Community
cancel
Showing results for 
Search instead for 
Did you mean: 
GMadi1
Beginner
1,078 Views

Need help: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable

We need some help. We are receiving an SSL error when attempting to remote configure our Dell notebooks

We have a Go Daddy CA for provisioning our Dell notebooks. However, we are still unable to remote configure our vPro equipped systems.

Lan Setup:

Our Active Directory suffix is mycompany.corp (.corp is our AD Zone)

Our DHCP option 14 issues a suffix of pb.mycompany.com (.com is our Unix based zone)

Our Go Daddy CA is pb.mycompany.com

Our RCS server is pbvproap01.pb.mycompany.com

Error message from one of our notebooks:

Operation: Configuration

 

Date and Time: 8/22/2016 11:13:55 AM

 

Error Code: 3221246495

 

Severity: Failure

 

UUID: 4C4C4544-0030-3810-8047-C2C04F565931

 

Intel AMT FQDN: Notebook1.pb.mycompany.com

 

Intel AMT IPv4: 192.168.164.5

 

Server Name: pbvproap01.mycompany.corp

 

Description: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.

 

Failed while calling

 

WS-Management call

 

GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error

 

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

 

Valid certificate for PKI configuration not found.
0 Kudos
1 Reply
Dariusz_W_Intel
Employee
46 Views

Please check your GoDaddy certificate:

  1. Is it installed in certificate store of user running RCS Service (if RCS is run as Network Service it will be Computer certificate store)
  2. Is it Intel AMT Provisionig certificate?It should contain an Intel AMT unique OID (2.16.840.1.113741.1.2.3) in EKU if possible. It must contain the "SSL Server" OID (an IANA pre-defined OID). (this is what GoDaddy inserts into EKU when you select "certificate for Intel vPro"

     

    — OR —

     

    The OU value in the Subject field must be "Intel(R) Client Setup Certificate". This OU value is case-sensitive and must be entered exactly (without quotation marks). (this is used by other Root CAs)

     

     

  3. If it was issued recenly it is SHA256 certificate for sure. SHA256 certificates are supported by Intel AMT FW 6.0x or newer only.
  4. Does its trust chain start with Go Daddy Class 2 CA with SHA1 Fingerprint: ‎27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4?

     

    Newer Go Daddy Root CA-G2 is supported by Intel AMT 11, and updated/recent versions of AMT FW 8,9.x,10. Those updated versions may be not made available by Dell for your HW.

     

    You may need to install GoDaddy G1 to G2 Cross Certificate https://certs.godaddy.com/repository/gdroot-g2_cross.crt gdroot-g2_cross.crt to rebuild trust chain to Go Daddy Class 2 CA (and Restart RCS).

 

Dariusz Wittek

 

Intel EMEA Biz Client Solution Architect