Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Valid certificate for PKI configuration not found. (0xc00007e5)

idata
Employee
3,080 Views

Hello everyone,

We are currently implementing SCS and are having issues with the Certificate Setup.

This is the Environment:

- We deployed one RCS Server "scs.europe.example.corp" with SCS 8.1.4.16 with a database hosted on another machine. The RCS Service is running as the User "rcsuser".
- We created a Server Certificate with IIS, stating a CN of "scs.europe.example.corp" and OU=Intel(R) Client Setup Certificate.
- The Server Certificate was signed by a Microsoft CA by using the Web Server Template.
- The Certificate Chain contains one Root CA ("Example Corp Root CA1"), followed by an issuing CA ("Example Corp Issuing CA1").
- The Server Certificate was installed (with private key) into the Certificate Store of the "rcsuser" Profile on the "scs.europe.example.corp" Server.
- Same with the Certificate Chain.
- The RCS Server runs on Windows Server 2008 R2.
- The Test Client is a HP EliteBook 8440p with BIOS V22 and AMT Firmware Version 6.2.0.1022, and runs Windows 7 Enterprise SP1 32-Bit. The HECI Driver is at version 6.0.0.1179.
- We inserted both Certificate SHA1 Hashes into the AMT ROM of the Test Client by using the usbfile Tool: usbfile -create setup.bin admin NewPa$$w0rd -hash "CA1.cer" "Example Corp Root CA1" -hash "CA2.cer" "Example Corp Issuing CA1" -v 2.1

When we now run ACUconfig on the Test Client (ACUConfig /verbose /output console ConfigviaRCSonly scs.europe.example.corp Example_EU_Clients /AbortonFailure), we get an error stating that there is an SSL issue:

An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f) ((ExecMethod WMI_ConfigAMT) Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f). Valid certificate for PKI configuration not found. (0xc00007e5). (0xc000521f). )

The SCS Console logs the same error.

Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

ACUconfig logs that the Certificate Hashes have successfully been imported:

Active certificate hashes have the following names: (0xc000005a)
15
[...]
Example Corp Root CA1
Example Corp Issuing CA1

So... did we miss anything?

Kind regards

0 Kudos
5 Replies
idata
Employee
1,366 Views

Hello everyone,

in the meantime, I set up a testing environment, where I was able to provision an AMT5 system without problems.

As soon as I leave out the Hash values for our CAs, I can provoke the error mentioned in my previous post.

So, it seems that our HP EliteBook 8440p laptops are ignoring the certificate Hashes...!? Has anybody else stumbled across this issue?

By the way... is there a matrix or something that explains each of those error codes (0xc00007e5, 0xc000521f and so on)?

Kind regards

0 Kudos
idata
Employee
1,366 Views

Hello again,

We found and resolved the issue:

The Client has a split DNS infrastructure - the A Record of a Host points to a different Domain than the PTR does.

We could fix the issue by adding the DNS suffix of the primary domain "example.com" to the AMT configuration.

(usbfile -create setup.bin admin NewPa$$w0rd -hash "CA1.cer" "Example Corp Root CA1" -dns "example.com" -v 2.1)

I also can confirm that only the Root CA Hash is necessary.

Kind regards

0 Kudos
idata
Employee
1,366 Views

Hello Sleepw4lker,

I am also trying to implement an SCS environment and have a bit of experience. Are you sure the PSK certificate is in the Personal store of the user that is running the RCS server?
0 Kudos
Terry_C_Intel
Employee
1,366 Views

One of the following items is likely causing the error:

  • The internal self-signed root hash was not properly set in the firmware
  • The self-signed certificate is not loaded in the correct certificate store for "rcsuser"
  • The self-signed certificate is missing the private key or the correct certificate details\settings

On the HP laptop, run "ACUconfig SystemDiscovery". The resulting XML file should include your custom root hash with an "Enabled" indicator next to it.

Additional insights on using self-signed certificates are shown in a document for the McAfee Community. My intent in directing you to this article is to re-use a recently posted\validated document, not necessarily to advocate one console\solution over another. See the section "Using a self-signed remote configuration certificate" at https://community.mcafee.com/docs/DOC-4211.

- TC

0 Kudos
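
A server-side check for the store, private-key and certificate-detail causes listed in the reply above, as an added example that is not part of the thread and not Intel's tooling. It assumes it is run in a session started as the RCS service account ("rcsuser" in the thread), uses the CN and OU from the original post, and assumes the Server Authentication EKU is what the Web Server template issued.

```powershell
# Added example. Run in a session started as the RCS service account
# ("rcsuser" in the thread) so Cert:\CurrentUser\My is that account's store.
$rcsFqdn       = 'scs.europe.example.corp'               # CN from the original post
$requiredOu    = 'OU=Intel(R) Client Setup Certificate'  # OU from the original post
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                     # Server Authentication EKU

$candidates = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject.Contains("CN=$rcsFqdn") })
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$rcsFqdn in this account's Personal store."
}

foreach ($cert in $candidates) {
    # Build the chain without revocation lookups; only the path matters here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # The last chain element is the root only if the chain is complete,
    # so also report whether it is self-signed.
    $root = $null
    $n = $chain.ChainElements.Count
    if ($n -gt 0) { $root = $chain.ChainElements[$n - 1].Certificate }

    # Collect the EKU OIDs present on the server certificate.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        HasPrivateKey    = $cert.HasPrivateKey
        HasSetupOu       = $cert.Subject.Contains($requiredOu)
        HasServerAuthEku = ($ekuOids -contains $serverAuthOid)
        ChainBuilds      = $chainOk
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        RootSubject      = $(if ($root) { $root.Subject })
        RootIsSelfSigned = $(if ($root) { $root.Subject -eq $root.Issuer } else { $false })
        RootSha1         = $(if ($root) { $root.Thumbprint })
    } | Format-List
}
```

`RootSha1` is the SHA-1 thumbprint of the root the chain ends in; compare it by hand with the hash that "ACUconfig SystemDiscovery" reports as enabled on the client.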
JHoug
Novice
1,366 Views

In my case this was the solution: The self-signed certificate is not loaded in the correct certificate store for "rcsuser". I had recently changed this login and forgot to update the cert permissions.

0 Kudos