Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
All support for Intel NUC 7 - 13 systems has transitioned to ASUS. Read latest update.
2816 Discussions

provisioning certificate to provision child domains .local


Hi everyone,

I'm hoping you can help me with a question.

I have read the Domain Suffix guide at

Say I have a domain that's called bamits.local and I have a child domain called dev.bamits.local and I want to provision systems in the both domains.

My top level domain (TLD) is .local and is not in the list and Option 15 in the top domain would return bamits.local and in the child domain it would return dev.bamits.local

I want to use the same provisioning certificate to provision .bamits.local and dev.bamits.local. how many labels will it need to match? Will the configuration certificate only need to match 2 labels to provision the systems and not need to go back to dev?

I have been told that so long as the DNS suffix (DHCP option 15) matches the cert top level domain, then it will work. If that was true it would only need to goto .local and not worry about bamits.

My concern is that option 15 actually returns dev.bamits.local in the child domain and the certificate is for bamits.local

Could somebody help clarify this for me?



0 Kudos
2 Replies

Hi Blair,

The .local is not on our Top Level Domain list, therefore, the configuration certificate will need to also match the dev label.

For support of clients in bamits.local and dev.bamits.local your options are 2 standard certs for each domain, a multi-domain certificate that includes the two domains, or a wild card certificate.

What does this mean?

Top Level Domain AMT support list:









Customers owning a DNS under domains on this list can utilize a single standard SSL certificate to provision the entire vPro fleet including all sub-domains in their organization (Intel Advanced Management Technology firmware will treat this certificate as a wildcard certificate)

In other words, if the domain is not on this list the customer would have to resort to Wildcard or Multi-Domain certificates to cover all existing sub-domains to be able to provision AMT in each one.

Example of a domain not on the list:

A Standard SSL certificate for domain "bamits.local" will only support AMT clients in this domain to configure. AMT clients in "dev.bamits.local" or "test.bamits.local" for example will be rejected. This would work with a wildcard cert of " *.bamits.local" or multiple domain certificates.


Thanks Minh,

You have explained it very well.



0 Kudos