- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have an AMT provisioning certificate that is about to expire, so we have requested a new certificate based on the old cert and have received this cert, created PFX file and upoloaded in to Intel EMA. However, I am not seeing the blue 'PKI Certificate' notification foir this certificate.
We are running Intel EMA 1.10.1.0
I have followed the same process that was used for the original cert and was also following what was outlined in this Intel EMA support document; https://www.intel.com.au/content/www/au/en/support/articles/000088905/software/manageability-products.html
I provided a new Entry Name (appended cert renewal month and year). I've checked this new cert against the existing cert and can see everything the same (other than certificate validaity period) and can confirm the new cert start period has passed, so it is currently valid
I have attached screen shots of the EMA Console and also of both the new and old certs (old cert on left) and you can see that the required Intel OID is present in both using OU "Intel(R) Client Setup Certificate"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Victor,
Thanks for the quick reply
It appears I have resolved the issue and there may be a bug in the Intel code.
In the first attempt that failed I used the same Entry name as the certificate that I was renewing and just appended a suffix of the renewal month and year ie. '<certificateFQDN>-June2023', so I could differentiate between the certificates.
However, if I append the same entry as a suffix to the Entry name ie. 'June2023-<certificateFQDN>', then the certificate is recognised and the 'blue' 'PKI Certiciate' appears. I believe there may be a limit on the number of characters in the Entry name that are being checked against existing certificates to determine whether it's valid. For example if the Entry Name only checks the first 32 characters, then this would have caused the failure as the suffix '-June2023' is appended at the 36th character.
Please refer the two screen shots of the failed and successful imports of the exact same certificate, but with a different entry name ie. suffix/prefix.
regards,
Neil...
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello neilbrin,
Thank you for posting on the Intel® communities.
To provide you with assistance please provide the following:
1-What EMA version are you currently using?
2-How many endpoints do you have in your deployment?
3-In regards to the certificate are you currently seeing any issues with EMA after you successfully install the new certificate?
4-You mentioned not having the blue PKI certificate title in the EMA web GUI next to the new certificate; however, is this affecting the use of EMA in any way or you were just curious about why is not there?
Best regards,
Victor G.
Intel Technical Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Victor,
Thanks for the quick reply
It appears I have resolved the issue and there may be a bug in the Intel code.
In the first attempt that failed I used the same Entry name as the certificate that I was renewing and just appended a suffix of the renewal month and year ie. '<certificateFQDN>-June2023', so I could differentiate between the certificates.
However, if I append the same entry as a suffix to the Entry name ie. 'June2023-<certificateFQDN>', then the certificate is recognised and the 'blue' 'PKI Certiciate' appears. I believe there may be a limit on the number of characters in the Entry name that are being checked against existing certificates to determine whether it's valid. For example if the Entry Name only checks the first 32 characters, then this would have caused the failure as the suffix '-June2023' is appended at the 36th character.
Please refer the two screen shots of the failed and successful imports of the exact same certificate, but with a different entry name ie. suffix/prefix.
regards,
Neil...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Victor,
As an addition to my previous post, due to the certificate now being recognised, I can now select and save this new certificate in the AMT Autosetup screen for the endpoint group that we use this certificate for (see attached screenshot) and therefore we can now continue to auto-provision the AMT on our devices without interruption ie. certificate expiry
regards,
Neil...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello neilbrin,
Thank you so much for your responses.
We appreciate the feedback on this process and we will do our best to discuss this internally with our team for future inquiries. We hope your response can help community peers facing the same problem you went through.
Best regards,
Victor G.
Intel Technical Support Technician
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page