Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Vpro activation question

idata
Employee

Hi, we have been buying vPro technology enabled desktops and laptops for a few years now with the intention of enabling it down the road; well, we are now down that road :O)

I went through the training video and intend on enabling this through SCCM.

My question is: I intended to use internal provisioning certs from our CA but have not gotten our Dell and HP vendors to include our root cert hash into the vPro firmware from scratch. From what I read there is no easy way to copy it to all our clients. Am I screwed as far as internal provisioning certs go? Am I forced to go with an external cert?

We have about 2300 clients out there.

thank you

Bruno_Domignues
Employee

Stéphane,

The easiest method is to use an external certificate, and it is not expensive; you can buy one for less than $100/year.

You also have the possibility to use the USBFile.exe tool to generate a USB key with your cert hash and touch each machine to insert the CA hash (i.e. you must restart the vPro machine with the USB key plugged in); for 2300 machines this is time consuming.

You still need an internal PKI in order to issue certificates to each one of these 2,300 machines due to the TLS requirement.

You can find further details about the whole process in this guide: http://www.intel.com/en_US/Assets/PDF/general/cg_MicrosoftConfigMgr_vPro.pdf

Best Regards!

--bruno

idata
Employee

Cool cool, much appreciated.

My web server cert template is already set up on my CA.

Do you recommend Verisign over GoDaddy?

Verisign seems to have a better rep, but the price difference is just insane.

Not sure which one to pick.

Please advise.

thanks man

Bruno_Domignues
Employee

Stéphane,

In fact it's used only internally, so there is technically no big difference between those two CAs.

However, if you are issuing certificates to .gov outside US/Canada, only Verisign is able to issue.

Best Regards and have a Great Weekend!

--bruno

idata
Employee

OK, thanks.

I have chosen Verisign; however, the first step is to follow the Verisign Certificate Signing Request (CSR) Generation Instructions - Microsoft IIS 6.0,

which are as follows:

1. Click Start > All Programs > Administrative Tools > Internet Services Manager (IIS) Manager

2. Double-click the Server Name > Web Sites folder

3. Under Web Sites, right-click the corresponding Web site you wish to secure, and select Properties.

4. Click the Directory Security tab

5. Under Secure communications, click Server Certificate

6. Select Create a new certificate. Note: If you are renewing an SSL certificate, select Renew the current certificate. This will generate a CSR based on the information of the certificate currently installed on the server.

7. Select Prepare the request now, but send it later

8. Enter a name for the certificate. Please note that this is not the Common Name of the certificate request.

9. Select the bit length of 2048 for the certificate

Note: Do not check the box for Select cryptographic service provider (CSP) for this certificate

10. Complete the information requested by the IIS Certificate Wizard to create a private key that is stored locally on your server and a Certificate Signing Request that you will use during the enrollment process. The Wizard will prompt for the following X.509 attributes of the certificate:

- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.

- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.

- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.

- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.

- Organizational Unit (OU): This field is the name of the department or organization unit making the request.

- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".

VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

11. Click Finish to exit the IIS Certificate Wizard. A CSR file has been generated.

12. Verify your CSR: https://ssl-tools.verisign.com/checker

My CA server sits on server A and SCCM sits on server B. I want to configure AMT to work within SCCM, so in step 10 under Common Name, is it best to create a DNS alias and use that in case the server name ever changes? Also, where should I point the alias... to server A (my CA) or server B (SCCM)? Looking at this it seems logical to point it to server B?? I am a bit confused and I don't want to screw up my certificate request.

thanks

Stéphane
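The CSR steps quoted above, worked through as an added example that is not part of the thread and not Verisign's or Intel's own tooling: the OpenSSL equivalent of the IIS wizard (2048-bit RSA key, the step-10 subject attributes, a CSR file), followed by the local checks a practitioner would run before submitting it, namely that the CSR is self-consistent, that the key really is 2048 bits, and that the Common Name is exactly the FQDN the OOB service point is reached by, since a CN for "domain.com" does not cover "sccm.domain.com". The hostname sccm01.corp.example, the subject values and the output directory are constructed placeholders; the example assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): generate a CSR the way the IIS wizard
# does, then check it before sending it to the CA. Requires the openssl CLI.
# Every name below is a constructed placeholder.

SCCM_FQDN="sccm01.corp.example"          # constructed; use the SCCM OOB service point's FQDN
WORK_DIR="${TMPDIR:-/tmp}/amt-csr-example"

# make_csr <fqdn> <outdir>: 2048-bit RSA key plus CSR with the step-10 attributes.
make_csr() {
    fqdn="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/oob.key" -out "$outdir/oob.csr" \
        -subj "/C=US/ST=California/L=Berkeley/O=Example Corp/OU=IT/CN=$fqdn" \
        >/dev/null 2>&1
}

# csr_cn <csr>: print the Common Name from the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_key_bits <csr>: print the RSA modulus size of the CSR's public key.
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# check_csr <csr> <expected_fqdn>: exit 0 only if the CSR's self-signature
# verifies, the key is 2048 bits and the CN equals the expected FQDN.
check_csr() {
    csr="$1"; want="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(csr_key_bits "$csr")" = "2048" ] || return 1
    [ "$(csr_cn "$csr")" = "$want" ] || return 1
    return 0
}

# Usage: generate, then check against the FQDN clients and SCCM will use.
main() {
    make_csr "$SCCM_FQDN" "$WORK_DIR"
    if check_csr "$WORK_DIR/oob.csr" "$SCCM_FQDN"; then
        echo "CSR OK: CN=$(csr_cn "$WORK_DIR/oob.csr"), key=$(csr_key_bits "$WORK_DIR/oob.csr") bits"
    else
        echo "CSR does not match $SCCM_FQDN or is malformed" >&2
        return 1
    fi
}

main "$@"
```

The private key written by make_csr stays on the server that generated it, which is why Bruno's answer insists the CSR be produced on the SCCM server itself: the certificate the CA returns is only usable where that key lives.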
Bruno_Domignues
Employee

Hi Stéphane,

You should use the FQDN of SCCM in the Common Name field... in fact, you must generate the CSR on the SCCM server for it to work.

Best Regards!

--bruno

idata
Employee

Hi, perfect thank you.

Small network question now. In the guide you attached, it mentions doing the following to routers and firewalls:

"open intel vpro technology related ports on routers and firewalls on 9971 and 16992 through 16995-out of band management ports"

I need to request this work to be done through our network department. Is there any more detailed info available somewhere, or is this sufficient for them to process my request? It seems vague.

thanks again

Stéphane

Bruno_Domignues
Employee

Stéphane,

- 9971 - Provisioning

- 16992 - Out of Band Management (without TLS)

- 16993 - Out of Band Management (with TLS)

- 16994 - IDE-R without TLS

- 16995 - IDE-R with TLS

Best Regards!

--bruno

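Once the network team opens those ports, the same list is what a defender wants to watch: traffic on 16992 through 16995 should only ever originate from the OOB service point, and the non-TLS variants should be the exception. The script below is an added example, not from the thread or from Intel's guide; it classifies constructed key=value firewall log lines against Bruno's port list, flags AMT-port flows involving any host outside the management set, and downgrades flows on the non-TLS ports. Its one assumption beyond the reply is direction: it treats 9971 as inbound to the service point (the client-to-server provisioning connection) and the 1699x ports as outbound from it. The log format, addresses and management host list are all constructed.

```python
# Added example (not from the thread): audit firewall log flows on the Intel AMT
# ports listed in the reply above. Log format and every address are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Port roles as given in the reply. tls is None where the reply says nothing.
AMT_PORTS = {
    9971: ("provisioning", None),
    16992: ("OOB management", False),
    16993: ("OOB management", True),
    16994: ("IDE redirection", False),
    16995: ("IDE redirection", True),
}

# Constructed sample log lines; 10.10.1.5 plays the SCCM OOB service point.
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:01Z src=10.10.1.5 dst=10.20.3.40 dport=16993 action=allow",
    "ts=2024-05-01T10:00:02Z src=10.10.1.5 dst=10.20.3.41 dport=16992 action=allow",
    "ts=2024-05-01T10:00:03Z src=10.20.3.42 dst=10.10.1.5 dport=9971 action=allow",
    "ts=2024-05-01T10:00:04Z src=10.30.7.99 dst=10.20.3.40 dport=16992 action=allow",
    "ts=2024-05-01T10:00:05Z src=10.30.7.99 dst=10.20.3.40 dport=443 action=allow",
    "garbage line",
]
MANAGEMENT_HOSTS = ["10.10.1.5/32"]   # constructed; the OOB service point(s)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> Optional[Flow]:
    """Parse one constructed 'key=value' log line; None if it is not a flow record."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields.get("action", "?"))
    except (KeyError, ValueError):
        return None


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def audit(lines: Iterable[str], management_hosts: Iterable[str]) -> List[Tuple[str, str, str, int, str]]:
    """Return (severity, src, dst, dport, reason) for every flow on an AMT port."""
    mgmt = [ipaddress.ip_network(h, strict=False) for h in management_hosts]
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None or f.dport not in AMT_PORTS:
            continue
        role, tls = AMT_PORTS[f.dport]
        # Assumption (not stated in the reply): provisioning on 9971 is inbound to
        # the service point; the 1699x ports are connections made by it.
        expected_peer_ok = _in_any(f.dst, mgmt) if f.dport == 9971 else _in_any(f.src, mgmt)
        if not expected_peer_ok:
            sev, why = "high", f"{role} port {f.dport} used by a host outside the management set"
        elif tls is False:
            sev, why = "medium", f"{role} without TLS on {f.dport}; the TLS port is {f.dport + 1}"
        else:
            sev, why = "info", f"{role} on {f.dport} between expected hosts"
        findings.append((sev, f.src, f.dst, f.dport, why))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for sev, *_ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, MANAGEMENT_HOSTS)
    for sev, src, dst, dport, why in results:
        print(f"[{sev:6}] {src} -> {dst}:{dport}  {why}")
    print(summarize(results))
```

Run on the constructed sample this yields one high finding (a non-management host reaching port 16992), one medium (the service point itself using the non-TLS management port) and two informational entries; the 443 flow and the unparsable line are ignored.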
idata
Employee

Thanks Bruno,

Another question,

In the guide under section 2.3 Summary of prerequisites required for OOB management

it says the following:

"3rd Party Remote Configuration Certificate on each OOB Service Point to provision Intel vPro technology-based systems"

I need a little bit of clarification on this if possible.

In our organisation we have a central primary site called A, a primary child site called B and a bunch of secondary branch sites used for package distribution points. The question is: should I be able to get all clients from all branches and site B provisioned through the central primary site A with one Verisign certificate sitting on central primary site A, or do I need another provisioning certificate elsewhere as well?

Thanks, you have been a great help.

Stéphane
