Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Renewed AMT Provisioning cert is not showing up as 'blue'

neilbrin
New Contributor I

We have an AMT provisioning certificate that is about to expire, so we requested a new certificate based on the old cert, received it, created a PFX file and uploaded it into Intel EMA. However, I am not seeing the blue 'PKI Certificate' notification for this certificate.

We are running Intel EMA 1.10.1.0


I have followed the same process that was used for the original cert and was also following what was outlined in this Intel EMA support document; https://www.intel.com.au/content/www/au/en/support/articles/000088905/software/manageability-products.html

https://www.intel.com/content/www/us/en/support/articles/000094572/software/manageability-products.html

 

I provided a new Entry Name (appended cert renewal month and year). I've checked this new cert against the existing cert and can see everything is the same (other than the certificate validity period) and can confirm the new cert start period has passed, so it is currently valid.

I have attached screen shots of the EMA Console and also of both the new and old certs (old cert on left) and you can see that the required Intel OID is present in both using OU "Intel(R) Client Setup Certificate"
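
The comparison described in the post above (same fields apart from the validity period, setup OU present, start date already passed) can be scripted before a renewed certificate is uploaded. This is an added example, not part of the original post and not Intel code; the FQDN `amt.example.com`, the function names and the two self-signed sample certificates are constructed for illustration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# OU value quoted in the post as marking the provisioning certificate.
$RequiredOU = 'Intel(R) Client Setup Certificate'

# Builds an in-memory, self-signed stand-in certificate (constructed sample data).
function New-SampleCert([string]$Subject, [datetime]$NotBefore, [datetime]$NotAfter) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    return $req.CreateSelfSigned($NotBefore, $NotAfter)
}

# Collects the fields that should survive a renewal, plus the validity window.
function Get-CertSummary([X509Certificate2]$Cert) {
    $ous = [regex]::Matches($Cert.Subject, 'OU=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
    [ordered]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        OU            = $ous -join ';'
        HasPrivateKey = $Cert.HasPrivateKey
        NotBefore     = $Cert.NotBefore
        NotAfter      = $Cert.NotAfter
    }
}

# Reports which fields differ and whether the new certificate is usable today.
function Compare-ProvisioningCert([X509Certificate2]$Old, [X509Certificate2]$New) {
    $o = Get-CertSummary $Old
    $n = Get-CertSummary $New
    $now = Get-Date
    [pscustomobject]@{
        DifferingFields = @($o.Keys | Where-Object { "$($o[$_])" -ne "$($n[$_])" })
        HasSetupOU      = (($n.OU -split ';') -contains $RequiredOU)
        ValidNow        = ($New.NotBefore -le $now) -and ($now -le $New.NotAfter)
    }
}

# Hypothetical subject; in practice load each PFX instead, for example with
# [X509Certificate2]::new($pfxPath, $securePassword).
$subject = "CN=amt.example.com, OU=$RequiredOU, O=Example"
$now = Get-Date
$old = New-SampleCert $subject $now.AddYears(-1) $now.AddDays(10)   # about to expire
$new = New-SampleCert $subject $now.AddDays(-1)  $now.AddYears(1)   # renewed
Compare-ProvisioningCert $old $new | Format-List
```

If `DifferingFields` lists only the validity dates and the other two values are true, the certificate itself matches the old one, which leaves the import parameters (such as the Entry Name discussed later in this thread) as the remaining variable.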



Victor_G_Intel
Employee

Hello neilbrin,

 

Thank you for posting on the Intel® communities.

 

To provide you with assistance please provide the following:


1-What EMA version are you currently using?


2-How many endpoints do you have in your deployment?


3-In regard to the certificate, are you currently seeing any issues with EMA after you successfully installed the new certificate?


4-You mentioned not having the blue PKI certificate title in the EMA web GUI next to the new certificate; however, is this affecting the use of EMA in any way, or were you just curious about why it is not there?

 

Best regards,

 

Victor G.

Intel Technical Support Technician


neilbrin
New Contributor I

Hi Victor,

 

Thanks for the quick reply

 

It appears I have resolved the issue and there may be a bug in the Intel code.

In the first attempt, which failed, I used the same Entry name as the certificate that I was renewing and just appended a suffix of the renewal month and year, i.e. '<certificateFQDN>-June2023', so I could differentiate between the certificates.

However, if I append the same entry as a suffix to the Entry name, i.e. 'June2023-<certificateFQDN>', then the certificate is recognised and the 'blue' 'PKI Certificate' appears. I believe there may be a limit on the number of characters in the Entry name that are being checked against existing certificates to determine whether it's valid. For example, if the Entry Name only checks the first 32 characters, then this would have caused the failure, as the suffix '-June2023' is appended at the 36th character.

 

Please refer to the two screenshots of the failed and successful imports of the exact same certificate, but with a different entry name, i.e. suffix/prefix.

 

regards,

Neil...



 

neilbrin
New Contributor I

Victor,

 

As an addition to my previous post, due to the certificate now being recognised, I can now select and save this new certificate in the AMT Autosetup screen for the endpoint group that we use this certificate for (see attached screenshot), and therefore we can now continue to auto-provision the AMT on our devices without interruption, i.e. certificate expiry.

regards,
Neil...

Victor_G_Intel
Employee

Hello neilbrin,


Thank you so much for your responses.


We appreciate the feedback on this process and we will do our best to discuss this internally with our team for future inquiries. We hope your response can help community peers facing the same problem you went through.


Best regards,


Victor G.

Intel Technical Support Technician

