Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

PKI Certificate Error with AMT FW 16

JRüeg

We received new Lenovo models (T16 G1 and X1 Yoga 7), both with AMT 16 firmware. Both seem to have a problem with our Digicert AMT certificate. The certificate is from DigiCert Global Root CA. It works flawlessly with older firmware (including a Lenovo X12 with FW 15).

We use CIRA-only mode and Certificate Provisioning. 

I found information that AMT 16 stopped supporting SHA1 certificates. But the hashes in the AMT FW have been SHA256 for some time, and the AMT certificate as well as the intermediate certificate are SHA256.

Is there a known problem with Digicert AMT certificates or FW 16? How can we verify the reason for this certificate error?

We also tried provisioning the machines with Intel SCS but face the same problem (certificate error). 

EMA 1.8 logs:

2022-12-27 16:18:03.0531|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Get mesh information (Tenant) : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.0571|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Attempting host based admin provisioning : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.0571|INFO||5112|26|StartRouter - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Starting Mesh Router 56151 -> E3FF20E4:16992, SYSTEM
2022-12-27 16:18:03.2622|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Creating DotNetWSManClient object : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.4431|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if unprovisioned : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.4431|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if the admin control mode is allowed : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.4900|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - NotStarted : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.4900|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - amt.kt.lunet.ch : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.5681|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - DigiCert SHA2 Secure Server CA : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.6463|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - DigiCert Global Root CA : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.7244|WARN||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Warning:Failed to push activation certificate - CERT_VERIFY_FAILED : (AQ3DG,E3FF20E4).

 

Here is the log for a HW with older Firmware on the same day using the same EMA server:

2022-12-27 16:34:52.8469|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if unprovisioned : (ANNFU,E5BDBCA0).
2022-12-27 16:34:52.8469|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if the admin control mode is allowed : (ANNFU,E5BDBCA0).
2022-12-27 16:34:52.8937|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - NotStarted : (ANNFU,E5BDBCA0).
2022-12-27 16:34:52.8937|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - amt.kt.lunet.ch : (ANNFU,E5BDBCA0).
2022-12-27 16:34:53.0031|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - DigiCert SHA2 Secure Server CA : (ANNFU,E5BDBCA0).
2022-12-27 16:34:53.1125|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - DigiCert Global Root CA : (ANNFU,E5BDBCA0).
2022-12-27 16:34:53.8469|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - ChainComplete : (ANNFU,E5BDBCA0).

Victor_G_Intel
Employee

Hello JRüeg,


Thank you for posting on the Intel® communities.


You are correct: from AMT version 16 onward, all of your certificates related to AMT/EMA must be SHA256. If one of them is not SHA256, you will have to contact the vendor and request an upgrade of the specific one that doesn’t meet this requirement.


Regards,


Victor G.

Intel Technical Support Technician  

