We are currently implementing SCS and are having issues with the Certificate Setup.
This is the Environment:
- We deployed one RCS Server "scs.europe.example.corp" with SCS 18.104.22.168 with a database hosted on another machine. The RCS Service is running as the User "rcsuser".
- We created a Server Certificate with IIS, stating a CN of "scs.europe.example.corp" and OU=Intel(R) Client Setup Certificate.
- The Server Certificate was signed by a Microsoft CA by using the Web Server Template.
- The Certificate Chain contains one Root CA ("Example Corp Root CA1"), followed by an issuing CA ("Example Corp Issuing CA1").
- The Server Certificate was installed (with private key) into the Certificate Store of the "rcsuser" Profile on the "scs.europe.example.corp" Server.
- Same with the Certificate Chain.
- The RCS Server runs on Windows Server 2008 R2.
- The Test Client is an HP EliteBook 8440p with BIOS V22 and AMT Firmware Version 22.214.171.1242, and runs Windows 7 Enterprise SP1 32-Bit. The HECI Driver is at version 126.96.36.1999.
- We inserted both Certificate SHA1 Hashes into the AMT ROM of the Test Client by using the usbfile Tool: usbfile -create setup.bin admin NewPa$$w0rd -hash "CA1.cer" "Example Corp Root CA1" -hash "CA2.cer" "Example Corp Issuing CA1" -v 2.1
When we now run ACUconfig on the Test Client (ACUConfig /verbose /output console ConfigviaRCSonly scs.europe.example.corp Example_EU_Clients /AbortonFailure), we get an error stating that there is an SSL issue:
An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f) ((ExecMethod WMI_ConfigAMT) Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f). Valid certificate for PKI configuration not found. (0xc00007e5). (0xc000521f). )
The SCS Console logs the same error.
Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.
ACUconfig logs that the Certificate Hashes have successfully been imported:
Active certificate hashes have the following names: (0xc000005a)
Example Corp Root CA1
Example Corp Issuing CA1
So... did we miss anything?
In the meantime, I set up a testing environment, where I was able to provision an AMT5 system without problems.
As soon as I leave out the hash values for our CAs, I can provoke the error mentioned in my previous post.
So, it seems that our HP EliteBook 8440p laptops are ignoring the certificate hashes...!? Has anybody else stumbled across this issue?
By the way... is there a matrix or something that explains each of those error codes (0xc00007e5, 0xc000521f and so on)?
We found and resolved the issue:
The client has a split DNS infrastructure: the A record of a host points to a different domain than the PTR record does.
We could fix the issue by adding the DNS suffix of the primary domain "example.com" to the AMT configuration.
(usbfile -create setup.bin admin NewPa$$w0rd -hash "CA1.cer" "Example Corp Root CA1" -dns "example.com" -v 2.1)
I also can confirm that only the Root CA Hash is necessary.
One of the following items is likely causing the error:
- The internal self-signed root hash was not properly set in the firmware
- The self-signed certificate is not loaded in the correct certificate store for "rcsuser"
- The self-signed certificate is missing the private key or the correct certificate details/settings
On the HP laptop, run "ACUconfig SystemDiscovery". The resulting XML file should include your custom root hash with an "Enabled" indicator next to it.
Additional insights on using Self-Signed Certificates are shown in a document on the McAfee Community. My intent in directing you to this article is to re-use a recently posted/validated document, not necessarily to advocate one console/solution over another. See the section "Using a self-signed remote configuration certificate" at https://community.mcafee.com/docs/DOC-4211.
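The checks listed in the reply above (certificate in the rcsuser store, private key present, Intel OU, root CA hash) together with the split-DNS mismatch that resolved the thread can be audited from the RCS server itself. The following PowerShell script is an added example and is not code from any post in this thread or from Intel SCS; it assumes the names used above and that it is run as the "rcsuser" account so that Cert:\CurrentUser\My is that user's personal store.

```powershell
# Added example (not from the thread): audit the SCS server certificate and DNS
# naming for AMT remote configuration. Run as "rcsuser" on the RCS server.
$ServerFqdn = 'scs.europe.example.corp'              # from the thread
$RootCaName = 'Example Corp Root CA1'                # from the thread
$RequiredOu = 'OU=Intel(R) Client Setup Certificate' # required by AMT

# 1. Server certificate: in the rcsuser personal store, with private key,
#    CN naming the server, and the Intel OU in its subject.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($ServerFqdn))" } |
    Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate with CN=$ServerFqdn in CurrentUser\My"; return }
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key' }
if ($cert.Subject -notmatch [regex]::Escape($RequiredOu)) {
    Write-Warning "Subject lacks '$RequiredOu': $($cert.Subject)"
}

# 2. Chain: must build to a trusted root. The root's SHA1 thumbprint is the
#    value that has to be enabled in the AMT firmware (usbfile -hash).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not build: $status"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root CA '$($root.GetNameInfo('SimpleName', $false))' SHA1 thumbprint: $($root.Thumbprint)"
"Compare with the active hash named '$RootCaName' in the ACUConfig SystemDiscovery XML."

# 3. DNS: the A record and the PTR record of the server should agree on the
#    domain suffix; the thread's root cause was a split-DNS mismatch here.
$fwdSuffix = $ServerFqdn.Substring($ServerFqdn.IndexOf('.') + 1)
foreach ($ip in [System.Net.Dns]::GetHostAddresses($ServerFqdn)) {
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
    } catch {
        Write-Warning "No PTR record for $ip"; continue
    }
    $ptrSuffix = $ptr.Substring($ptr.IndexOf('.') + 1)
    if ($ptrSuffix -ne $fwdSuffix) {
        Write-Warning "Split DNS: $ip reverses to $ptr (suffix $ptrSuffix), A record suffix is $fwdSuffix"
    } else {
        "DNS forward/reverse consistent for $ip ($ptr)"
    }
}
```

A suffix mismatch reported in step 3 is the condition the thread worked around by adding a -dns suffix to the usbfile setup; the thumbprint from step 2 is the value to compare against the "Active certificate hashes" that ACUConfig prints.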