Dear Sirs,
We are trying to use ACM control on our network with VPRO supporting mini computers. We managed to use VPRO without a certificate, CCM control mode. The question is the following, the PKI certificate on EMA server should be one out of the certificates listed in the MEBx BIOS of the mini computers. Please refer to the photo for the listed certificates.
All the Best
Hi kluth67,
Greetings!
All the certificates shown in the picture are the TLS certificate vendors (GoDaddy, Sectigo, DigiCert, etc.).
Hence you may have to check with the certificate vendors, and with your networking team, about which certificate you want to use.
Please find the steps given below for further assistance on enabling the PKI DNS Suffix in the MEBx and for details about the certificate purchase and provisioning:
Step 2: Enable the PKI DNS Suffix in the MEBx of the Endpoint:
- Restart the Endpoint - Press Ctrl+P (or Ctrl + Alt + F1 on some units) to log in to the MEBx
- Log into MEBx (default password = admin)
  - For accessing MEBx, please refer to OEM guidance.
  - If first time logging in, the password change is required
- Intel® AMT Configuration -> Remote Setup and Configuration -> TLS PKI -> PKI DNS Suffix
  - If PKI DNS Suffix menu is not available, then AMT is currently configured
    - Go back to Intel® AMT Configuration -> Unconfigure Network Access -> Full Unprovision
- Enter the value for PKI DNS Suffix to match the provisioning certificate
  - For example, Intel.com (without quotes)
- Exit and Save
Link given below for Certificate purchase and configuration:
https://www.intel.com/content/www/us/en/support/articles/000055009.html
Best Regards
Arun_Intel
Hi Arun_Intel,
Thank you very much for the quick answer. We are doing an enterprise installation. We have to follow the above steps for every machine / computer manually? Is there any automated way to proceed?
Kluth67
Hi Arun_Intel,
Referring to my first post and your reply, for example, the certificate on the EMA server is "Sectigo" which is not listed on the computer MEBx, still this will work?
Thanks again for the help
kluth67
Hi Kluth67,
Greetings!
There are 2 ways to provision the endpoints in ACM.
1—When the endpoints are in the same LAN as the server (Office), it is possible to provision the endpoints remotely. The Cert must be installed in IIS or Certif Manager Console and then in the EMA settings tab. Finally, install the EMA agent file on the endpoints. It is not necessary to add the Cert domain to the PKI DNS suffix field of the MEBx BIOS.
2—When the endpoints are remote, adding the Cert domain in the MEBx is a must. This is the way the endpoint validates the EMA server. And the server validates the endpoints.
Important Note:
EMA provisioning has an order.
Configure the EMA server
Paste and install the EMA Agent File on the endpoints.
Then, go to MEBx and add the Cert domain in the PKI DNS suffix field.
If the Cert domain is added to MEBx before installing the EMA agent file, EMA gives an error. EMA will say that the endpoint was previously provisioned by an earlier EMA instance. EMA shows the endpoint provisioned but CIRA as not connected.
Note: There is no way to automatically add the PKI DNS suffix in the MEBx for endpoints which are out of band; it has to be done manually.
And in this case, you may use GoDaddy or DigiCert.
Sectigo is just one of the certificate vendors shown in the example.
Best Regards
Arun_intel
Thank you very much Arun_intel. We will follow the concrete steps described in your replies and we will update the thread.
All the Best
Kluth67
"1—When the endpoints are in the same LAN as the server (Office), it is possible to provision the endpoints remotely. The Cert must be installed in IIS or Certif Manager Console and then in the EMA settings tab. Finally, install the EMA agent file on the endpoints. It is not necessary to add the Cert domain to the PKI DNS suffix field of the MEBx BIOS."
Dear Arun_Intel
Following the above instruction and using the Sectigo AAA certificate, refer to the attached photos. We provisioned an endpoint with this TLS PKI certificate but the messages coming to Intel Management Security Status, photos attached, are "configured and unconfigured" in a loop. CIRA also is not working for this endpoint.
Please note that Sectigo certificate is not listed in the BIOS MEBx section.
All The Best
Hello Kluth67,
Can you confirm if the certificate is correctly installed in the "Local Computer" store under "Personal" and "Trusted Root Certification Authorities"?
Regards,
Vijay N.
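The store check asked for above, as an added PowerShell example that is not part of the thread or of Intel's tooling: it looks in Local Computer\Personal for a certificate whose CN ends with the PKI DNS suffix, builds its chain, and reports whether the root is in Local Computer\Trusted Root Certification Authorities. `example.com` is a placeholder suffix, and matching on the CN is an assumption; the root hashes are printed so they can be compared by hand with the entries shown in MEBx.

```powershell
# Added example. Run in an elevated PowerShell session on the EMA server.
# Placeholder: the domain entered as PKI DNS Suffix in MEBx.
$ExpectedSuffix = 'example.com'

# Certificates in Local Computer\Personal whose CN ends with the suffix.
$pattern = "CN=[^,]*$([regex]::Escape($ExpectedSuffix))(,|$)"
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern }

if (-not $candidates) {
    Write-Warning "No certificate in LocalMachine\My has a CN ending in $ExpectedSuffix"
}

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$now    = Get-Date

foreach ($cert in $candidates) {
    # Build the chain without revocation lookups so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # Last chain element is the root when the chain is complete.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $topHash = [BitConverter]::ToString($sha256.ComputeHash($top.RawData)) -replace '-', ''

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        HasPrivateKey     = $cert.HasPrivateKey
        WithinValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        ChainBuilds       = $chainOk
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootSubject       = $top.Subject
        # False here means the chain stopped at an intermediate (root missing).
        RootIsSelfSigned  = ($top.Subject -eq $top.Issuer)
        RootInTrustedRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        RootSha1          = $top.Thumbprint
        RootSha256        = $topHash
    }
}
```

A row with `HasPrivateKey`, `ChainBuilds` and `RootInTrustedRoot` all true answers the question as asked; any false value points at the store or chain problem to fix first.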
Hello Vijay N.
Thank you very much for the info supplied. We will check it and update.
kluth67
Hi kluth67,
Please share your observation if you were able to confirm with the plan of action shared.
Best Regards
Arun_intel
Hi kluth67,
Greetings!
Thank you for contacting Intel, please feel free to contact us for any further query!
Best Regards
Arun_intel
Hi Arun_Intel
I will update as soon as I get the answer from the people responsible for the Certificate installation.
All the Best
Kluth67