Intel® vPro™ Platform
Intel Manageability Forum (Intel® EMA, AMT, SCS & Manageability Commander)

Internal Enterprise Root CA Cert Expiration

MFish7
Novice
1,327 Views

Hi all,

If we have set up an internal root CA and have been manually importing the hash into vPro ME, what happens when the cert expires? All of our clients will be provisioned using an expired cert. What would be the process to add the renewed cert? Would it have to be a manual process?

idata
Community Manager
161 Views

Hello MikeFi,

Sorry that no one has responded to your post yet. Hopefully I can clarify the understanding of your internal provisioning certificate, however.

The lifetime of the Root CA hash you embedded in your Intel vPro clients' firmware is more or less correlated to the lifetime of your Enterprise Root CA's certificate. Since the hash that is validated is the one from your root CA, and not the provisioning certificate itself, each time you rotate out your provisioning certificate (e.g. every 1 year), the root CA's certificate hash will remain constant.

In short, look at the expiration date of your root CA certificate to determine the last date you can issue provisioning certificates under that root cert. If your root CA cert doesn't expire for another 20 years, then you can safely re-issue new provisioning certificates that chain up to the root CA from your subordinate CA until that time.

I hope this helps, and also hope that I haven't confused things even more.

Cheers,

Trevor Sullivan

http://trevorsullivan.wordpress.com
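
The relationship described in the answer above, as an added example that is not part of the original thread: a throwaway lab PKI built with the `openssl` CLI, in which two successive provisioning certificates chain to one root whose hash is unaffected by the rotation. All names, lifetimes and file names are constructed, and the provisioning certificates are issued directly by the root for brevity.

```bash
#!/usr/bin/env bash
# Added example. Constructed lab PKI: every name, lifetime and file below is made up.
set -eu

# SHA-256 over the DER-encoded certificate, i.e. the certificate hash/thumbprint.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if certificate $2 verifies against trust anchor $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_lab_pki() {
  d=$1
  # Self-signed root CA certificate, valid 10 years.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Two successive one-year provisioning certificates (yearly rotation).
  # Issued directly by the root for brevity; a subordinate CA adds one link.
  for n in 1 2; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=provisioning.example.test" \
      -keyout "$d/prov$n.key" -out "$d/prov$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/prov$n.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
      -set_serial "$n" -days 365 -sha256 -out "$d/prov$n.crt" 2>/dev/null
  done
  # Re-issued root: same key and subject, new validity period.
  openssl req -x509 -new -key "$d/root.key" -sha256 -days 7300 \
    -subj "/CN=Example Lab Root CA" -out "$d/root-renewed.crt" 2>/dev/null
}

lab=$(mktemp -d)
build_lab_pki "$lab"

echo "root hash:          $(fingerprint "$lab/root.crt")"
for n in 1 2; do
  chains_to "$lab/root.crt" "$lab/prov$n.crt" && echo "prov$n chains to the root"
done
# The date that bounds issuance: the root's own notAfter.
openssl x509 -in "$lab/root.crt" -noout -enddate
# Exit status 0 means the root is still valid one year (31536000 s) from now.
openssl x509 -in "$lab/root.crt" -noout -checkend 31536000 >/dev/null && echo "root valid for 1y+"
echo "renewed root hash:  $(fingerprint "$lab/root-renewed.crt")"
```

The hash is computed over the root certificate's own bytes, so rotating provisioning certificates leaves it unchanged, while a root certificate re-issued with the same key has a different hash from the one originally imported.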


MFish7
Novice
161 Views

That's what I wanted to confirm: whether or not the hash stays the same upon a cert renewal.

Thanks!
