
Intel EMA in Admin Control Mode. Issue with autosigned certificate from internal Server CA - Solved

xevi

Hello everyone, I am writing again for two reasons.


First, I want to expose the steps that have led us to complete operation in Admin Control Mode.
Maybe they will help someone.

We started from correct operation in Client Control Mode. The steps to function in ACM:

- Generate the certificate in our CA server as explained in the documentation with the appropriate OID.
- Upload it to the EMA server. There are really two certificates, one from EMA (PKI) and the other from our internal CA.
  This worked from the first moment and for the first time.
- With the USBFile utility, generate the CA certificate to embed in the BIOS MEBx submenu.
  Our minimal command to create the 'setup.bin':
  USBFile.exe -create setup.bin passwordMEBx passwordMEBx -amt -hash OUR_CA.cer OUR_CA sha256


And now with everything ready (client side):

- In the MEBx menu, two things must be entered:
  Remote Setup and Configuration -> Provisioning server FQDN -> hostnameserver.domain.com
  Remote Setup and Configuration -> TLS PKI -> PKI DNS Suffix -> domain.com
- Reboot with pen-usb with 'setup.bin' file -> 'Found USB Key for provisioning' message will appear -> Y
- Run the EMA agent from Windows from an admin console.
- Check if there is a line in the 'hosts' file:
  127.0.0.1 machinename # LMS Generated Line
  If it exists, delete it.


At this point it should work fine in ACM mode!


To consider:


When you enter the MEBx menu for the first time, you are forced to change the password.
If you configure on the server, in 'Intel MEBX Password Configuration', 'Set a random password per endpoint (recommended)', you will have a serious problem on the client machine.
The MEBx BIOS will have a random password different from the one shown by the server and the one you entered manually.
You will not be able to access it again unless you remove the BIOS battery and/or battery from the machine.
Set: 'Do not set the password (not recommended)'


Second, they asked me for information about our system and told me things that didn't make much sense.
But yes, a lot of links and documentation.
What I cannot agree with is the fact that they closed the case without my consent and without providing a real solution.
It doesn't look professional.

Regards,

 Xevi

0 Kudos
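
The checks implied by the steps in the post above, as an added example (not part of the original post and not Intel's code): it computes the SHA-256 thumbprint of the CA certificate for comparison with the hash read back from the endpoint, finds an active LMS-generated `hosts` entry, and compares the server FQDN with the PKI DNS suffix. It assumes that `-hash ... sha256` records the SHA-256 of the DER-encoded certificate and that the FQDN is meant to sit under the suffix, as in the post's values; the function names and sample data are constructed.

```python
import base64
import hashlib
import re

def cert_sha256(cert_bytes: bytes) -> str:
    """SHA-256 thumbprint of a certificate supplied as DER or PEM bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  cert_bytes, re.S)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else cert_bytes
    return hashlib.sha256(der).hexdigest().upper()

def lms_hosts_lines(hosts_text: str) -> list:
    """Active (not commented-out) hosts entries tagged 'LMS Generated Line'."""
    return [ln.strip() for ln in hosts_text.splitlines()
            if "LMS Generated Line" in ln and not ln.lstrip().startswith("#")]

def fqdn_in_suffix(server_fqdn: str, pki_dns_suffix: str) -> bool:
    """Assumption: the provisioning server FQDN should end in the PKI DNS suffix."""
    fqdn = server_fqdn.rstrip(".").lower()
    return fqdn.endswith("." + pki_dns_suffix.strip(".").lower())

def preflight(cert_bytes, hash_on_endpoint, hosts_text, server_fqdn, pki_dns_suffix):
    """Return a list of findings; an empty list means nothing to correct."""
    findings = []
    shown = re.sub(r"[^0-9A-Fa-f]", "", hash_on_endpoint).upper()  # drop ':' / spaces
    if cert_sha256(cert_bytes) != shown:
        findings.append("CA certificate hash does not match the hash on the endpoint")
    findings += [f"hosts entry to delete: {ln}" for ln in lms_hosts_lines(hosts_text)]
    if not fqdn_in_suffix(server_fqdn, pki_dns_suffix):
        findings.append("provisioning server FQDN is outside the PKI DNS suffix")
    return findings

# Constructed sample input: stand-in bytes, not a real certificate or hosts file.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 machinename # LMS Generated Line\n"

if __name__ == "__main__":
    for item in preflight(SAMPLE_PEM, cert_sha256(SAMPLE_DER), SAMPLE_HOSTS,
                          "hostnameserver.domain.com", "domain.com"):
        print(item)
```

On a real endpoint, pass the contents of `OUR_CA.cer` and of the Windows `hosts` file instead of the constructed samples.
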
1 Reply
Eduardo_B_Intel

Hello Xevi,


Thank you for contacting Intel Customer Support again.


I would like to thank you for your feedback and for putting in the effort to share it with additional users in the hope that it becomes useful. All feedback and new elements are taken to improve our support in a continuous effort. If there are additional details you'd like to add, feel free to reach us. I hope you have a great Wednesday, Sir.


0 Kudos