Hello,
We are implementing AMT provisioning on our own without a solution like EMA.
We encountered a problem while implementing Secure Host-Based Configuration to support CSME 19 or higher.
1. Registered the AMT CA certificate.
> rpc amtinfo
Version : 15.0.47
Build Number : 2521
SKU : 16392
Features : AMT Pro Corporate
Control Mode : pre-provisioning state
DNS Suffix : 192.168.1.10
> rpc amtinfo -cert
---Certificate Hashes---
...
Our AMT CA (Active)
SHA256: cabc80186952320c73691e6c4d62379a7d9a52ca246e34881b83ad1a51b9ac12
2. StartConfigurationHBased
StartConfigurationHBased was called as follows.
StartConfigurationHBased(
    ServerHashAlgorithm = CERT_HASH_ALGORITHM_SHA256,
    ServerCertHash [SHA_512_KEY_SIZE]byte = SHA 256 HASH of Provisioning Certificate,
    HostVPNEnable = False,
    SuffixListLen = 0,
    NetworkDnsSuffixList [320]byte
)
3. The Provisioning server is connected to 127.0.0.1:16993.
But TLS Handshake Failure.
- Both the provisioning certificate and the CA certificate have been sent.
- The hashes of the CA certificate and provisioning certificate are the same as those sent in steps 1 and 2.
Provisioning Certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8d:7c:e8:91:6a:64:14:68:54:96:b8:98:b1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Our AMT CA, C = KR
        Validity
            Not Before: Feb 6 05:33:52 2024 GMT
            Not After : Feb 3 05:33:52 2034 GMT
        Subject: CN = 192.168.1.10, OU = Intel(R) Client Setup Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, 2.16.840.1.113741.1.2.3
            X509v3 Subject Alternative Name:
                DNS:192.168.1.10
            X509v3 Subject Key Identifier:
                58:CE:02:47:70:49:8C:C1:7B:DB:9E:FA:DE:C0:3D:8D:76:9A:5C:CA
            X509v3 Authority Key Identifier:
                B7:FE:10:B2:C9:C8:E8:64:92:6E:17:D5:21:B1:40:72:66:A7:CF:89
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: ...
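A pre-flight check for the chain described in the post above, as an added example that is not part of the original post and is not Intel's or rpc's code: it recomputes the root certificate's SHA-256 fingerprint for comparison with the hash registered in step 1, and looks for the EKU OID from the dump on the leaf. `Fingerprint`, `CheckChain` and `SampleChain` are hypothetical names, and the example assumes the registered hash is the SHA-256 of the DER-encoded CA certificate in lowercase hex.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var amtSetupOID = asn1.ObjectIdentifier{2, 16, 840, 1, 113741, 1, 2, 3} // EKU OID from the dump in the post

// Fingerprint is the lowercase hex SHA-256 of the DER bytes, the form `rpc amtinfo -cert` prints.
func Fingerprint(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// CheckChain compares the root with the registered hash and looks for the EKU OID on the leaf.
func CheckChain(leafDER, rootDER []byte, registered string) (problems []string) {
	if Fingerprint(rootDER) != registered {
		problems = append(problems, "root hash differs from registered hash")
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return append(problems, "leaf is not valid DER")
	}
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(amtSetupOID) {
			return problems
		}
	}
	return append(problems, "leaf lacks EKU "+amtSetupOID.String())
}

// SampleChain builds a throwaway CA and leaf in memory (constructed data, errors ignored).
func SampleChain(eku ...asn1.ObjectIdentifier) (leafDER, rootDER []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	ca, leaf := tmpl, tmpl
	ca.IsCA, ca.BasicConstraintsValid, leaf.UnknownExtKeyUsage = true, true, eku
	rootDER, _ = x509.CreateCertificate(rand.Reader, &ca, &ca, pub, key)
	leafDER, _ = x509.CreateCertificate(rand.Reader, &leaf, &ca, pub, key)
	return leafDER, rootDER
}

func main() {
	leaf, root := SampleChain(amtSetupOID)
	fmt.Println(CheckChain(leaf, root, Fingerprint(root)))
}
```

With real files, pass the DER bytes of the provisioning certificate and the CA certificate, plus the SHA256 value that `rpc amtinfo -cert` lists for the CA.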
Hello, jic5760,
I noticed there is a similar post open; the title is "What is AMTCertHash in StartConfigurationHBased?"
The developer team is reviewing your request; please be patient. Custom Intel® AMT configurations require further investigation and tests.
Regards,
Miguel C.
Intel Customer Support Technician
It's just that the AMT Device cannot be verified.
Would it be helpful if I could give you a sample program?
Hello, jic5760,
We appreciate your post regarding the questions about the certificates. Since this is a support forum for Intel® EMA, AMT, and Management Engine, and your question is more for development, the best place to get the appropriate response would be our developer's forum. Please re-post your question for visibility with the appropriate community:
https://community.intel.com/t5/Developer-Software-Forums/ct-p/developer-software-forums
Regards,
Miguel C.
Intel Customer Support Technician
Hello, jic5760,
Thank you for your comprehension. I am closing the forum.
Regards,
Miguel C.
Intel Customer Support Technician