Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

TLS Alert (Certificate Unknown) occurs during the Secure Host Based Configuration process.

jic5760
New Contributor I
2,072 Views

Hello,

We are implementing AMT provisioning on our own without a solution like EMA.

We encountered a problem while implementing Secure Host-Based Configuration to support CSME 19 or higher.

1. Registered the AMT CA certificate.

> rpc amtinfo
Version : 15.0.47
Build Number : 2521
SKU : 16392
Features : AMT Pro Corporate
Control Mode : pre-provisioning state
DNS Suffix : 192.168.1.10


> rpc amtinfo -cert
---Certificate Hashes---
...
Our AMT CA (Active)
SHA256: cabc80186952320c73691e6c4d62379a7d9a52ca246e34881b83ad1a51b9ac12

2. StartConfigurationHBased

StartConfigurationHBased was called as follows.

StartConfigurationHBased(
  ServerHashAlgorithm = CERT_HASH_ALGORITHM_SHA256,
  ServerCertHash [SHA_512_KEY_SIZE]byte = SHA 256 HASH of Provisioning Certificate,
  HostVPNEnable = False,
  SuffixListLen = 0,
  NetworkDnsSuffixList [320]byte
)

3. The Provisioning server is connected to 127.0.0.1:16993.
But the TLS handshake fails.

jic5760_0-1707198035159.png

jic5760_1-1707198162098.png

- Both the provisioning certificate and the CA certificate have been sent.

- The hashes of the CA certificate and provisioning certificate are the same as those sent in steps 1 and 2.

Provisioning Certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8d:7c:e8:91:6a:64:14:68:54:96:b8:98:b1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Our AMT CA, C = KR
        Validity
            Not Before: Feb  6 05:33:52 2024 GMT
            Not After : Feb  3 05:33:52 2034 GMT
        Subject: CN = 192.168.1.10, OU = Intel(R) Client Setup Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, 2.16.840.1.113741.1.2.3
            X509v3 Subject Alternative Name: 
                DNS:192.168.1.10
            X509v3 Subject Key Identifier: 
                58:CE:02:47:70:49:8C:C1:7B:DB:9E:FA:DE:C0:3D:8D:76:9A:5C:CA
            X509v3 Authority Key Identifier: 
                B7:FE:10:B2:C9:C8:E8:64:92:6E:17:D5:21:B1:40:72:66:A7:CF:89
            Netscape Cert Type: 
                SSL Server
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: ...

0 Kudos
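
The hash comparison the post describes, as an added Python example (not the poster's code and not code from Intel or the rpc tool): it reads the active trusted-root hashes from `rpc amtinfo -cert` output and compares them, and the value passed as ServerCertHash, with SHA-256 fingerprints of the chain the provisioning server presents. Assumptions: fingerprints are taken over each certificate's DER bytes, the PEM bundle is ordered leaf first and root last, and all function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# "<name> (Active)" then "SHA256: <hex>", the layout of the `rpc amtinfo -cert` output in the post;
# other flags inside the parentheses are tolerated.
ACTIVE_RE = re.compile(
    r"^[ \t]*(.+?)[ \t]+\([^)\n]*\bActive\)[ \t]*\r?\n[ \t]*SHA256:[ \t]*([0-9a-fA-F]{64})[ \t]*\r?$",
    re.M)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def active_root_hashes(amtinfo_text):
    """Map SHA-256 hex -> name for every trusted root listed as Active."""
    return {digest.lower(): name for name, digest in ACTIVE_RE.findall(amtinfo_text)}

def chain_fingerprints(pem_bundle):
    """SHA-256 over each certificate's DER bytes, in bundle order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_bundle)]

def check_chain(amtinfo_text, pem_bundle, server_cert_hash):
    """Assumption: the bundle is ordered leaf first, root last."""
    fps = chain_fingerprints(pem_bundle)
    if len(fps) < 2:
        raise ValueError(f"need leaf and root, got {len(fps)} certificate(s)")
    return {
        "leaf_matches_server_cert_hash": fps[0] == server_cert_hash.replace(":", "").lower(),
        "root_active_as": active_root_hashes(amtinfo_text).get(fps[-1]),  # None: not an active root
    }

def pem_wrap(der):
    """Hypothetical helper: wrap bytes in PEM armour for the constructed sample."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins: arbitrary bytes in place of real DER, so only the hash comparison runs.
LEAF_DER, ROOT_DER, OTHER_DER = b"constructed leaf", b"constructed root", b"constructed other"
SAMPLE_CHAIN = pem_wrap(LEAF_DER) + pem_wrap(ROOT_DER)
SAMPLE_AMTINFO = (
    "---Certificate Hashes---\n"
    f"Constructed Unused CA\nSHA256: {hashlib.sha256(OTHER_DER).hexdigest()}\n"
    f"Our AMT CA (Active)\nSHA256: {hashlib.sha256(ROOT_DER).hexdigest()}\n"
)

if __name__ == "__main__":
    print(check_chain(SAMPLE_AMTINFO, SAMPLE_CHAIN, hashlib.sha256(LEAF_DER).hexdigest()))
```

With real input, `pem_bundle` would be the PEM chain the provisioning server is configured to send and `amtinfo_text` the captured output of `rpc amtinfo -cert`.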
5 Replies
MIGUEL_C_Intel
Moderator
2,035 Views

Hello, jic5760,


I noticed there is a similar post open; the title is "What is AMTCertHash in StartConfigurationHBased?"

https://community.intel.com/t5/Intel-vPro-Platform/What-is-AMTCertHash-in-StartConfigurationHBased/m-p/1568585#M11167


The developer team is reviewing your request; please be patient. Custom Intel® AMT configurations require further investigation and tests.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
jic5760
New Contributor I
2,018 Views
Even if the differences in AMTHash are ignored, there will be no problem in operation.
It's just that the AMT Device cannot be verified.

Would it be helpful if I could give you a sample program?
0 Kudos
MIGUEL_C_Intel
Moderator
2,011 Views

Hello, jic5760,


We appreciate your post regarding the questions about the certificates. Since this is a support forum for Intel® EMA, AMT, and Management Engine, and your question is more about development, the best place to get the appropriate response would be our developer's forum. Please re-post your question for visibility with the appropriate community:

https://community.intel.com/t5/Developer-Software-Forums/ct-p/developer-software-forums


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
1,966 Views

Hello, jic5760,


Thank you for your comprehension. I am closing the forum.


Regards,

Miguel C.

Intel Customer Support Technician


0 Kudos