AndrewMcN
Beginner
795 Views

Failed PKI provisioning - Failed to push activation certificate

Hi, EMA noob here. Just setting up for the first time.

Produced a cert using our Windows AD CS. Uploaded the PFX. EMA seemed to ingest it ok. New template with required Intel OID used.

Rolled out to the first client and it seems to be in a loop of attempting to configure itself. I can see the logs showing it attempting to apply the cert, the intermediate and the root. Then it says:

Warning:Failed to push activation certificate - UNKNOWN

...

Warning: Failed Intel AMT SetupAdmin activation

Warning:-- Failed PKI provisioning

There is also some of this:

Warning:Error (2) - Intel.Manageability.WSManagement.WSManException: The underlying connection was closed: The connection was closed unexpectedly. ---> System.Net.WebException: The underlying connection was closed: The connection was closed unexpectedly.
at Intel.Manageability.WSManagement.DotNetWSManClient.HttpSendReceive(MemoryStream postData, XmlDocument& resp)
at Intel.Manageability.WSManagement.DotNetWSManClient.WSManSendReceive(Header header, XmlElement[] bodyIn, XmlElement[]& bodyOut)
--- End of inner exception stack trace ---
at Intel.Manageability.WSManagement.DotNetWSManClient.WSManSendReceive(Header header, XmlElement[] bodyIn, XmlElement[]& bodyOut)
at Intel.Manageability.WSManagement.DotNetWSManClient.Get(Uri resourceUri, IEnumerable`1 selectors)
at Intel.Manageability.Cim.Untyped.CimObject.Get(CimKeys keys)

I saw that this unexpectedly closed error might mean EMA is trying to set up before ME is ready or something, but ME is never getting ready, if that's the case, as it's stuck in this loop.

The DNS seems fine.

I updated the ME firmware and it didn't help (to 11.8.x). The BIOS is up-to-date. It's an HP 800 G2.

Any thoughts on what's wrong? Thanks in advance.

JoseH_Intel
Moderator
762 Views

Hello AndrewMcN,

Thank you for joining the community.

You started saying that you produced a cert using Windows AD CS. So, is this a custom generated certificate? If this is the case then EMA won't accept that unfortunately. You want to purchase a commercial CA from 5 different vendors that are already preinstalled into the ME firmware. Here are instructions for them:

How to Purchase and Install GoDaddy* Certificates for Intel® Active...

How to Purchase and Install DigiCert* Certificates for Intel® AMT...

How to Purchase and Install Comodo* Certificates for Intel® AMT Setup...

How to Purchase and Install Sectigo* Certificates for Intel vPro®...

How to Purchase and Install Entrust* Certificates for Setup and... (intel.com)

For instructions on how to upload the AMT PKI cert, you want to follow the instructions from section 3.3 of the Intel EMA Administration guide: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-...

Hope this helps

Regards

Jose A.

Intel Customer Support Technician

AndrewMcN
Beginner
731 Views

Ok. I wish it had been spelled-out clearer in the docs that you must use one from these vendors.

It would be good if Intel had supported a non-profit/free option like Let’s Encrypt. Yes they have a 90-day renewal which would be a burden.

We have an account with Sectigo but it doesn’t appear to include AMT. I’ll go see if I can change that or start the red-tape to get some cash from the boss.

JoseH_Intel
Moderator
648 Views

Hello AndrewMcN,


Thank you for the feedback. Back in the days of SCS (precursor of EMA) a custom generated CA was accepted. It was not the easiest way to provision the systems, as you needed to inject the cert hash manually on every single device MEBx prior to attempting the mass deployment. So it was possible but not practical, and I think that is why the feature was removed from EMA, because anyway, few people really used it.


Regards


Jose A.

Intel Customer Support Technician


AndrewMcN
Beginner
628 Views

Thanks Jose. Our Sectigo contract did include AMT. It's just not available in the self-service system.

Just dealing with some stability issues now. I'm starting with some of our older machines because they need a TPM upgrade. They're running ME 11.8.x. The Manageability Commander bit sometimes just isn't loading. I haven't had time to research possible causes, etc.

I'm pleased to say at least I was able to remotely disable "Physical Presence Interface" and watch my first ever fully automated TPM upgrade.

JoseH_Intel
Moderator
409 Views

Hello AndrewMcN,


It's good to hear that you were able to overcome the cert and the user consent issue both at the same time. About the IMC, you could try the Open Software Projects - MeshCommander. It works pretty similarly and probably would be more stable.


Regards


Jose A.

Intel Customer Support Technician

