Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

provisioning certificate to provision child domains .local

BMull
Novice
‎11-09-2012 10:06 PM
41,695 Views

Hi everyone,

I'm hoping you can help me with a question.

I have read the Domain Suffix guide at http://communities.intel.com/docs/DOC-4903 http://communities.intel.com/docs/DOC-4903

Say I have a domain that's called bamits.local and I have a child domain called dev.bamits.local and I want to provision systems in the both domains.

My top level domain (TLD) is .local and is not in the list and Option 15 in the top domain would return bamits.local and in the child domain it would return dev.bamits.local

I want to use the same provisioning certificate to provision .bamits.local and dev.bamits.local. how many labels will it need to match? Will the configuration certificate only need to match 2 labels to provision the systems and not need to go back to dev?

I have been told that so long as the DNS suffix (DHCP option 15) matches the cert top level domain, then it will work. If that was true it would only need to goto .local and not worry about bamits.

My concern is that option 15 actually returns dev.bamits.local in the child domain and the certificate is for bamits.local

Could somebody help clarify this for me?

Thanks

Blair

0 Kudos

Link Copied

2 Replies
idata
Employee
‎11-13-2012 02:24 PM
40,435 Views

Hi Blair,

The .local is not on our Top Level Domain list, therefore, the configuration certificate will need to also match the dev label.

For support of clients in bamits.local and dev.bamits.local your options are 2 standard certs for each domain, a multi-domain certificate that includes the two domains, or a wild card certificate.

What does this mean?

Top Level Domain AMT support list:

.EDU .GOV .ORG .BG .CH .CL

.CZ .DE .DK .COM .NET

.ARPA .AR .AT .BE .BR .CA

.CN .CO .EE .ES .FI .FR

.GR .HK .HR .HU .IE .IL

.IN .LT .MX .NL .NO .NZ

.PL .PT .RO .RU .SE .SG

.TH .TR .TW .UA .UK .ZA

Customers owning a DNS under domains on this list can utilize a single standard SSL certificate to provision the entire vPro fleet including all sub-domains in their organization (Intel Advanced Management Technology firmware will treat this certificate as a wildcard certificate)

In other words, if the domain is not on this list the customer would have to resort to Wildcard or Multi-Domain certificates to cover all existing sub-domains to be able to provision AMT in each one.

Example of a domain not on the list:

A Standard SSL certificate for domain "bamits.local" will only support AMT clients in this domain to configure. AMT clients in "dev.bamits.local" or "test.bamits.local" for example will be rejected. This would work with a wildcard cert of " *.bamits.local" or multiple domain certificates.

Copy link
BMull
Novice
‎11-14-2012 01:24 AM
40,435 Views
In response to idata

Thanks Minh,

You have explained it very well.

Regards,

Blair

In response to idata
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.