Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Using Internal CA with Intel EMA

Refuge
Beginner

Hello, 

I've checked on this forum prior and the most relevant thread I found was from 5 years ago so I thought I'd check for an update.

I was able to get AMT provisioned via Intel EMA with a GoDaddy cert, but we wanted to try with a custom cert issued from our internal CA. Is this supported?

I've seen conflicting information across the internet: the thread from 5 years ago mentioned we had to import our cert directly into AMT, while other places state that Intel EMA does that for us and that it is supported if the AMT version is high enough.

I've set up the certificate and the chain just like I did with GoDaddy, but I end up with a "Warning:Failed to push activation certificate - CERT_VERIFY_FAILED :" after the certificates that I uploaded are pushed.

Does this mean that AMT does not trust our cert?

12 Replies
Arun_Intel1
Employee

Hello Refuge,


We see that you are trying to use a custom certificate issued by your internal CA and are getting the error "Warning:Failed to push activation certificate - CERT_VERIFY_FAILED :".


Unfortunately, there is no official support for custom certificates, due to the complexity of their security, the firmware updates that would be required, and other challenges.


Rather, we would recommend that you continue using a certificate from one of the authorized certificate providers or, for a smaller environment with fewer endpoints, proceed with the adoption method described in the article shared below.

https://www.intel.com/content/www/us/en/support/articles/000097538.html


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro



Refuge
Beginner

Hello, I appreciate your response.

The reason I wanted to go with an internal/custom cert is the coming public certificate changes that reduce renewal times to 47 days by 2029; I really don't want managing certificates for Intel AMT to become an almost monthly occurrence.

We have mostly HP machines, and I can see the option to add a certificate hash in the MEBx settings. I believe that if I added our root cert hash there, it would be added to the list of trusted cert providers (like GoDaddy, etc.). I just need a method of doing this at scale, since I have about 300 machines.

Even your option, while a certificate is not needed, still requires me to manually go to each machine to "Enable Network Access". Do you have any tools I can use to remotely push the "Enable Network Access" setting (or add a certificate hash, for that matter) within the MEBx?

Alternatively, if you know of a way to automate certificate renewals/updates within Intel EMA using public certs, I would love to hear it; otherwise this whole situation seems very clunky and hard to work with beyond something like 10-15 machines. As it stands, uploading a PFX isn't straightforward, since it often uploads the chain out of order and I have to work with tools like OpenSSL to properly reorder it for our Intel EMA server to recognize/advertise the correct chain to the endpoints.

Any insight would be greatly helpful.

Thanks


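The chain-reordering step mentioned above, as an added example that is not part of the original post or of Intel's tooling: it orders a PEM bundle leaf-first by following Issuer/Subject links, verifies the result with openssl, and exports the PFX. The demo CA names, the `ema.example.test` hostname, the `changeit` PFX password and the temp-file paths are constructed placeholders.

```shell
# Added example, not from the thread or from Intel's tooling: order a PEM bundle leaf -> issuing
# CA -> root by following Issuer/Subject links, verify it with openssl, then export the PFX.
set -euo pipefail
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# reorder_chain BUNDLE OUT: write BUNDLE's certificates to OUT leaf-first and print how many.
reorder_chain() {
  local bundle=$1 out=$2 dir f g cur="" next n=0
  dir=$(mktemp -d)
  # one file per certificate; "Bag Attributes" and other non-PEM lines are dropped
  awk -v d="$dir" '/BEGIN CERT/{n++; p=1} p{print > (d "/c" n ".pem")} /END CERT/{p=0}' "$bundle"
  for f in "$dir"/c*.pem; do                 # the leaf is the cert no other cert names as issuer
    cur=$f
    for g in "$dir"/c*.pem; do
      if [ "$g" != "$f" ] && [ "$(cert_issuer "$g")" = "$(cert_subject "$f")" ]; then cur=""; fi
    done
    if [ -n "$cur" ]; then break; fi
  done
  if [ -z "$cur" ]; then echo "no leaf certificate found" >&2; rm -rf "$dir"; return 1; fi
  : > "$out"
  while [ -n "$cur" ]; do                    # walk issuer links up to the self-signed root
    cat "$cur" >> "$out"; n=$((n + 1))
    if [ "$(cert_issuer "$cur")" = "$(cert_subject "$cur")" ]; then break; fi
    next=""
    for g in "$dir"/c*.pem; do
      if [ "$(cert_subject "$g")" = "$(cert_issuer "$cur")" ]; then next=$g; fi
    done
    cur=$next                                # empty here: an issuer is missing from the bundle
  done
  rm -rf "$dir"; echo "$n"
}

# make_demo_chain DIR: constructed throwaway root -> issuing CA -> server chain, not a real PKI
make_demo_chain() {
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ema.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -out "$d/leaf.pem" 2>/dev/null
}
# build_pfx ORDERED_PEM KEY OUT_PFX: pkcs12 takes the cert matching KEY, the rest become the chain
build_pfx() { openssl pkcs12 -export -in "$1" -inkey "$2" -passout pass:changeit -out "$3" 2>/dev/null; }
```

A count lower than the number of certificates in the bundle means an issuer is missing, so the chain written out is incomplete and should not be packed into the PFX yet.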
Arun_Intel1
Employee

Hi Refuge,


The self-signed certificate requires access to the MEBx, and so does the adoption method, where the PFX file creation is complex, making the certificate chain challenging.

However, DigiCert and GoDaddy offer a free tool to build the PFX file, so OpenSSL is not necessary.

For these three options, you may have to create the PFX file on the EMA server itself. Therefore, automating this process is out of scope for us, as the cert belongs to the third-party companies.


We would also like to inform you that Intel is aware of these limitations and is working with the endpoint manufacturers (OEMs) and certificate providers. In the future, the certificate validation will change and the process will be easier. Details will be distributed later. The estimated release date would be around Q2 or Q3 of 2027, which may be extended.


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


Refuge
Beginner

Understood. Due to the limitations of the self-signed cert, specifically its lack of manageability at scale, we've decided to go with a public cert.

One last question.

I believe that in order to provision any machine, a few things need to happen:

1) AMT Needs to be enabled in the BIOS 
2) A MEBx password needs to be set

"Summary

In order for an Intel AMT device to be remotely managed, it requires configuration to communicate over the corporate network. At the very minimum, the device must have an AMT Master Digest Password (User: Admin) assigned and the local network connection information applied to the firmware. Until this has been accomplished, remote management cannot occur."


We have a way to manage number 1, but I haven't found a way to remotely manage setting the password on multiple devices at scale. Can this really only be done physically at each machine, one by one?


Arun_Intel1
Employee

Hi Refuge,


For accessing hardware manageability (out of band), we can just provision the endpoint with Intel EMA either in CCM (Client Control Mode, with user consent) or ACM (Admin Control Mode, without user consent).

The difference is that provisioning the endpoint in CCM does not require the certificates (AMT, TLS/SSL, or self-signed); these certificates are only required for provisioning the endpoints in ACM, where user consent is not required to access the endpoints.


As said, provisioning the endpoints requires AMT to be enabled. However, it is necessary to first provision the endpoints in CCM without the certificates (AMT, TLS/SSL, or self-signed) and then follow the article given below to adopt the endpoint into ACM. This requires MEBx access, where you may have to touch the endpoint physically; there is no other option to get this done remotely with the adoption method, so it is convenient for a small environment with very few endpoints.

https://www.intel.com/content/www/us/en/support/articles/000097538/software.html


Otherwise, we may have to purchase an AMT provisioning certificate from an authorized service provider, as discussed earlier.


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro






Refuge
Beginner

Sorry, I should have been more clear: I have purchased an AMT provisioning certificate from an authorized service provider and have successfully provisioned 1 machine with it, but I had to enable AMT in the BIOS and also add the PKI suffix in the MEBx.

We have a way, using vendor-specific tools (HP, etc.), to enable AMT in the BIOS, but after that I am a bit unclear on how much of it we can automate/remotely manage with scripts.

For example, after enabling AMT (which allows me to boot to MEBx) do I need to change the password from the default before I can provision with EMA or does that not matter?


Arun_Intel1
Employee

Hi Refuge,

 

Thanks for clarifying. As you have an AMT provisioning certificate and have added the PKI DNS suffix in the MEBx, you should be able to access the endpoint both in-band (desktop) and out of band (hardware manageability) without user consent once CIRA is connected.

 

However, if you are looking to provision multiple endpoints, you may have to contact the support of the tool that you are using.

And if there is a large number of endpoints, it would be difficult to touch each endpoint physically to add the PKI DNS suffix; hence you may use DHCP option 15 (DNS) to add the PKI DNS suffix, if the endpoints are within the company's domain.

Note: Please refer to the attached document for adding the PKI DNS suffix via DHCP option 15.

 

And for changing the MEBx password, you can use the default password or change it (please make a note of the new password) according to your requirements.

 

Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro

 

Refuge
Beginner

Thanks Arun, 

As for setting the PKI suffix, we are already using DHCP option 15, but it still does not seem to provision properly until we go into the MEBx FW manually and add the PKI suffix.

Arun_Intel1
Employee

Hi Refuge,


Understood. Please feel free to let us know if you need further assistance troubleshooting the CIRA connection provisioned with DHCP option 15; we shall send out an email so that you may share the ECT log of the endpoint for further analysis.


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


Refuge
Beginner

There is one last thing, and I think the rest of my issues hinge on this.

It seems nothing related to provisioning can be done without first initializing the MEBx with a new password (changing it from the default).

Is this true?

If so, the only ways to change the default password are:

1) Booting into MEBx and logging in with the default password, after which it asks you to change it

Or

2) Using a provisioning USB with those settings, going around to each machine and changing the MEBx password (and whatever other settings) that way

Or

3) Having the machine shipped with those settings from the OEM

Can you verify everything I've stated?

Arun_Intel1
Employee

Hello Refuge,


If the issue is in regards to the MEBx password, then we would request that you try the default password, "Admin" or "admin", and if you are unable to access the MEBx with the default password, then you may try the article given below:

https://www.intel.com/content/www/us/en/support/articles/000006328/technologies.html


If the issue still persists, we would recommend that you contact the OEM for further assistance with this MEBx password issue.


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro


Arun_Intel1
Employee

Hi Refuge,


Please feel free to revert for any further query!


Thanks & Regards

Arun

Intel Customer Support Technician

intel.com/vPro

