Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2919 Discussions

Pre-loaded CA Hashes by version

IBrow1
Beginner
1,136 Views

I'm trying to find a reference document for the CA hashes that have been embedded as standard in the various versions of AMT.

I found this, but it only really details version 7,11 and 12. https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Frootcertificatehashes.htm

 

We need to replace the cert on our RCS server as it's coming up for expiry, and will need it to support both the newer and older boards. The implication in that document (if I'm reading it correctly) is that the version 11 and 12 firmwares on the newer boards only support the sha256 fingerprinted roots, and the older firmwares on the older boards will only support the sha1 fingerprinted roots.

0 Kudos
9 Replies
JoseH_Intel
Moderator
1,014 Views

Hello IBrow1,

 

Thank you for joining the community.

 

As you correctly state the document you found details the preloaded hashes for the 5 commercial CAs that AMT currently supports. It details versions 7, 11 and 12 because those are the main versions found recently. Versions 11 and 12 are the ones that come with the most recent systems and 7 because it implemented several changes from the original AMT visions that were 6 and earlier. Usually there are not that many pre version 11 systems found out there. What versions do you have?

 

Regards

 

Jose A.

Intel Customer Support

0 Kudos
IBrow1
Beginner
1,014 Views

We're running a site survey now. When you say there aren't many pre-version 11 systems out there, is there a reason for that? Looking at this wikipedia article, and the chipsets listed against versions 8, 9 and 10... I'm not getting why they'd be uncommon - apart from maybe version 10. Or is it that the boards released during the version 8, 9 and 10 period have all had upgrades to version 11?

https://en.wikipedia.org/wiki/Intel_AMT_versions

 

0 Kudos
JoseH_Intel
Moderator
1,014 Views

Hello IBrow1,

 

The reason for not seeing that many older AMT version systems (at least at support) is pretty much for equipment renovation process. Nothing particular. We know about some updates has been performed to mitigate some vulnerability issues for example v12 increased many security features like TLS 2.0 protocol

 

Regards

 

Jose A.

Intel Customer Support

0 Kudos
JoseH_Intel
Moderator
1,014 Views

Hello IBrow1,

 

Do you have any further details, updates, questions or comments in regards to this issue?

This thread will be marked as resolved automatically in the next 72 hours if no activity is received.

 

Regards

 

Jose A.

Intel Customer Support Technician

0 Kudos
IBrow1
Beginner
1,014 Views

Hi,

The question hasn't really been answered. We have over 200 systems still running version 9.x, and maybe 30 running version 10.x. I'd really like to know what hashes were on those boards before committing to purchasing a new cert.

Thanks.

0 Kudos
JoseH_Intel
Moderator
1,014 Views

Hello IBrow1,

 

I will research on the preloaded hashes for such AMT versions. I will let you know as soon as I have updates.

 

Regards

 

Jose A.

Intel Customer Support Technician

0 Kudos
JoseH_Intel
Moderator
1,014 Views

Hello IBrow1,

 

After researching on your question I found that all of the public CA's issuing remote configuration certificates will have the appropriate hashes for AMT in the certificate for the versions you have outlined.

 

Hope it helps

 

Regards

 

Jose A.

Intel Customer Support Technician

0 Kudos
JoseH_Intel
Moderator
1,010 Views

Hello IBrow1,

 

I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this ticket as resolved. This support interaction will be marked as resolved automatically in the next 72 hours if no activity is received. 

 

Regards

 

Jose A.

Intel Customer Support Technician

0 Kudos
JoseH_Intel
Moderator
1,010 Views

Hello IBrow1,

 

We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and create a new topic.

 

Jose A.

Intel Customer Support Technician

0 Kudos
Reply