Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

TLS certificate error "Unable to get activation certificate from database"

SiW
Beginner

Hi, I have set up EMA 1.4.0.0, got our domain and the server all publicly set up, all access sorted on the firewall. I have got an SSL cert with the AMT OID, and all aligned to the server, converted and installed the .cer file in completing the CSR on IIS.

Exported the new import as .pfx, then installed in IIS.

Set up new endpoint group, created Wi-Fi profile, installed certs into settings, set up AMT profile, all good.

CIRA deployment test works fine, but the TLS part fails with "Unable to get activation certificate from database". I am a little stumped, it all looks good, and if I check the appropriate SQL table the cert is listed.

Has anyone seen this please?

Regards, Si

JoseH_Intel
Moderator

Hello Beginner,


Thank you for joining the Intel community.


Are you using a commercially available certificate or are you trying to implement your own certificate?


We look forward to your updates.


Regards


Jose A.

Intel Customer Support Technician


SiW
Beginner

Hi JoseH,

It's a Sectigo-supplied cert with the Intel AMT specific OID. It has worked on another platform I set up in the same way, it's just this one for some reason is giving this error. I set up the first platform on the 1.3 version of EMA, this I installed as 1.4.0.0, but apart from that it's all the same. I have had the cert re-issued, and un-installed/re-installed all elements including SQL/IIS etc.

Regards,

SW

JoseH_Intel
Moderator

Hello Beginner,

 

Thank you for the update. Could you tell us the OEM and AMT version of this particular system showing the error? Are you using remote configuration to try to provision it?

 

Regards

 

Jose A.

Intel Customer Support Technician

 

SiW
Beginner

Jose,

The version of EMA is 1.4.0.0, however I managed to fix this. I was looking at the SSL certificates, and although I'd re-assembled the chain of certs and imported into EMA successfully (publicly issued SSL cert), for some reason the intermediate and root cert didn't appear in the list. So I converted those to .cer files and imported those as 'non PKI' certificates and it's all working.

When I built my last platform I'm not sure if I did the same, but we did have lots of issues on that one as the SSL supplier issued my first certificate without the Intel AMT OID, so it had to be re-created. 

Anyway, good news is it's now working, so it was just the certs that were the issue in the end thankfully, I just couldn't work out why I was getting the message. I presume that the TLS provisioning needs all 3 certificates in the chain to be imported and visually present in the EMA configuration GUI to reflect they are in the DB and working, and all three need to be there (i.e. Root-Intermediate-Device).

 

Regards,

 

Simon
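
A pre-import check for the situation described in this thread, as an added example that is not part of the original posts and not Intel tooling: it reads a .pfx, walks from the server certificate to a self-signed root using only the certificates stored inside the file, and checks the leaf for the Intel AMT OID. `$PfxPath` and `$PfxPassword` are placeholders, and the OID value 2.16.840.1.113741.1.2.3 is taken from Intel's AMT remote-configuration documentation, not from this thread.

```powershell
# Added example (not from the thread): inspect a PFX before importing it into EMA.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,      # placeholder: path to the exported .pfx
    [Parameter(Mandatory)] [securestring] $PfxPassword   # placeholder: the PFX export password
)

# Assumption: Intel's published AMT remote-configuration EKU OID (not quoted in the thread).
$AmtOid = '2.16.840.1.113741.1.2.3'

# Get-PfxData (Windows PKI module) separates the end-entity cert from bundled CA certs.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
$leaf = $pfx.EndEntityCertificates[0]
$all  = @($pfx.EndEntityCertificates) + @($pfx.OtherCertificates)

# 1. Does the leaf carry the AMT OID in its Enhanced Key Usage extension?
$eku = $leaf.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasAmtOid = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $AmtOid })

# 2. Walk issuer -> subject using ONLY certificates inside the PFX.
#    This matches names; it does not verify signatures or revocation.
$chain = @($leaf)
$cur   = $leaf
while ($cur.Subject -ne $cur.Issuer -and $chain.Count -le $all.Count) {
    $issuer = $all | Where-Object { $_.Subject -eq $cur.Issuer } | Select-Object -First 1
    if (-not $issuer) { break }          # intermediate or root is not in the file
    $chain += $issuer
    $cur = $issuer
}
$reachesRoot = ($cur.Subject -eq $cur.Issuer)

# 3. Report. A missing issuer here corresponds to the case in this thread where the
#    intermediate and root did not show up in EMA and were imported separately.
[pscustomobject]@{
    Leaf          = $leaf.Subject
    HasAmtOid     = $hasAmtOid
    CertsInPfx    = $all.Count
    ChainInPfx    = ($chain.Subject -join '  <-  ')
    ReachesRoot   = $reachesRoot
    MissingIssuer = if ($reachesRoot) { $null } else { $cur.Issuer }
} | Format-List
```

If `ReachesRoot` is false, re-export the certificate with its full certification path included, or import the missing CA certificates separately as described in the post above.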
