificates that we use with EMA 1.7.1.

Is there any other possible cause?

Regards,

Ryoma Fujiki

0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,


Thank you for your response.


Please allow us some more time to investigate other possibilities with the information we have at the moment. We will get back to you as soon as possible.


Regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,


Thank you so much for your patience.


In order to move forward with this situation and so we can understand better the type of support that you guys are looking for, can you please clarify exactly what you guys are trying to achieve on your end?


1-Additionally, we would like to know if you guys change the ematest portion of the DNS?


Note: Even capitalization or lack thereof will make a difference (i.e. EMAtest vs ematest). Those are different according to EMA; it is case sensitive.


2-Please capture a screenshot of your EMA WebUI setting page with the cert chain on it. In addition, please share a screenshot of your cert chain in the Cert store.


3-For further analysis, we will be requiring you to provide the manageability logs from your end. In order to get the logs out please look at them at the following locations:


Manageability logs


EMA logs from Server

[System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs


EMA log from the endpoint:

[System drive]\Program Files\Intel\EMA Agent\EMAagentlog


Installation log:

<installer Directory>/EMALog-Intel EMAInstaller.txt


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
RyomaFujiki
Beginner

Hello Victor G,

Thank you for your response.


1-Additionally, we would like to know if you guys change the ematest portion of the DNS?

We do not plan to change the domain name (ematest).


2-Please capture a screenshot of your EMA WebUI setting page with the cert chain on it. In addition, please share a screenshot of your cert chain in the Cert store.

We have prepared it. Please confirm.

3-For further analysis, we will be requiring you to provide the manageability logs from your end. In order to get the logs out please look at them at the following locations:

It has been prepared. Please confirm.
EmaAgent.log was obtained from PC name: DESKTOP-49CB8C7.


Regards,

0 Kudos
SergioS_Intel
Moderator

Hello RyomaFujiki,


Thank you for waiting for our updates.


Please help us by providing some additional information: 


1. Are you trying to create a self-signed cert based off of a public DDNS service?

2. Did you change the EMA test portion of the DNS?

3. Please provide us a screenshot of your EMA WebUI setting page with the cert chain on it. 

4. Please share a screenshot of your cert chain in the Cert store. 

5. Finally, please share with us the manageability logs.


Looking forward to your updates.



Best regards,

Sergio S.

Intel Customer Support Technician


0 Kudos
RyomaFujiki
Beginner

Hello Sergio S,

Thank you for your response.

1. Are you trying to create a self-signed cert based off of a public DDNS service?
In setting up EMA, we do not create self-signed certificates.

2. Did you change the EMA test portion of the DNS?
We have never changed the DNS (ematest.f5.si).

3. Please provide us a screenshot of your EMA WebUI setting page with the cert chain on it.
Please check "3.EMA_WebUI_Setting.png" in the attached image.

4. Please share a screenshot of your cert chain in the Cert store.
Please check "4.CertChain.png" in the attached image.

5. Finally, please share with us the manageability logs.
Please check "5.ManagebilityLog.png" and "5.ManageabilityLog.zip" in the attached File.

Regards,

Ryoma Fujiki

0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,


Thank you for both of your latest responses.


Please allow us some more time to continue with our investigation. We will let you know once we have any news on our end.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Moderator

Hello RyomaFujiki,

 

Thank you so much for your patience.

 

Based on the information that you provided, it seems that the certificate is not being exported correctly. Once you have exported the certificate correctly, on the endpoint the certificate chain should end up having three lines: one for the PKI certificate, one for the secure certificate and the last one for the root certificate (please see the attached image for an example).

 

On the link below on page 23 and forward you can find the steps that you need to take in order to successfully export the certificate.

 

https://www.intel.com/content/dam/support/us/en/documents/software/software-applications/how_to_purchase_and_install_godaddy_certificates_for_setup_and_configuration.pdf

 

Best regards,

 

Victor G.

Intel Technical Support Technician  

 

0 Kudos
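
The incomplete-export condition described in the reply above, as an added example that is not part of the original thread or of Intel's tooling: given the subject and issuer of each certificate found in an exported .pfx, it orders them leaf to root and reports any issuer that is missing from the bundle. All names other than ematest.f5.si are constructed, and the check links names only; it does not verify signatures.

```python
# Added example. Links certificates by subject/issuer name only; no signature checks.

def order_chain(certs):
    """Order a bundle leaf -> root. Returns (chain, problems)."""
    by_subject = {c["subject"]: c for c in certs}
    # Names that issued some other certificate in the bundle.
    issuing = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs
              if c["subject"] != c["issuer"] and c["subject"] not in issuing]
    if len(leaves) != 1:
        return [], [f"expected one leaf certificate, found {len(leaves)}"]

    chain, problems = [leaves[0]], []
    current = leaves[0]
    while current["issuer"] != current["subject"]:  # a self-signed root ends the walk
        parent = by_subject.get(current["issuer"])
        if parent is None:
            problems.append(f"issuer not in bundle: {current['issuer']}")
            break
        if parent in chain:
            problems.append(f"issuer loop at: {parent['subject']}")
            break
        chain.append(parent)
        current = parent

    for c in certs:
        if c not in chain:
            problems.append(f"not part of the chain: {c['subject']}")
    return chain, problems


# Constructed sample bundles (hypothetical CA names), deliberately out of order.
FULL_BUNDLE = [
    {"subject": "CN=Constructed Root CA", "issuer": "CN=Constructed Root CA"},
    {"subject": "CN=ematest.f5.si", "issuer": "CN=Constructed Issuing CA"},
    {"subject": "CN=Constructed Issuing CA", "issuer": "CN=Constructed Root CA"},
]
# What a .pfx holds when it was exported without the certification path.
LEAF_ONLY = [{"subject": "CN=ematest.f5.si", "issuer": "CN=Constructed Issuing CA"}]

if __name__ == "__main__":
    for name, bundle in (("full", FULL_BUNDLE), ("leaf only", LEAF_ONLY)):
        chain, problems = order_chain(bundle)
        print(name, [c["subject"] for c in chain], problems or "complete")
```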
RyomaFujiki
Beginner

Hello Victor G,

Thank you for your response.

Your advice has partially solved the problem. Thank you very much.
But we have a new problem.

 

We had already looked at the GoDaddy guide you deployed.
However, we were using the .pfx file we got in step "4. Prepare the Certificate" and uploaded it to the EMA WebUI.
By using the .pfx file exported from the Cert store, we were able to add four lines of certificates and ACM provisioning with EMA 1.7.1.

 

However, for some reason we are not able to provision only one PC that supports OCR.
The AMT on that PC is v16.0.15.

It is on the same network as the other provisioned PCs and I installed EMAAgent using the same procedure.

That PC was provisioned with EMA 1.6.1 and a single line certificate with no problems.
I have attached a Log that may be helpful.

I would like to check the OCR so we can resolve this issue.
Any advice would be appreciated.

 

Regards,

Ryoma Fujiki

0 Kudos