Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2966 Discussions

Intel EMA server PKI certificate type

kluth67
Beginner
2,587 Views

Dear Sirs,

We are trying to use ACM control on our network with VPRO supporting mini computers. We managed to use VPRO  without a certificate, CCM control mode. The questions is the following, the PKI certificate on EMA server should be one out of the certificated listed in the MBEx BIOS of the mini computers.  Please refer to the photo for the liste certificates .

 

All the Best 

 

 

0 Kudos
18 Replies
Arun_Intel1
Employee
2,550 Views

Hi kluth67,


Greetings!


All the certificates shown in the picture are the TLS certificate vendors ( GoDaddy, Sectigo, DigiCert etc )

Hence you may have to check with the certificate vendors, and with your networking team, about which certificate you want to use.


Please find the steps given below for further assistance on the enabling the PKI DNS Suffix in the MEBx and for details about the certificate purchase and provisioning:


Step 2: Enable the PKI DNS Suffix in the MEBx of the Endpoint:

Restart the Endpoint - Press Ctrl+P (Or Ctrl + Alt + F1 on some units) to login to the MEBx

  1. Log into MEBx (default password = admin)
    1. For accessing MEBx, please refer to OEM guidance.
    2. If first time logging in, the password change is required
  2. Intel® AMT Configuration -> Remote Setup and Configuration -> TLS PKI -> PKI DNS Suffix
    1. If PKI DNS Suffix menu is not available, then AMT is currently configured
    2. Go back to Intel® AMT Configuration -> Unconfigure Network Access -> Full Unprovision
  3. Enter the value for PKI DNS Suffix to match the provisioning certificate
    1. For example, Intel.com (without quotes)
  4. Exit and Save


Link given below for Certificate purchase and configuration:

https://www.intel.com/content/www/us/en/support/articles/000055009.html


Best Regards

Arun_Intel



0 Kudos
kluth67
Beginner
2,497 Views

Hi Arun_ Intel,

 

Thank you very much for the quick answer.  We are doing an enterprise installation. We have to follow the above steps for every machine / computer mannually ? Is there any automated way to proceed?

 

Kluth67

 

 

0 Kudos
kluth67
Beginner
2,493 Views

Hi Arun_Intel,

Refering to  my first post and your reply, for example ,the certificate on the EMA server is "Sectigo" which is not listed on the computer MBEx , still this will work?

 

Thanks again for the help

 

kluth67

0 Kudos
Arun_Intel1
Employee
2,448 Views

Hi Kluth67,


Greetings!


There are 2 ways to provision the endpoints in ACM.

 

1—When the endpoints are in the same LAN as the server (Office), it is possible to provision the endpoints remotely. The Cert must be installed in IIS or Certif Manager Console and then in the EMA settings tab. Finally, install the EMA agent file on the endpoints. It is not necessary to add the Cert domain to the PKI DNS suffix field of the MEBx BIOS.

 

2—When the endpoints are remote, Adding the Cert domain in the MEBx is a must. This is the way the endpoint validates the EMA server. And the server validates the endpoints.

 

Important Note:

EMA provisioning has an order.

Configure the EMA server

Paste and install the EMA Agent File on the endpoints.

Then, go to MEBx and add the Cert domain in the PKI DNS suffix field.

 

If the Cert domain is added to MEBx before installing the EMA agent file, EMA gives an error. EMA will say that the endpoint was previously provisioned by an earlier EMA instance. EMA shows the endpoint provisioned but CIRA as not connected.


Note: There are no ways to automatically add the PKI DNS suffix in the Mebx, for the endpoints which is out of band, and has to be done manually.


And in this case, you may use GoDaddy or DigiCert.

Sectigo is just one of the certificate vendor showed in the example.


Best Regards

Arun_intel




0 Kudos
kluth67
Beginner
2,432 Views

Thank you very much Arun_intel . We will follow the concrete steps described in your replies and we will update the thread .

 

All the Best

 

Kluth67

0 Kudos
Arun_Intel1
Employee
2,410 Views

Hi kluth67,


Greetings!


Sure, thanks for confirming!


Awaiting for your response.


Best Regards

Arun_intel


0 Kudos
kluth67
Beginner
2,313 Views

"1—When the endpoints are in the same LAN as the server (Office), it is possible to provision the endpoints remotely. The Cert must be installed in IIS or Certif Manager Console and then in the EMA settings tab. Finally, install the EMA agent file on the endpoints. It is not necessary to add the Cert domain to the PKI DNS suffix field of the MEBx BIOS."

