Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Failed PKI provisioning - Failed to push activation certificate

AndrewMcN
Beginner

Hi, EMA noob here. Just setting up for the first time.

 

Produced a cert using our Windows AD CS. Uploaded the PFX. EMA seemed to ingest it ok. New template with required Intel OID used.

Rolled out to the first client and it seems to be in a loop of attempting to configure itself. I can see the logs showing it attempting to apply the cert, the intermediate and the root. Then it says:

 

Warning:Failed to push activation certificate - UNKNOWN

...

Warning: Failed Intel AMT SetupAdmin activation

Warning:-- Failed PKI provisioning

 

There is also some of this:

 

Warning:Error (2) - Intel.Manageability.WSManagement.WSManException: The underlying connection was closed: The connection was closed unexpectedly. ---> System.Net.WebException: The underlying connection was closed: The connection was closed unexpectedly.
at Intel.Manageability.WSManagement.DotNetWSManClient.HttpSendReceive(MemoryStream postData, XmlDocument& resp)
at Intel.Manageability.WSManagement.DotNetWSManClient.WSManSendReceive(Header header, XmlElement[] bodyIn, XmlElement[]& bodyOut)
--- End of inner exception stack trace ---
at Intel.Manageability.WSManagement.DotNetWSManClient.WSManSendReceive(Header header, XmlElement[] bodyIn, XmlElement[]& bodyOut)
at Intel.Manageability.WSManagement.DotNetWSManClient.Get(Uri resourceUri, IEnumerable`1 selectors)
at Intel.Manageability.Cim.Untyped.CimObject.Get(CimKeys keys)

 

I saw that this unexpectedly closed error might mean EMA is trying to set up before ME is ready or something, but ME is never getting ready, if that's the case, as it's stuck in this loop.

 

The DNS seems fine.

 

I updated the ME firmware and it didn't help (to 11.8.x). The BIOS is up-to-date. It's an HP 800 G2.

 

Any thoughts on what's wrong? Thanks in advance.

0 Kudos
1 Solution
JoseH_Intel
Moderator

Hello AndrewMcN,

 

Thank you for joining the community

 

You started saying that you produced a cert using Windows AD CS. So, is this a custom generated certificate? If this is the case then EMA won't accept that unfortunately. You want to purchase a commercial CA from 5 different vendors that are already preinstalled into the ME firmware. Here are instructions for them:

 

How to Purchase and Install GoDaddy* Certificates for Intel® Active...

How to Purchase and Install DigiCert* Certificates for Intel® AMT...

How to Purchase and Install Comodo* Certificates for Intel® AMT Setup...

How to Purchase and Install Sectigo* Certificates for Intel vPro®...

How to Purchase and Install Entrust* Certificates for Setup and... (intel.com)

 

For instructions on how to upload the AMT PKI cert, you want to follow the instructions from section 3.3 of the Intel EMA Administration guide: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=25

 

Hope this helps

 

Regards

 

Jose A.

Intel Customer Support Technician


0 Kudos
8 Replies
AndrewMcN
Beginner

Ok. I wish it had been spelled out more clearly in the docs that you must use one from these vendors.

It would be good if Intel had supported a non-profit/free option like Let’s Encrypt. Yes they have a 90-day renewal which would be a burden.

We have an account with Sectigo but it doesn’t appear to include AMT. I’ll go see if I can change that or start the red-tape to get some cash from the boss.

0 Kudos
JoseH_Intel
Moderator

Hello AndrewMcN,


Thank you for the feedback. Back in the days of SCS (precursor of EMA) a custom generated CA was accepted. It was not the easiest way to provision the systems, as you needed to inject the cert hash manually into the MEBx of every single device prior to attempting the mass deployment. So it was possible but not practical, and I think that is why the feature was removed from EMA, because anyway, few people really used it.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
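
The constraint described in both of Jose's replies (the provisioning certificate must chain to a root whose hash the ME firmware already holds, either preinstalled or entered by hand in MEBx) can be checked before a certificate is uploaded. The PowerShell below is an added example, not part of the thread or of Intel's tooling; it assumes SHA-256 root hashes, the Intel AMT setup EKU OID 2.16.840.1.113741.1.2.3 (not quoted in the thread), a placeholder hash list and a constructed in-memory certificate pair, and it needs .NET Framework 4.7.2+ or PowerShell 7.

```powershell
# Added example. Assumptions: the AMT setup EKU OID is not quoted in the thread;
# $FirmwareRootHashes is a placeholder for the root hashes shown in the device's MEBx.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$AmtOid = '2.16.840.1.113741.1.2.3'
$FirmwareRootHashes = @('<SHA256-OF-ROOT-LISTED-IN-MEBX>')

function Get-Sha256Hex([X509Certificate2]$Cert) {
    $sha = [SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Test-AmtProvisioningChain {
    param([X509Certificate2]$Leaf, [X509Certificate2[]]$Extra, [string[]]$TrustedHashes)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    # Build the path only: trust is decided by the firmware hash list, not the Windows store.
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    foreach ($c in $Extra) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    [void]$chain.Build($Leaf)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $eku  = $Leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $oids = @(foreach ($o in $eku.EnhancedKeyUsages) { $o.Value })
    $hash = Get-Sha256Hex $root
    [pscustomobject]@{
        Root            = $root.Subject
        RootSha256      = $hash
        ChainEndsAtRoot = $root.Subject -eq $root.Issuer   # false means an issuer is missing
        HasAmtEku       = $oids -contains $AmtOid
        RootInFirmware  = $TrustedHashes -contains $hash
    }
}

# Constructed sample: a private root (as AD CS would issue) and a leaf carrying the AMT EKU.
$now = [DateTimeOffset]::UtcNow
$rootReq = [CertificateRequest]::new('CN=Example Private Root', [RSA]::Create(2048), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$rootReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$root = $rootReq.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
$leafReq = [CertificateRequest]::new('CN=ema.example.internal', [RSA]::Create(2048), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$ekus = [OidCollection]::new()
foreach ($v in '1.3.6.1.5.5.7.3.1', $AmtOid) { [void]$ekus.Add([Oid]::new($v)) }
$leafReq.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($ekus, $false))
$leaf = $leafReq.Create($root, $now, $now.AddDays(7), [byte[]](1, 2, 3, 4))

Test-AmtProvisioningChain -Leaf $leaf -Extra $root -TrustedHashes $FirmwareRootHashes
```

For the constructed private root, HasAmtEku is true and RootInFirmware is false, which is the situation in the original post: the template and OID are right, but the firmware has no hash for the issuing root.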
AndrewMcN
Beginner

Thanks Jose. Our Sectigo contract did include AMT. It's just not available in the self-service system.

 

Just dealing with some stability issues now. I'm starting with some of our older machines because they need a TPM upgrade. They're running ME 11.8.x. The Manageability Commander bit sometimes just isn't loading. I haven't had time to research possible causes, etc.

 

I'm pleased to say at least I was able to remotely disable "Physical Presence Interface" and watch my first ever fully automated TPM upgrade.

0 Kudos
MarcinW
Beginner

Hello

Can you describe the whole procedure, with an example, of how to generate our own certificate on a DC CA, write the hash into the vPro BIOS, and use this to provision a client computer into ACM (admin control mode)? I know that I have to physically touch the computer and put the hash into the vPro vBIOS. I was trying with the "dell out of band" application, which allows me to prepare a pen drive with the hash and put it into the vPro BIOS. Unfortunately my computer still can't connect to the EMA server or to the SCS server. I don't want to use a commercial certificate because of our security policy.

0 Kudos
AndrewMcN
Beginner
Intel advised it’s not possible not to use a commercial certificate. It’s hardwired to require one.
0 Kudos
MarcinW
Beginner

Can you please give me the link to this information?

0 Kudos
JoseH_Intel
Moderator

Hello AndrewMcN,


It's good to hear that you were able to overcome the cert and the user consent issue both at the same time. About the IMC, you could try the Open Software Projects - MeshCommander. It works pretty similarly and probably would be more stable.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos