Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

TLS certificate error "Unable to get activation certificate from database"

SiW
Novice

Hi, I have set up EMA, 1.4.0.0, got our domain and the server all publicly set up, all access sorted on the firewall. I have got an SSL cert with the AMT OID, and all aligned to the server, converted and installed the .cer file in completing the CSR on IIS.

Exported the new import as .pfx, then installed in IIS.

Set up new endpoint group, created Wi-Fi profile, installed certs into settings, set up AMT profile, all good.

CIRA deployment test works fine, but the TLS part fails with "Unable to get activation certificate from database". I am a little stumped, it all looks good, and if I check the appropriate SQL table the cert is listed.

Has anyone seen this please?

Regards, Si

1 Solution
SiW
Novice

Jose,

The version of EMA is 1.4.0.0, however I managed to fix this. I was looking at the SSL certificates, and although I'd re-assembled the chain of certs and imported into EMA, successfully (publicly issued SSL cert) for some reason the intermediate and root cert didn't appear in the list. So I converted those to .cer files and imported those as 'non PKI' certificates and it's all working. 

When I built my last platform I'm not sure if I did the same, but we did have lots of issues on that one as the SSL supplier issued my first certificate without the Intel AMT OID, so it had to be re-created. 

Anyway, good news is now working, so it was just the certs that were the issue in the end thankfully, just couldn't work out why I was getting the message. I presume that the TLS provisioning needs all 3 certificates in the chain to be imported and visually present in the EMA configuration GUI to reflect they are in the DB and working, and all three need to be there (i.e. Root-Intermediate-Device).

Regards,

Simon

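A check related to the accepted solution above, as an added example that is not part of the thread or of Intel's tooling: it reports whether an exported .pfx carries the AMT OID on the device certificate and whether the intermediate and root are present in the file. The function name and the path in the usage comment are hypothetical, and the OID value (Intel's AMT remote-configuration EKU OID) is supplied here because the thread does not quote it.

```powershell
# Added example: inspect a provisioning .pfx offline before importing it into EMA.
function Test-AmtPfxChain {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        # Assumption: Intel AMT remote-configuration EKU OID (not quoted in the thread).
        [string] $AmtOid = '2.16.840.1.113741.1.2.3'
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    # X509Certificate2Collection.Import only accepts a plain string password.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = New-Object "$x509.X509Certificate2Collection"
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs.Import($Path, $plain, $flags)

    # The device (leaf) certificate is the one exported with its private key.
    $leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $Path" }

    # Collect the Enhanced Key Usage OIDs of the leaf.
    $eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Walk issuer names inside the file only (name match, no signature check),
    # stopping at a self-signed root or at the first issuer that is absent.
    $chain = @($leaf)
    $current = $leaf
    while ($current.Subject -ne $current.Issuer -and $chain.Count -lt 10) {
        $issuer = $certs |
            Where-Object { $_.Subject -eq $current.Issuer -and $_.Thumbprint -ne $current.Thumbprint } |
            Select-Object -First 1
        if (-not $issuer) { break }
        $chain += $issuer
        $current = $issuer
    }
    $complete = ($current.Subject -eq $current.Issuer)
    $missing = $null
    if (-not $complete) { $missing = $current.Issuer }

    [pscustomobject]@{
        Leaf          = $leaf.Subject
        HasAmtOid     = ($ekuOids -contains $AmtOid)
        ChainSubjects = @($chain | ForEach-Object { $_.Subject })
        ChainComplete = $complete   # $true only if the walk ended at a self-signed root
        MissingIssuer = $missing    # first issuer name not found in the .pfx
    }
}
# Usage (hypothetical path):
# Test-AmtPfxChain -Path 'C:\certs\ema-provisioning.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```

`ChainComplete = False` means the intermediate or root named in `MissingIssuer` is not in the file and has to be obtained from the CA separately.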
JoseH_Intel
Moderator

Hello Beginner,


Thank you for joining the Intel community.


Are you using a commercially available certificate or are you trying to implement your own certificate?


We look forward to your updates.


Regards


Jose A.

Intel Customer Support Technician


SiW
Novice

Hi JoseH,

It's a Sectigo supplied cert with the Intel AMT specific OID. It has worked on another platform I set up in the same way, it's just this one for some reason is giving this error. I set up the first platform on 1.3 version of EMA, this I installed as 1.4.0.0, but apart from that it's all the same. I have had the cert re-issued, and un-installed/re-installed all elements including SQL/IIS etc.

Regards,

SW

JoseH_Intel
Moderator

Hello Beginner,

 

Thank you for the update. Could you tell us the OEM and AMT version of this particular system showing the error? Are you using remote configuration to try to provision it?

 

Regards

 

Jose A.

Intel Customer Support Technician

 