Dear Arun_Intel

Following the above instruction and using the Sectigo AAA certificate , refrer to the attached photos. We provisioned an endpoint with this TLS PKI certificate but the messages coming to Intel Managment Security Status, photos attached, are "configured and unconfigured" in a loop. Cira also is not working for this end point.

Please note that Sectigo certificate is not listed in the BIOS MBEx section

 

All The Best

 

0 Kudos
vij1
Employee
2,237 Views

Hello Kluth67,

 

Can you confirm if the certificate is correctly installed in the "Local Computer" store under "Personal" and "Trusted Root Certification Authorities"?

 

Regards,

Vijay N.

 


0 Kudos
kluth67
Beginner
2,200 Views

Hello Vijay N. 

 

Thank you very much for the info supplied. We will check it and update

 

kluth67

0 Kudos
kluth67
Beginner
651 Views

Dear Vijay N.

Sorry for the delay for my reply . Yes we confirm that the certificate is installed under the "Trusted Root Certification Authorities"

Please check the attached image, is a screenshot from a computer we have access to remotely to desktop but we have no access to hardware since CIRA is not connected . Any help how to proceed is welcomed

 

Kluth67

 

0 Kudos
Arun_Intel1
Employee
2,186 Views

Hi kluth67,


Sure, thanks for the update!


Best Regards

Arun_intel


0 Kudos
Arun_Intel1
Employee
1,992 Views

Hi kluth67,


Please share your observation if you were able to confirm with the plan of action shared.


Best Regards

Arun_intel


0 Kudos
Arun_Intel1
Employee
1,815 Views

Hi kluth67,


Greetings!


Thank you for contacting Intel, please feel free to contact us for any further query!


Best Regards

Arun_intel


0 Kudos
kluth67
Beginner
1,553 Views

Hi Arun_Intel

I will update as soon as I got the answer from the people responsible for the Certificate installation. 

 

All the Best 

Kluth67

0 Kudos
kluth67
Beginner
650 Views

Dear Arun_Intel and Vinjay N. 

Sorry for the delay for my reply . Yes we confirm that the certificate is installed under the "Trusted Root Certification Authorities"

Please check the attached image, is a screenshot from a computer we have access to remotely to desktop but we have no access to hardware since CIRA is not connected . Any help how to proceed is welcomed

 

Kluth67

 

0 Kudos
Jimmy_Wai_Intel
Employee
597 Views

Hi Kluth67,

 

Please check the thread below and see if you have similar issue with your provisioning certificate.

 

https://community.intel.com/t5/Intel-vPro-Platform/Issues-Getting-Endpoint-to-Provision-for-Admin-Control-Mode/m-p/1659616

 

In addition, it seems Intel AMT is already provisioned on one your PCs. Please unprovision it first and try again. Intel AMT cannot switch from Client Control Mode (host-based Configuration) to Admin Control Mode (certification-based configuration) without going thru the unprovisioning. If you had entered PKI DNS suffix into MEBx, please re-enter it after unprovisioning but provisioning the PC again.

0 Kudos
kluth67
Beginner
576 Views

Hi Jimmy_wai_Intel,

Thank you for your repoly. I would like to add some information. Till now we can remotely " see desktop, send message to end point, restart or shutdown the endpoints" what we do not reach is hardware /BIOS . Please find attached the screenshot of the certificates location on the server, some names were deleted for security

 

Kluth67

0 Kudos
Jimmy_Wai_Intel
Employee
531 Views

Hi kluth67,

Those working features are provided by the EMA Agent. It is not related to Intel AMT. Since you have not successfully provisioned Intel AMT, the hardware-based feature (access to BIOS, etc) are not working yet. The certificate location you shared in screen captures are not important. The certificate store is only where the provisioning certificate you purchased is initially created and stored. Intel EMA only looks for the certificate you uploaded via the web UI, which is stored in the Intel EMA SQL database. Have you followed the steps in the other thread I linked above to make sure the certificate and the entire certificate chain are correctly uploaded to the SQL database?

You should also look into the manageability server log stored at C:\Program Files (x86)\Intel\Platform Manager
\EMALogs on the Intel EMA server. You can find in the log file what error is causing Intel AMT provisioning to fail.

 

Regards,

Jimmy Wai

Technical Sales Specialist

0 Kudos
Reply