Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Community Manager
1,799 Views

Valid certificate for PKI configuration not found. (0xc00007e5)

Hello everyone,

we are currently implementing SCS and are haveing issues with the Certificate Setup.

This is the Environment:

- We deployed one RCS Server "scs.europe.example.corp" with SCS 8.1.4.16 with a database hosted on another machine. The RCS Service is running as the User "rcsuser".

 

- We created a Server Certificate with IIS, stating a CN of "scs.europe.example.corp" and OU=Intel(R) Client Setup Certificate.

 

- The Server Certificate was signed by a Microsoft CA by using the Web Server Template.

 

- The Certificate Chain contains one Root CA ("Example Corp Root CA1"), followed by an issuing CA ("Example Corp Issuing CA1").

 

- The Server Certificate was installed (with private key) into the Certificate Store of the "rcsuser" Profile on the "scs.europe.example.corp" Server.

 

- Same with the Certificate Chain.

 

- The RCS Server runs on Windows Server 2008 R2.

 

- The Test Client is a HP EliteBook 8440p with BIOS V22 and AMT Firmware Version 6.2.0.1022, and runs Windows 7 Enterprise SP1 32-Bit. The HECI Driver is at version 6.0.0.1179.

 

- We inserted both Certificate SHA1 Hashes into the AMT ROM of the Test Client by using the usbfile Tool: usbfile -create setup.bin admin NewPa$$w0rd -hash "CA1.cer" "Example Corp Root CA1" -hash "CA2.cer" "Example Corp Issuing CA1" -v 2.1

When we now run ACUconfig on the Test Client (ACUConfig /verbose /output console ConfigviaRCSonly scs.europe.example.corp Example_EU_Clients /AbortonFailure), we get an error stating that there is an SSL issue:

An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f) ((ExecMethod WMI_ConfigAMT) Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. (0xc000521f). Valid certificate for PKI configuration not found. (0xc00007e5). (0xc000521f). )

The SCS Console logs tha same error.

Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

ACUconfig logs that the Certificate Hashes have successfully been imported:

Active certificate hashes have the following names: (0xc000005a)

 

15

 

[...]

 

Example Corp Root CA1

 

Example Corp Issuing CA1

So... did we miss anything?

Kind regards

0 Kudos
5 Replies
Highlighted
Community Manager
85 Views

Hello everyone,

in the meantime, I set up a testing environment, where I was able to provision an AMT5 system without problems.

As soon as I leave away the Hash values for our CAs, I can provoke the error mentioned im my previous post.

So, it seems that out HP Elitebook 8440p laptops are ignoring the certificate Hashes...!? Has anybody else stumbled across this issue?

By the way... is there a matrix or something that explains each of those error codes (0xc00007e5, 0xc000521f and so on)?

Kind regard

0 Kudos
Highlighted
Community Manager
85 Views

Hello again,

we found als resolved the issue:

The Client has a split DNS infrastructure - the A Record of a Host points to another Domain as the PTR does.

We could fix the issue by adding the DNS suffix of the primary domain "example.com" to the AMT configuration.

(usbfile -create setup.bin admin NewPa$$w0rd -hash "CA1.cer" "Example Corp Root CA1" -dns "example.com" -v 2.1)

I also can confirm that only the Root CA Hash is necessary.

Kind regards

0 Kudos
Highlighted
Community Manager
85 Views

Hello Sleepw4lker,

 

I to try implemented SCS environment, and have a bit experience. Have you shure PSK certificate on user that running RSC server in Personal store?
0 Kudos
Highlighted
Employee
85 Views

One of the following items is likely causing the error:

  • The internal self-signed root hash was not properly set in the firmware
  • The self-signed certificate is not loaded in the correct certificate store for "rcsuser"
  • The self-signed certificate is missing private key or correct certificate details\settings

On the HP laptop, run "ACUconfig SystemDiscovery". The resulting XML file should include your custom root hash as an "Enabled" indicator next to it.

Additional insights on using Self-Signed Certificates shown in document for McAfee Community. My intent in directing you to this article is to re-use a recent posted\validate document, not necessarily to advocate on console\solution over another. See section for "Using a self-signed remote configuration certificate" at https://community.mcafee.com/docs/DOC-4211 https://community.mcafee.com/docs/DOC-4211.

- TC

0 Kudos
Highlighted
Novice
85 Views

In my case this was the solution: The self-signed certificate is not loaded in the correct certificate store for "rcsuser" I had recently changed this login and forgot to update the cert permissions.

0 Kudos