Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

vPro Self Cert PKI not available

Gio2023
Beginner

Hello!

 

I just set up Intel EMA in my current lab environment. I was also able to generate a self-signed cert from our root CA on prem.

I was able to upload it into IIS and into EMA, but I am still not able to see the option for TLS under Intel AMT autosetup for the activation method. I am only seeing host-based provisioning.

Option 15 is also set for the DNS Suffix for the network that the device is currently on.

 

Would I need to include the Root and Intermediate certs in IIS as well? We made sure to follow the template from here. I am also able to see all 3 lines of the cert chain.

 

How to Create a Self-Certificate Hash for Intel® Active...

 

Intel EMA Version 1.0.1.0

Windows Server 2019 VM

Intel AMT Version: 11.8.92 and 14.1.67

 

Any direction or help with this is appreciated!

 

 

EDIT: I was able to get the PKI cert to show up. The only other issue I am seeing is that the device I am trying to configure now continues to show Configure and Unconfigure without any additional information.

Victor_G_Intel
Employee

Hello Gio2023,


Thank you for posting on the Intel® communities.


To provide you with the required assistance we will need you to provide the following information:


1-How many endpoints are you planning to have in your deployment?


2-Is the endpoint in your lab environment in the same network as the EMA server?


3-We will require some pictures of the certificate you are using with EMA; specifically, we will require a screenshot showing the full Enhanced Key Usage tab, the full Certification Path tab, and the OID. Additionally, you will have to make sure all the certificates in the certification path of the EMA certificate are SHA256.


4-Please provide the following report from one of your test endpoints.


Intel® EMA configuration tool


https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html


Installation:


Double-click the .msi file and follow the prompts.


Run:


a- Open a command prompt as administrator.

b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c- Run the command: EMAConfigTool.exe -filename XXXX --verbose


5-We will also require the following logs:


EMA logs from Server:

[System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs


EMA log from the endpoint:

[System drive]\Program Files\Intel\EMA Agent\EMAagentlog


Best regards,

 

Victor G.

Intel Technical Support Technician


Gio2023
Beginner

I will be deploying this to over 1500 endpoints.

 

The devices are currently on 2 separate networks.

 

Here is the certificate information.

 

[Screenshot attachment: Gio2023_0-1686782508293.png]

[Screenshot attachment: Gio2023_1-1686782508295.png]

[Screenshot attachment: Gio2023_2-1686782508295.png]

 

I also included the log files here. I took a look at the logs on the platform manager and found this.

 

6/14/2023 3:44:01 PM 01 : Message:Requesting ME administrator account : (Test05,E366C4AE).

6/14/2023 3:44:01 PM 01 : Message:Connecting to Swarm Server : (Test05,E366C4AE).

6/14/2023 3:44:01 PM 01 : Message:Sending Agent Stop Remote Configuration Message : (Test05,E366C4AE).

6/14/2023 3:44:01 PM 01 : Message:Setup computer name Test05.domain name : (Test05,E366C4AE).

6/14/2023 3:44:01 PM 01 : Message:Starting PKI Setup process for endpoint: (Test05,E366C4AE) ComputerName: Test05.domain name

6/14/2023 3:44:01 PM 01 : Get Mesh information (Tenant) : (Test05,E366C4AE).

6/14/2023 3:44:01 PM 01 : Attempting phase 1 PKI provisioning : (Test05,E366C4AE).

6/14/2023 3:42:32 PM 01 : Failed PKI provisioning : (Test05,E366C4AE).

6/14/2023 3:42:32 PM 01 : Warning: Failed Intel AMT SetupAdmin activation : (Test05,E366C4AE).

6/14/2023 3:42:32 PM 01 : Warning:Unable to get Intel ME administrator account : (Test05,E366C4AE).

6/14/2023 3:42:32 PM 01 : Message:Disconnecting Swarm Server : (Test05,E366C4AE).

6/14/2023 3:41:01 PM 01 : Message:Requesting ME administrator account : (Test05,E366C4AE).

6/14/2023 3:41:01 PM 01 : Message:Connecting to Swarm Server : (Test05,E366C4AE).

6/14/2023 3:41:01 PM 01 : Message:Sending Agent Stop Remote Configuration Message : (Test05,E366C4AE).

6/14/2023 3:41:01 PM 01 : Message:Setup computer name Test05.domain name : (Test05,E366C4AE).

6/14/2023 3:41:01 PM 01 : Message:Starting PKI Setup process for endpoint: (Test05,E366C4AE) ComputerName: Test05.domain name

6/14/2023 3:41:01 PM 01 : Get Mesh information (Tenant) : (Test05,E366C4AE).

6/14/2023 3:41:01 PM 01 : Attempting phase 1 PKI provisioning : (Test05,E366C4AE).

Victor_G_Intel
Employee

Hello Gio2023,

 

Thank you so much for your response.


You mentioned that you followed the article below when you were creating the self-signed certificate. Can you please confirm whether you followed the last step, which prompts you to follow the instructions on how to install the hash manually?


https://www.intel.com/content/www/us/en/support/articles/000059996/software.html


Additionally, we will require a picture of how your PKI certificate looks and how it looks in MEBx.


Best regards,

  

Victor G.

Intel Technical Support Technician


Gio2023
Beginner

Hello!

 

The last part of that How-To was not followed. Would it be required to manually install the hash on the workstations when using a self-signed certificate?

[Screenshot attachment: Gio2023_0-1686864774910.png]

Here is a screenshot of the certificate in Intel EMA.

[Screenshot attachment: Gio2023_1-1686864844462.png]

 

 

Gio2023
Beginner

I created a USB with the appropriate hash and it looks like I am still seeing an error on the console for PKI, CERT_VERIFY_FAILED.

6/16/2023 9:26:22 AM 01 : Failed PKI provisioning : (Test-PC,7D8FB6F4).

6/16/2023 9:26:22 AM 01 : Warning: Failed Intel AMT SetupAdmin activation : (Test-PC,7D8FB6F4).

6/16/2023 9:26:22 AM 01 : Message:Deactivation completed : (Test-PC,7D8FB6F4).

6/16/2023 9:26:22 AM 01 : Clearing credentials from ema agent : (Test-PC,7D8FB6F4).

6/16/2023 9:26:22 AM 01 : Disconnecting Swarm Server : (Test-PC,7D8FB6F4).

6/16/2023 9:26:22 AM 01 : Message:Requesting ME unprovisionning : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Connecting to Swarm Server : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Warning:Unable to go to admin mode, rolling back out of client mode : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Warning:Failed to push activation certificate - CERT_VERIFY_FAILED : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Pushing activation certificate - OOT-CA-CA : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Pushing activation certificate - IntermediateIssuingCA : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Pushing activation certificate - Test-Cert : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Current certificate chain status - NotStarted : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Checking if the admin control mode is allowed : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Checking if unprovisioned : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Creating DotNetWSManClient object : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Starting Mesh Router 54136 -> 7D8FB6F4:16992, SYSTEM

6/16/2023 9:26:21 AM 01 : Attempting host based admin provisioning : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Get mesh information (Tenant) : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Current Control mode - Client : (Test-PC,7D8FB6F4).

6/16/2023 9:26:21 AM 01 : Message:Checking if unprovisioned : (Test-PC,7D8FB6F4).

6/16/2023 9:26:20 AM 01 : Message:Creating DotNetWSManClient object : (Test-PC,7D8FB6F4).

6/16/2023 9:26:20 AM 01 : Message:Starting Mesh Router 54131 -> 7D8FB6F4:16992, SYSTEM

6/16/2023 9:26:20 AM 01 : Message:Attempting host based admin provisioning: (Test-PC,7D8FB6F4).

6/16/2023 9:26:20 AM 01 : Message:Getting mesh information (Tenant) : (Test-PC,7D8FB6F4).

 

MIGUEL_C_Intel
Moderator

Hello, Gio2023,


I hope this post finds you well.


The admin control mode requires a certificate. The hashes of the validated OEM Intel® AMT certificates are included in the BIOS of Intel® vPro motherboards. We need to install the certificate into the EMA server and install the EMA agent file on the endpoint machines. The EMA software will automatically configure the provisioning service.


A self-certificate requires installing the hash manually into the MEBx BIOS. (It is necessary to repeat the process on all the endpoints.)

It is necessary to follow all the steps of article 000059996:

How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher

https://www.intel.com/content/www/us/en/support/articles/000059996/software.html


If you have already performed these steps, please review whether the PKI DNS suffix is in MEBx.


For this process, you can run Intel® EMA Configuration Tool

https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html

 

Installation:

Double-click the .msi file and follow the prompts.

 

Run:

a-Open a command prompt (alternatively, you can run the tool from within Windows PowerShell*) as administrator.

b-Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c-Run the command: EMAConfigTool.exe --verbose


If not yet, access MEBx and include the PKI DNS suffix.

From the MEBx Main Menu, click MEBx Login and type your password (it was created when you set up the EMA configuration).

Click Intel® AMT Configuration

Scroll down and select Remote Setup and Configuration

Select TLS PKI

Select PKI DNS Suffix, hit enter

Type your PKI DNS Suffix, hit Enter

The new window will display the new PKI DNS Suffix

Then keep pressing Exit until you close MEBx.


I hope my explanation clarifies the advantages and disadvantages of the self-certificate.


Regards,

Miguel C.

Intel Customer Support Technician


Gio2023
Beginner

Would this be the same on vPro version 11?

I do have a device on version 14 but I am not seeing the options after the USB provisioning.

 

On the version 11 device I do see the PKI cert and the cert chains as well.

MIGUEL_C_Intel
Moderator

Hello, Gio2023,


Do you mind giving us more details of your questions?


Please include pictures of both endpoints, at AMT 11 and 14. EMA is supported on systems with AMT 11.8 and higher.


Regards,

Miguel C.

Intel Customer Support Technician


Gio2023
Beginner

Hello!

Here is all the information I have so far.

I was able to create a USB for MEBx with SHA256. I included the complete cert chain as well. I was also able to verify the PKI DNS suffix in the MEBx login just in case, and I also verified the information and saw the Root CA, Intermediate, and the client cert as well.

I was able to verify connectivity on the devices and installed the EMA Agent with the appropriate group and settings.

On the manageability console I am still seeing the following.
This is for Test02 in the logs below.
- HBA Set Up Failed
- As well as Unable to go to Admin Mode
- "Failed PKI Provisioning"


I feel like I am very close to solving these issues.

6/19/2023 11:31:13 AM 01 : Phase 1 PKI - No valid route to endpoint (Test09,1BEE649A), routing 0.

6/19/2023 11:31:10 AM 01 : Failed PKI provisioning : (Test02,689436CE).

6/19/2023 11:31:10 AM 01 : Warning: Failed Intel AMT SetupAdmin activation : (Test02,689436CE).

6/19/2023 11:31:10 AM 01 : Message:Deactivation completed : (Test02,689436CE).

6/19/2023 11:31:10 AM 01 : Clearing credentials from ema agent : (Test02,689436CE).

6/19/2023 11:31:10 AM 01 : Disconnecting Swarm Server : (Test02,689436CE).

6/19/2023 11:31:10 AM 01 : Message:Requesting ME unprovisionning : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Connecting to Swarm Server : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Warning:Unable to go to admin mode, rolling back out of client mode : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Warning:Host Based Admin Setup failed - AUTH_FAILED : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Attempting Host Based Admin Setup : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:ConfigurationServerFQDN - vPro.server.local : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Current certificate chain status - ChainComplete : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Pushing activation certificate - -ROOT-CA-CA : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Pushing activation certificate - -IssuingCA : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Pushing activation certificate - : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Current certificate chain status - ChainComplete : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Checking if the admin control mode is allowed : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Checking if unprovisioned : (Test02,689436CE).

6/19/2023 11:31:09 AM 01 : Message:Creating DotNetWSManClient object : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:Starting Mesh Router 59105 -> 689436CE:16992, SYSTEM

6/19/2023 11:31:08 AM 01 : Attempting host based admin provisioning : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Get mesh information (Tenant) : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:Current Control mode - Client : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:Checking if unprovisioned : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:Creating DotNetWSManClient object : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:Starting Mesh Router 59100 -> 689436CE:16992, SYSTEM

6/19/2023 11:31:08 AM 01 : Message:Attempting host based admin provisioning: (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:Getting mesh information (Tenant) : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Warning:Host Based Admin Setup (2nd try) - AUTH_FAILED : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Warning:Host Based Admin Setup failed - AUTH_FAILED : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:Attempting Host Based Admin Setup : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:ConfigurationServerFQDN - vPro.server.local : (Test02,689436CE).

6/19/2023 11:31:08 AM 01 : Message:Current certificate chain status - ChainComplete : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Pushing activation certificate - -ROOT-CA-CA : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Pushing activation certificate - -IssuingCA : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Pushing activation certificate - Cert : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Current certificate chain status - ChainComplete : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Checking if the admin control mode is allowed : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Checking if unprovisioned : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Creating DotNetWSManClient object : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Starting Mesh Router 59095 -> 689436CE:16992, SYSTEM

6/19/2023 11:31:07 AM 01 : Attempting host based admin provisioning : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Get mesh information (Tenant) : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Current Control mode - Client : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Checking if unprovisioned : (Test02,689436CE).

6/19/2023 11:31:07 AM 01 : Message:Creating DotNetWSManClient object : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Starting Mesh Router 59090 -> 689436CE:16992, SYSTEM

6/19/2023 11:31:06 AM 01 : Message:Attempting host based admin provisioning: (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Getting mesh information (Tenant) : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Warning:Host Based Admin Setup (1st try) - AUTH_FAILED : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Warning:Host Based Admin Setup failed - AUTH_FAILED : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Attempting Host Based Admin Setup : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:ConfigurationServerFQDN - vPro.server.local : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Current certificate chain status - ChainComplete : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Pushing activation certificate - -ROOT-CA-CA : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Pushing activation certificate - -IssuingCA : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Pushing activation certificate - Cert : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Current certificate chain status - NotStarted : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Checking if the admin control mode is allowed : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Checking if unprovisioned : (Test02,689436CE).

6/19/2023 11:31:06 AM 01 : Message:Creating DotNetWSManClient object : (Test02,689436CE).

6/19/2023 11:31:05 AM 01 : Message:Starting Mesh Router 59085 -> 689436CE:16992, SYSTEM

6/19/2023 11:31:05 AM 01 : Attempting host based admin provisioning : (Test02,689436CE).

6/19/2023 11:31:05 AM 01 : Get mesh information (Tenant) : (Test02,689436CE).

6/19/2023 11:31:05 AM 01 : Message:Current Control mode - Client : (Test02,689436CE).

6/19/2023 11:31:05 AM 01 : Message:Checking if unprovisioned : (Test02,689436CE).

6/19/2023 11:31:05 AM 01 : Message:Creating DotNetWSManClient object : (Test02,689436CE).

6/19/2023 11:31:05 AM 01 : Message:Starting Mesh Router 59080 -> 689436CE:16992, SYSTEM

6/19/2023 11:31:05 AM 01 : Message:Attempting host based admin provisioning: (Test02,689436CE).

6/19/2023 11:31:05 AM 01 : Message:Getting mesh information (Tenant) : (Test02,689436CE).

6/19/2023 11:31:05 AM 01 : Message:Host Based Setup (1st try) - SUCCESS : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Performing Signed Host Based Client Mode Setup : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Attempting Host Based Admin Setup (EHBP) : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Check digest realm : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Fetching the digest realms : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Checking if the client control mode is enabled : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Checking if unprovisioned : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Creating DotNetWSManClient object : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Starting Mesh Router 59075 -> 689436CE:16992, SYSTEM

6/19/2023 11:31:04 AM 01 : Message:Attempting host based provisioning : (Test02,689436CE).

6/19/2023 11:31:04 AM 01 : Message:Disconnecting Swarm Server : (Test02,689436CE).

6/19/2023 11:31:03 AM 01 : Message:Requesting ME administrator account : (Test02,689436CE).

6/19/2023 11:31:03 AM Warning:Received stop remote configuration status from: 689436CE, status: INVALID_PT_MODE (3)

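The Platform Manager excerpts in this thread share one line shape, so they can be triaged mechanically rather than read run by run. The following Python is an added example, not code from the thread or from Intel EMA: it parses that shape, groups events per endpoint, and maps the codes seen above (CERT_VERIFY_FAILED, AUTH_FAILED, "No valid route") to the checks the Intel replies recommend. The sample log is constructed from the excerpts above, and the hint texts are an assumption drawn from those replies, not documented meanings of the codes.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Platform Manager excerpts quoted in this thread.
SAMPLE_LOG = """\
6/16/2023 9:26:21 AM 01 : Message:Current certificate chain status - NotStarted : (Test-PC,7D8FB6F4).
6/16/2023 9:26:21 AM 01 : Message:Pushing activation certificate - OOT-CA-CA : (Test-PC,7D8FB6F4).
6/16/2023 9:26:21 AM 01 : Warning:Failed to push activation certificate - CERT_VERIFY_FAILED : (Test-PC,7D8FB6F4).
6/19/2023 11:31:09 AM 01 : Message:Current certificate chain status - ChainComplete : (Test02,689436CE).
6/19/2023 11:31:09 AM 01 : Message:Pushing activation certificate - -IssuingCA : (Test02,689436CE).
6/19/2023 11:31:09 AM 01 : Warning:Host Based Admin Setup failed - AUTH_FAILED : (Test02,689436CE).
6/19/2023 11:31:13 AM 01 : Phase 1 PKI - No valid route to endpoint (Test09,1BEE649A), routing 0.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)(?: \d+ :)? "
    r"(?:(?P<level>Warning|Message):\s*)?(?P<text>.*)$")
ENDPOINT_RE = re.compile(r"\((?P<host>[^,()]+),(?P<uuid>[0-9A-Fa-f]{8})\)")
CODE_RE = re.compile(r" - ([A-Z][A-Z_]+)$")  # trailing status code such as AUTH_FAILED
CHAIN, PUSH = "Current certificate chain status -", "Pushing activation certificate -"

HINTS = {  # assumption: distilled from the Intel replies in this thread, not documented meanings
    "CERT_VERIFY_FAILED": "AMT rejected the pushed chain: the root hash enrolled in MEBx must be the root EMA pushes, and every certificate in the chain must be SHA-256.",
    "AUTH_FAILED": "chain accepted but admin setup refused: confirm root and intermediate are in IIS, all three certificates are SHA2, and the PKI DNS suffix is set in MEBx.",
    "NO_ROUTE": "the EMA server had no route to the endpoint's AMT port: confirm the agent is connected and the endpoint network is reachable from EMA.",
}

def parse_line(line):  # -> {"ts", "level", "text", "host", "uuid"} or None if not a log line
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    text, host, uuid = m.group("text"), None, None
    ep = ENDPOINT_RE.search(text)
    if ep:
        host, uuid = ep.group("host"), ep.group("uuid")
        text = text[:ep.start()].rstrip(" :")  # drop the " : (host,uuid)." trailer
    return {"ts": m.group("ts"), "level": m.group("level") or "Info",
            "text": text, "host": host, "uuid": uuid}

def triage(log_text):  # per (host, uuid): chain states, pushed cert names, failure codes
    report = defaultdict(lambda: {"chain": [], "certs": [], "codes": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["host"]:  # skip malformed lines and server-side events
            continue
        r, t = report[(ev["host"], ev["uuid"])], ev["text"]
        if t.startswith(CHAIN):
            r["chain"].append(t[len(CHAIN):].strip())
        elif t.startswith(PUSH):
            r["certs"].append(t[len(PUSH):].strip())  # may be empty, as in one excerpt above
        elif "No valid route to endpoint" in t:
            r["codes"].append("NO_ROUTE")
        elif ev["level"] == "Warning":
            code = CODE_RE.search(t)
            r["codes"].append(code.group(1) if code else t)
    return dict(report)

def diagnose(report):  # one summary per host with the hint for its first recognised code
    out = {}
    for (host, uuid), r in sorted(report.items()):
        codes = [c for c in r["codes"] if c in HINTS]
        hint = HINTS[codes[0]] if codes else "no recognised failure code"
        out[host] = {"uuid": uuid, "chain": r["chain"][-1] if r["chain"] else "n/a", "certs": r["certs"], "codes": codes, "hint": hint}
    return out
```

Run `diagnose(triage(open(path).read()))` over the EmaLogs file named in the first Intel reply to get one entry per endpoint; unrecognised warnings are kept verbatim in the triage output so nothing is silently dropped.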
MIGUEL_C_Intel
Moderator

Hello, Gio2023,


I reviewed the last log (6/19 11:34 AM) and the log of (6/16 09:30 AM), and the issue is still present.


Please confirm whether you have already included the Root and the Intermediate certificate in IIS. If yes, please verify that the 3 sections are SHA2 from the Details tab of each section.


If the self-certificate was included properly in IIS and installed into the endpoint, we should be able to see the hash in the EMA Configuration Tool.


Please send me the ECT log and pictures.


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Moderator

Hello, Gio2023,


I hope this post finds you well.


By any chance, have you been able to work on my last request?  I am adding a copy of my last suggestion.


-Please confirm whether you have already included the Root and the Intermediate certificate in IIS. If yes, please verify that the 3 sections are SHA2 from the Details tab of each section.


-If the self-certificate was included properly in IIS and installed into the endpoint, we should be able to see the hash in the EMA Configuration Tool log.


If further assistance is necessary, please send me the ECT log and MEBx pictures.


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Moderator

Hello, Gio2023,


I hope this email finds you well.


Do not hesitate to reply if further assistance is necessary.


Regards,

Miguel C.

Intel Customer Support Technician

