Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

The certificate chain could not be built. Intel SCS 12.2.0.150

SysArch
New Contributor I

Hello 

We are using SCS to automatically deploy Intel AMT configuration and certificates. The AMT devices get their config from an SCS profile where the CA server is available and a valid template is used.

When a configuration request comes in, the SCS builds the request and sends it to the CA. The CA signs the request and sends the certificate back. The SCS receives it and then fails to build the chain with the error: "The certificate chain could not be built. Please make sure that the root certificate is installed properly."

Extract from the Log:

2020-11-05 09:41:31: Thread:1184(INFO) : RCS Server , Category: Source: c:\buildagent\work\b66b95229891d8f9\products\scs\components\rcsserver\src\cathread.cpp : CARetrieveCertThread::run Line: 79: Starting CAThread
2020-11-05 09:41:31: Thread:1184(DETAIL) : 03C00218-044D-0572-EE06-3A0700080009, Category: CAInterfaceInternal Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\cainterfaceinternal.cpp : CAInterfaceNamespace::CAInterfaceInternal::GetCertificate Line: 224: Step into GetCertificate
2020-11-05 09:41:32: Thread:1184(DETAIL) : 03C00218-044D-0572-EE06-3A0700080009, Category: CAInterfaceInternal Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\cainterfaceinternal.cpp : CAInterfaceNamespace::CAInterfaceInternal::CheckValidity Line: 710: Step in CheckValidity
2020-11-05 09:41:32: Thread:1184(DETAIL) : 03C00218-044D-0572-EE06-3A0700080009, Category: CAInterfaceInternal Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\cainterfaceinternal.cpp : CAInterfaceNamespace::CAInterfaceInternal::CheckValidity Line: 781: Step out CheckValidity
2020-11-05 09:41:32: Thread:1184(DETAIL) : 03C00218-044D-0572-EE06-3A0700080009, Category: CAInterfaceInternal Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\cainterfaceinternal.cpp : CAInterfaceNamespace::CAInterfaceInternal::HandleDisposition Line: 816: Step in HandleDisposition
2020-11-05 09:41:32: Thread:1184(ERROR) : 03C00218-044D-0572-EE06-3A0700080009, Category: CAInterfaceInternal error Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\cainterfaceinternal.cpp : CAInterfaceNamespace::CAInterfaceInternal::HandleDisposition Line: 941: The certificate chain could not be built. Please make sure that the root certificate is installed properly. (0x100).
2020-11-05 09:41:32: Thread:1184(DETAIL) : 03C00218-044D-0572-EE06-3A0700080009, Category: CAInterfaceInternal Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\cainterfaceinternal.cpp : CAInterfaceNamespace::CAInterfaceInternal::HandleDisposition Line: 1019: Step out HandleDisposition
2020-11-05 09:41:32: Thread:1184(ERROR) : 03C00218-044D-0572-EE06-3A0700080009, Category: CAInterfaceInternal error Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\cainterfaceinternal.cpp : CAInterfaceNamespace::CAInterfaceInternal::GetCertificate Line: 264: The certificate chain could not be built. Please make sure that the root certificate is installed properly. (0x100).
2020-11-05 09:41:32: Thread:1184(DETAIL) : 03C00218-044D-0572-EE06-3A0700080009, Category: CAInterfaceInternal Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\cainterfaceinternal.cpp : CAInterfaceNamespace::CAInterfaceInternal::GetCertificate Line: 307: Step out GetCertificate
2020-11-05 09:41:32: Thread:2060(ERROR) : %FQDNDEvice%, Category: Operation Error Source: c:\buildagent\work\b66b95229891d8f9\products\scs\modules\cainterface\certificaterequestinterface.cpp : CertificateRequestInterface::RequestCertificate Line: 362: Failed to get the certificate from the CA. (Certificate ID: 4207431952).

So I checked all local certificates and all the Root and Intermediate CA certificates are stored as Trusted Root Certificates in the computer account. 

When I get a certificate with the same template via Windows MMC, the certificate is successfully installed. There were changes in the Root CA but not to the certificates themselves. To be sure, I also reinstalled the Root Certificates.

While checking everything there was something else I saw.

The RCS is running as Network Service. When binding the certificate (from another CA) to the RCS Server via RCSUtils, I get the message that it was added successfully, but I cannot view it.

RCSUtils.exe /Certificate Add C:\cert.pfx Password /RCSUser NetworkService /Log File C:\IntelRcsCertificate.log

05.11.2020 09:14:42: -------------------------------------------------------------------------------
05.11.2020 09:14:42: Intel(R) SCS Utils log, running user: POP\myuser
05.11.2020 09:14:42: -------------------------------------------------------------------------------
05.11.2020 09:14:43: Adding the Certificate succeeded.
05.11.2020 09:14:43: -------------------------------------------------------------------------------
05.11.2020 09:14:43: Exit status for the running user POP\myuser:
05.11.2020 09:14:43: Failed to add the certificate to the user certificate store - Access is denied.

RCSUtils.exe /Certificate View /RCSUser NetworkService /Log File C:\IntelRcsCertificate.log

05.11.2020 09:45:28: -------------------------------------------------------------------------------
05.11.2020 09:45:28: Intel(R) SCS Utils log, running user: POP\myuser
05.11.2020 09:45:28: -------------------------------------------------------------------------------
05.11.2020 09:45:28: Waiting for the task scheduler to run the requested task using the Network Service account (can take up to 60 seconds).
05.11.2020 09:45:30: -------------------------------------------------------------------------------
05.11.2020 09:45:30: Intel(R) SCS Utils log, running user: NT AUTHORITY\SYSTEM
05.11.2020 09:45:30: -------------------------------------------------------------------------------
05.11.2020 09:45:30: Getting the certificates from the user NT AUTHORITY\SYSTEM personal Certificate store
05.11.2020 09:45:30: Enumerating the user certificate store succeeded.
No certificates found in the store.

05.11.2020 09:45:30: -------------------------------------------------------------------------------
05.11.2020 09:45:30: Exit status for the running user NT AUTHORITY\SYSTEM:
05.11.2020 09:45:30: Success.
05.11.2020 09:45:34: -------------------------------------------------------------------------------
05.11.2020 09:45:34: Exit status for the running user POP\myuser:
05.11.2020 09:45:34: Success.

Had the issue also with 12.2.139, so I decided to update. And now opening this case.

In my opinion it seems that either the certificates are not correctly set, even though I followed the documentation, or RCS is searching in the wrong stores for a certificate, or there is an issue in the software itself.

What else can I check? Or are there Solutions to this issue?

Best Regards

Andy

 

 

 

6 Replies
JoseH_Intel
Moderator

Hello SysArch,


Thank you for joining the Intel community


First let me ask you what CA did you purchase the certificate from or if you are trying to use your own certificate. If the latter is true then you want to follow the steps shown in the SCS User Guide section 10.5

https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf#page=220


If not then let me know so we can further investigate on your issue


Regards


Jose A.

Intel Customer Support Technician


SysArch
New Contributor I

Hello Jose

Thank you for taking care of this issue.

We are using our own certificate for RCS, which is set up by this guideline and added to the firmware of the devices. (The whole system has worked before.)

As far as I understood this certificate is only for the secure communication between the AMT Client and RCS servers. So the clients can connect and start to receive their profile. It then fails when they request the certificate defined in the profile.


 

Thank you for your help.

Best regards,

Andy

JoseH_Intel
Moderator

Hello SysArch,


So what has changed recently since you say the whole system has worked before?

Please take a look at the following guide in order to add a certificate chain:

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Faddcertificatechain.htm


Let me know if it works


Jose A.

Intel Customer Support Technician


SysArch
New Contributor I

Hello Jose

Thank you for your Response. 

To clarify - we have 2 different CAs at work.

1. CA-A, which is providing the certificate for the RCS Server and is bound to the RCS Service. This CA was added to the firmware of the AMT devices. And as I interpreted, this was the link you added.

2. CA-B, which is providing the certificates used by the AMT client by its web service (configured via RCS Profile and automatically deployed via Microsoft CA).

There was an update of the CRL in CA-B (not the URL - but the CRL itself).

May I share a full log file with you in private?

All the best

Andy

JoseH_Intel
Moderator

Hello SysArch,


I sent you an email directly. You can share the log by replying to it.


Regards


Jose A.

Intel Customer Support Technician


SysArch
New Contributor I

There was an issue with the CRL check on our Root Certificate. Intermediate and everything else was fine. By fixing the CRL issue - the case could be solved.

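
Added example, not part of the thread or of Intel's tooling: one way to see which chain element fails revocation checking, the cause named in the accepted solution, using the .NET `X509Chain` API from PowerShell. `$CertPath` and the function name `Test-ChainRevocation` are hypothetical; the script builds the chain once with the root excluded from revocation checking and once with it included, so a CRL problem that affects only the root shows up as a difference between the two passes.

```powershell
# Added example: compare chain building with and without a revocation check on the root.
# $CertPath is a placeholder for a certificate issued from the template used in the SCS profile.
param([string]$CertPath = 'C:\temp\issued-from-template.cer')

function Test-ChainRevocation {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]$Flag
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'   # allow CRL retrieval, not cache only
    $chain.ChainPolicy.RevocationFlag      = $Flag      # which elements get a revocation check
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built = $chain.Build($cert)

    # One row per chain element: leaf first, root last.
    $rows = foreach ($element in $chain.ChainElements) {
        $status = @($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        # 2.5.29.31 is the CRL Distribution Points extension.
        $cdp = $element.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        [pscustomobject]@{
            Flag    = $Flag
            Built   = $built
            Subject = $element.Certificate.Subject
            HasCdp  = [bool]$cdp
            Status  = if ($status) { $status } else { 'NoError' }
        }
    }
    $chain.Reset()
    $rows
}

# ExcludeRoot skips the root's revocation check; EntireChain includes it.
foreach ($flag in 'ExcludeRoot', 'EntireChain') {
    Test-ChainRevocation -Path $CertPath -Flag $flag | Format-Table -AutoSize
}
```

A status such as `RevocationStatusUnknown` or `OfflineRevocation` on one element points at that certificate's CRL rather than at a missing trusted root. The result reflects the account the script runs under, so CRL reachability can differ from what the service account sees.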