Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

Microsoft CA Certificate Template Limitations?

Zieri__Sascha
Beginner
2,140 Views

Hi there,

 

As we are right now work over our internal Microsoft certificate authority structure, also splitting it to a offline root and intermediate enterprise ca,  i'm too reviewing the certificate templates for vpro.

 

We have installed Intel EMA v 1.10.0.0 and our CA's are on Windows Server 2022 Standard.

 

I already looked over the latest EMA and SCS documents but found only very little information what limitations for the template exists. Further google the case, brought not very actual information too, unfortunately most information available is from around 2010 and earlier.

 

Is there any information what actually can be used and what are the limitations for a 802.1x certificate template?

- Whats the maximum compatibility?

- What maximum settings can be used in Cryptography Settings (KSP or CSP, algorythms, key size)?

Unfortunately the only official  information i could get out of the documentation was on Page 80 of the "Intel(R)_EMA_Server_Installation_and_Maintenance_Guide" that it should be based on the "Workstation Authentication" Template and if still accurate there are some hints on "Intel® AMT SDK Implementation and Reference Guide". In the SCS Documentation where only references on what SCS supports and not whats available for the different vPro AMT Hardwareversions.

 

I would really appreaciate if you could give me some hints in the right direction.

 

Thanks for reply

 

Sascha Zieri

 

 

 

 

 

 

0 Kudos
7 Replies
Victor_G_Intel
Employee
2,118 Views

Hello Zieri__Sascha,

 

Thank you for posting on the Intel® communities.

 

Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share, we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
2,077 Views

Hello Zieri__Sascha,


Thank you so much for your patience.


Is the information in the link below what you are looking for?


https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/detaileddescription161.htm


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
Zieri__Sascha
Beginner
2,052 Views

Hello Victor G.

 

Thank you for the reply, i found that description too, it gives only information about key length, certificate size and what algorithms can be used, also i was not shure if the information was still accurate. Unfortunately it gives no info about what compatibility level can be used or what provider (i added some screenshots for better understanding).

 

In the EMA Server Installation Guide on Sites 79 - 80 it's only discribed what Template to copy, how to handle the subject name and when to make the private key exportable or not.

 

Our new root and intermediate CA's are on "Windows Server Standard 2022" so i would suspect the Certification Authority Compatibility could be on Windows Server 2016? But for the Certificate recipient level im not shure at all about what can be used?

 

If you can use higher then 2003 then also the question comes up if only the "Legacy Cryptographic Service Provider" can be used or  "Key Storage Provider" also could work?

 

A smal note about the Case i described in Re: Re:Provisioning Problem with ME V15.0.41.2142 - Intel Communities  - By the way this problem is still persistent - Even with the most up to date Firmwares from HP and the most recent Version of EMA, but i found out, it only happens when provisioning with a certificate (at some part when moving to the new CA i had a problem with the EMA Configuration not putting in the Certs and then anything what didn't need 802.11x worked.

 

that's the reason i really would like the right information to make that template to probably prevent that problem too.

 

Thanks for Reply

 

Greetings,

 

Sascha Zieri

 

 

0 Kudos
Victor_G_Intel
Employee
2,039 Views

Hello Zieri__Sascha,

 

We appreciate your response.

 

Please allow us some more time to look into this, we will reach out as soon as possible.

 

Regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Victor_G_Intel
Employee
1,892 Views

Hello Zieri__Sascha,


Thank you so much for your patience.


If we understood your request correctly you are asking us for the 802.1x template requirements. On our end we only provide the template as an example, you will need to use whatever certificate is required to authenticate against your 802.1x infrastructure (i.e. Cisco ISE). Additionally, this is not a requirement of EMA, you can use any 802.1x cert as far as EMA cares, it is his 802.1x requirements that must be satisfied to authenticate a user to the network.


Best regards,


Victor G.

Intel Technical Support Technician  


0 Kudos
Victor_G_Intel
Employee
1,859 Views

Hello Zieri__Sascha,


Were you able to check the previous post?  


Please let me know if you need further assistance.  

 

Regards,


Victor G. 

Intel Technical Support Technician  


0 Kudos
Victor_G_Intel
Employee
1,801 Views

Hello Zieri__Sascha,


We have not heard back from you.


If you need any additional information, please submit a new question as this thread will no longer be monitored.


Regards,


Victor G.

Intel Technical Support Technician


0 Kudos
Reply