Intel EMA - Incorrect certificate binding to Intel AMT WebPage

Horgster
New Contributor I
967 Views

Hi!

Have installed Intel EMA and have provisioned Intel AMT with an on-prem PKI computer certificate.
When entering https://"ipaddress or machinename":16993 we get a certificate error since "Intel EMA" has enrolled a computer certificate issued by "MeshRoot-355549D0".

Why is Intel EMA doing this?

Intel EMA has also enrolled a Computer Certificate from our internal Microsoft CA and uses that fine for 802.1x authentication. That certificate also contains http/dnsname:16993 in the Subject Alternative Name.

It should not be necessary that Intel EMA bind and issue a certificate issued by "MeshRoot-355549D0" when we are using our internal Microsoft CA.

Please fix this!

4 Replies
SergioS_Intel
Moderator
938 Views

Hello Horgster,


Thank you for contacting Intel Customer Support.


We are going to email you answering all your questions.


Best regards,

Sergio S.

Intel Customer Support Technician




MichaelA_Intel
Moderator
801 Views

Community - the post below was inaccurate and mis-posted by me and was a response for a different thread. The post below from Horgster is most accurate.

To close on this thread for the community, we met with customer for troubleshooting and found that TLS was disabled by the OEM on the systems exhibiting the issues with AMT v.9xx.


Horgster
New Contributor I
787 Views

Hi @MichaelA_Intel 

I am afraid you are mixing this with another case.

According to Intel, this is by design as certificates used in TLS are generated by Intel EMA's own built-in certificate authority. The exception to this is when you are using 802.1x authentication, then Intel EMA uses your own internal on-premises CA.

I hope Intel will add this on the roadmap to use internal CA for the TLS and WebPage binding also.
It does not make any sense that Intel EMA shall use its own built-in CA when the customer has its internal Microsoft CA PKI infrastructure.

MichaelA_Intel
Moderator
770 Views

Horgster,

Thank you for pointing this out and bringing it to my attention. Your description is accurate and I will mark it as such. Just a note that this is in our backlog for future versions of EMA, however, there is no ETA as to when it will be implemented.

Regards,
Michael
