Intel vPro® Platform
Intel Manageability Forum (Intel® EMA, AMT & Manageability Commander)
2662 Discussions

PKI Certificate Error with AMT FW 16

JRüeg
New Contributor I
139 Views

We received new Lenovo models (T16 G1 and X1 Yoga 7) both with a AMT 16 firmeware. Both seem to have a provlem with our Digicert AMT certificate. The certificate is from DigiCert Global Root CA. It works flawlessly with older firmware (including a Lenovo X12 with FW 15). 

We use CIRA-only mode and Certificate Provisioning. 

I found an info, that AMT 16 stopped supporting sha1 certificates. But the hashes in the amt FW were sha256 for some time and the amt certificate as well as intermediate certificate is sha256. 

Is there a known problem with Digicert AMT certificates or FW 16? How can we verify the reason for this certificate error?

We also tried provisioning the machines with Intel SCS but face the same problem (certificate error). 

EMA 1.8 loggs:

2022-12-27 16:18:03.0531|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Get mesh information (Tenant) : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.0571|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Attempting host based admin provisioning : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.0571|INFO||5112|26|StartRouter - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Starting Mesh Router 56151 -> E3FF20E4:16992, SYSTEM
2022-12-27 16:18:03.2622|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Creating DotNetWSManClient object : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.4431|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if unprovisioned : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.4431|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if the admin control mode is allowed : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.4900|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - NotStarted : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.4900|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - amt.kt.lunet.ch : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.5681|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - DigiCert SHA2 Secure Server CA : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.6463|INFO||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - DigiCert Global Root CA : (AQ3DG,E3FF20E4).
2022-12-27 16:18:03.7244|WARN||5112|26|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Warning:Failed to push activation certificate - CERT_VERIFY_FAILED : (AQ3DG,E3FF20E4).

 

Here is the log for a HW with older Firmware on the same day using the same EMA server:

2022-12-27 16:34:52.8469|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if unprovisioned : (ANNFU,E5BDBCA0).
2022-12-27 16:34:52.8469|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Checking if the admin control mode is allowed : (ANNFU,E5BDBCA0).
2022-12-27 16:34:52.8937|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - NotStarted : (ANNFU,E5BDBCA0).
2022-12-27 16:34:52.8937|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - amt.kt.lunet.ch : (ANNFU,E5BDBCA0).
2022-12-27 16:34:53.0031|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - DigiCert SHA2 Secure Server CA : (ANNFU,E5BDBCA0).
2022-12-27 16:34:53.1125|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Pushing activation certificate - DigiCert Global Root CA : (ANNFU,E5BDBCA0).
2022-12-27 16:34:53.8469|INFO||5112|50|HostBasedAdminUpdate - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.8.0.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Current certificate chain status - ChainComplete : (ANNFU,E5BDBCA0).

0 Kudos
1 Reply
Victor_G_Intel
Moderator
117 Views

Hello JRüeg,


Thank you for posting on the Intel® communities.


You are correct from AMT version 16 and forward all of your certificates related to AMT/EMA must be SHA256. If one of them is not SHA256 you will have to contact the vendor and request an upgrade of the specific one that doesn’t meet this requirement.


Regards,


Victor G.

Intel Technical Support Technician  


Reply