My CPU is an i9-14900K. I've exported the EK cert using the PowerShell commands
$a=Get-TpmEndorsementKeyInfo
$a.manufacturerCertificates|Export-Certificate -filepath "D:\Downloads\test.cer"
but it is a self-signed certificate signed with the private EK. I've also tried computing the pub hash and using https://ekop.intel.com/ekcertservice/ but it returned
{"message":"Forbidden"}
I've noticed CN = CSME ADL PTT 01SVN but I have no idea where to find the certificate for this. How should I verify the certificate chain on the Intel PTT EK certificate?
For example, on AMD they have http://ftpm.amd.com/pki/aia/ and their EK cert comes with authority info that points to their certificate chain and is easily verifiable.
Starting with 11th Gen Core, Intel PTT Endorsement Keys are certified using the Intel ODCA (On Die Certificate Authority) and no longer through the EK Online Provisioning server (EKOP).
In order to walk through the certification path, you will need to obtain the embedded intermediate CAs (EICA) as described in TCG's EK Credential Profile section 2.2.1.5.2 "Handle Values for EK Certificate Chains".
The PTT's EKs are signed by the PTT EICA (as you saw, "CSME ADL PTT 01SVN").
The PTT CA is signed by the CSME Kernel EICA, and the Kernel EICA is signed by the CSME ROM EICA, which finally contains an AIA URL to its issuer, as you are used to.
As seen in the TCG EK Credential Profile, you will find the PTT, Kernel and ROM EICA in the NV range allocated for the EK chain.
On Windows you can use the optional tpmdiagnostics feature to read the embedded intermediate chain:
# Install the TPM Diagnostic tool optional Windows feature:
PS C:\> tpmtool oc add
# Check that the EICAs exist in NV:
PS C:\> tpmdiagnostics ekchainnv
# Read certificates as text (read all indices in the chain range and stop when an NV index is not defined; on your ADL device, 0x01c00101 should not be defined since the chain fits into one TPM NV index):
PS C:\> tpmdiagnostics ReadNVIndex 0x01c00100 > nv_0x01c00100.txt
PS C:\> tpmdiagnostics ReadNVIndex 0x01c00101 > nv_0x01c00101.txt
Note that the above will output the certificate chain (concatenated ROM || Kernel || PTT EICAs) in text and not in DER/PEM, and you will need some hex editor to convert it.
Another option is to look in the registry under:
"HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\IntermediateCACertStore\Certificates"
Please let me know if this information helps and if you have more questions
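
Added example, not part of the original reply or of Intel's or Microsoft's tooling: Python that splits the concatenated ROM || Kernel || PTT DER blob described above into separate PEM certificates by walking the DER length headers. It assumes the text dump has already been reduced to plain hex byte pairs and that unused NV space is 0x00/0xFF padding; the function names are hypothetical and the sample bytes are constructed filler, not real certificates.

```python
import base64
import textwrap

# Chain order stated in the thread: ROM || Kernel || PTT EICAs.
CHAIN_ORDER = ("ROM", "Kernel", "PTT")

def der_element_length(buf, offset):
    """Return total size (header + content) of the DER SEQUENCE at offset."""
    if buf[offset] != 0x30:
        raise ValueError(f"expected SEQUENCE tag 0x30 at offset {offset}")
    if offset + 2 > len(buf):
        raise ValueError("truncated DER header")
    first = buf[offset + 1]
    if first < 0x80:                     # short form: one length byte
        return 2 + first
    n = first & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    if offset + 2 + n > len(buf):
        raise ValueError("truncated DER length")
    return 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")

def split_der_chain(blob):
    """Split back-to-back DER certificates; stop at 0x00/0xFF padding (assumed)."""
    certs, offset = [], 0
    while offset < len(blob) and blob[offset] not in (0x00, 0xFF):
        size = der_element_length(blob, offset)
        if offset + size > len(blob):
            raise ValueError("certificate runs past end of NV data")
        certs.append(blob[offset:offset + size])
        offset += size
    return certs

def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_chain(hex_text):
    """Map ROM/Kernel/PTT to PEM text from a whitespace-separated hex dump."""
    ders = split_der_chain(bytes.fromhex(hex_text))
    return {name: to_pem(der) for name, der in zip(CHAIN_ORDER, ders)}

def _fake_cert(n):
    # Constructed stand-in: a SEQUENCE of n filler bytes (n < 128 or n >= 256).
    hdr = bytes([0x30, n]) if n < 0x80 else b"\x30\x82" + n.to_bytes(2, "big")
    return hdr + b"\x02" * n

# Constructed sample: three fake DER blobs plus trailing 0xFF padding, as hex text.
SAMPLE_HEX = (_fake_cert(700) + _fake_cert(100) + _fake_cert(300) + b"\xff" * 16).hex(" ")
```

Each PEM written out this way can then be opened with the usual certificate tools to check that the EK certificate's issuer matches the PTT EICA subject, and so on up to the ROM EICA.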
I have the same question. If you have figured it out, please share how you obtained the issuer certificate(s).
Hello Andox,
Thank you for posting in our communities.
You may continue monitoring this case to keep you updated or file a new case so that we can properly support you.
Intel Support: https://www.intel.com/content/www/us/en/support.html
Thank you for your understanding, and have a great day ahead.
Best regards,
Carmona A.
Intel Customer Support Technician
Hello Dhdj,
Thank you for posting in our communities.
I will raise the case with our engineers so we can provide you with the appropriate answer to your query.
Thank you for your patience!
Best regards,
Carmona A.
Intel Customer Support Technician
Hello Intel,
I too am experiencing tremendous frustration with this issue. Has there been any update on this?
Thanks
Laser Lord
Thank you for posting in our communities.
The same advice that I have provided to @Andox is that you may continue monitoring this case to keep you updated or file a new case so that we can properly support you.
Intel Support: https://www.intel.com/content/www/us/en/support.html
Thank you for your understanding, and have a great day ahead.
Best regards,
Carmona A.
Intel Customer Support Technician
Hello Dhdj,
Thank you so much for patiently waiting on our response.
Could you kindly provide the make and model of your motherboard? The Trusted Platform Module (TPM) is a critical security component that can be either physically present on your motherboard or integrated within your processor. It's possible that the TPM has been disabled in the firmware settings by the manufacturer. Since your processor is compatible with Intel® Trusted Execution Technology, enabling the TPM may be necessary for optimal security performance.
For further information, we also recommend reviewing the following articles, which offer detailed insights into TPM and its functionalities:
- How to Know If Trusted Platform Module (TPM) Is Supported in Systems with Intel® Processors
- What Is Trusted Platform Model (TPM) and Its Relation to Intel® Platform Trust Technology (Intel® PTT)?
- How to Set Up the Trusted Platform Module
- Enable TPM 2.0 on your PC.
- Get-TpmEndorsementKeyInfo
We will be waiting for your response!
Best regards,
Carmona A.
Intel Customer Support Technician
Motherboard: ASUS ROG STRIX Z790-E GAMING WIFI (Nuvoton NCT6789D)
TPM (Intel PTT) is enabled, Secure Boot is enabled, BitLocker is enabled.
As you can see, the certificate is issued by Intel and it does not have a certificate chain.
PS C:\Users\dhdj> Get-TpmEndorsementKeyInfo -HashAlgorithm SHA256
IsPresent : True
PublicKey : System.Security.Cryptography.AsnEncodedData
PublicKeyHash : b42b7600978cb39723cdd2508ec63796c21618651f0a0f96f98258b29caa21fb
ManufacturerCertificates : {[Subject]
TPMVersion=id:02580012, TPMModel=ADL, TPMManufacturer=id:494E5443
[Issuer]
CN=CSME ADL PTT 01SVN
[Serial Number]
7A0A82DDA276FE1C32098160606822AC
[Not Before]
6/22/2021 7:00:00 PM
[Not After]
12/31/2049 5:59:59 PM
[Thumbprint]
9ADE39C8C3D255417DEBFBFC77B2CAE81148D83C
}
AdditionalCertificates : {}
The Common Name of the Issuer is CSME ADL PTT 01SVN, which resembles something from Intel, but there is no way to obtain this certificate, thus the certificate chain is not verifiable.
Hello Dhdj,
Thank you so much for the quick response and for providing us with the complete model of your motherboard along with other relevant information that will help in our investigation.
I will now raise the case again with our engineers so they can further guide us on our next steps. And I will update you as soon as I have our engineer's response.
Again, thank you so much for your patience!
Best regards,
Carmona A.
Intel Customer Support Technician
Any update on this issue? We need all the public root and intermediate certificates for 'CSME ADL PTT 01SVN' to be able to verify the certificate chain.
Hello Dhdj,
Thank you so much for patiently waiting on our response.
We recommend that you look up the "certification path" in the certificate.
Then, check out this article: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation
If you have any questions, please let me know.
Best regards,
Carmona A.
Intel Customer Support Technician
Hello Dhdj,
We would like to know if you have any questions regarding the recommendation that we have provided.
If yes, please let me know. We would be happy to help.
Best regards,
Carmona A.
Intel Customer Support Technician
Hello!
The "Certificate Path" is only displaying the certificate itself with the Certificate Status: "The issuer of this certificate could not be found."
Just to iterate on the actual issue here. We need the public root and intermediate issuer certificates for "CSME ADL PTT 01SVN" to be able to verify the full certificate chain.
Best regards
Hello Andox,
Again, please file a new case so that we can properly support you.
Intel Support: https://www.intel.com/content/www/us/en/support.html
By the way, please share this thread with other moderators so they can easily understand your concern and provide you with an immediate recommendation.
Thank you for your understanding.
Best regards,
Carmona A.
Intel Customer Support Technician
Hello Dhdj,
Again, we would like to know if you have any questions regarding the recommendation that we have provided.
If yes, please let me know. We would be happy to help.
Best regards,
Carmona A.
Intel Customer Support Technician
Thank you for your response; however, it didn't address my problem.
Yes, on older Intel CPUs (like an Intel i7 7600U) there is a certificate path, but on the 14900K at least there is no such thing, which is the problem that we've been having. As for evidence that it's missing, please refer to the screenshot posted by @Andox.
Is there a way for me to get direct contact with an Intel engineer, or is this the only place where I can ask? This entire thing looks like a big **** up by the Intel engineering team to me.
Hello Acarmona!
Sorry to reply again, but it seems like you're not reading what Dhdj and I are writing. Your response, 'We recommend that you look up the "certification path" in the certificate,' is unclear. Could you expand on what you actually mean? For example, Dhdj wrote in the initial post, 'For example, on AMD they have http://ftpm.amd.com/pki/aia/ and their EK cert comes with authority info that points to their certificate chain and is easily verifiable.' They are referring to the fact that they want the certificate chain, but your reply was essentially 'please find the chain.'
Best regards
Yeah lol basically
Me: "The certificate path is missing, how do I find it?"
Intel: "Just look for the certificate path?"
Me: "?"
Thank you so much for the response.
I will clarify the query that we have with our engineers and get back to you as soon as possible.
Thank you for your patience and understanding.
By the way, I appreciate that both of you are sharing your thoughts with us; they were all highly noted.
Best regards,
Carmona A.
Intel Customer Support Technician