Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel EMA server PKI certificate type

kluth67
Beginner
1,782 Views

Dear Sirs,

We are trying to use ACM control on our network with vPro-supporting mini computers. We managed to use vPro without a certificate, in CCM control mode. The question is the following: should the PKI certificate on the EMA server be one of the certificates listed in the MEBx BIOS of the mini computers? Please refer to the photo for the listed certificates.

 

All the Best 

 

 

0 Kudos
13 Replies
Arun_Intel1
Employee
1,745 Views

Hi kluth67,


Greetings!


All the certificates shown in the picture are the TLS certificate vendors (GoDaddy, Sectigo, DigiCert, etc.).

Hence you may have to check with the certificate vendors, and with your networking team, about which certificate you want to use.


Please find the steps given below for further assistance on enabling the PKI DNS Suffix in the MEBx, and for details about the certificate purchase and provisioning:


Step 2: Enable the PKI DNS Suffix in the MEBx of the Endpoint:

Restart the Endpoint - Press Ctrl+P (Or Ctrl + Alt + F1 on some units) to login to the MEBx

  1. Log into MEBx (default password = admin)
    1. For accessing MEBx, please refer to OEM guidance.
    2. If this is the first login, a password change is required
  2. Intel® AMT Configuration -> Remote Setup and Configuration -> TLS PKI -> PKI DNS Suffix
    1. If PKI DNS Suffix menu is not available, then AMT is currently configured
    2. Go back to Intel® AMT Configuration -> Unconfigure Network Access -> Full Unprovision
  3. Enter the value for PKI DNS Suffix to match the provisioning certificate
    1. For example, Intel.com (without quotes)
  4. Exit and Save


Link given below for Certificate purchase and configuration:

https://www.intel.com/content/www/us/en/support/articles/000055009.html


Best Regards

Arun_Intel



0 Kudos
kluth67
Beginner
1,692 Views

Hi Arun_Intel,

 

Thank you very much for the quick answer. We are doing an enterprise installation. Do we have to follow the above steps for every machine / computer manually? Is there any automated way to proceed?

 

Kluth67

 

 

0 Kudos
kluth67
Beginner
1,688 Views

Hi Arun_Intel,

Referring to my first post and your reply: if, for example, the certificate on the EMA server is "Sectigo", which is not listed in the computer's MEBx, will this still work?

 

Thanks again for the help

 

kluth67

0 Kudos
Arun_Intel1
Employee
1,643 Views

Hi Kluth67,


Greetings!


There are 2 ways to provision the endpoints in ACM.

 

1—When the endpoints are in the same LAN as the server (Office), it is possible to provision the endpoints remotely. The Cert must be installed in IIS or Certif Manager Console and then in the EMA settings tab. Finally, install the EMA agent file on the endpoints. It is not necessary to add the Cert domain to the PKI DNS suffix field of the MEBx BIOS.

 

2—When the endpoints are remote, adding the Cert domain in the MEBx is a must. This is the way the endpoint validates the EMA server. And the server validates the endpoints.

 

Important Note:

EMA provisioning has an order.

  1. Configure the EMA server
  2. Paste and install the EMA Agent File on the endpoints.
  3. Then, go to MEBx and add the Cert domain in the PKI DNS suffix field.

 

If the Cert domain is added to MEBx before installing the EMA agent file, EMA gives an error. EMA will say that the endpoint was previously provisioned by an earlier EMA instance. EMA shows the endpoint provisioned but CIRA as not connected.


Note: There is no way to automatically add the PKI DNS suffix in the MEBx for endpoints that are out of band; it has to be done manually.


And in this case, you may use GoDaddy or DigiCert.

Sectigo is just one of the certificate vendors shown in the example.


Best Regards

Arun_intel




0 Kudos
kluth67
Beginner
1,627 Views

Thank you very much, Arun_intel. We will follow the concrete steps described in your replies and we will update the thread.

 

All the Best

 

Kluth67

0 Kudos
Arun_Intel1
Employee
1,605 Views

Hi kluth67,


Greetings!


Sure, thanks for confirming!


Awaiting your response.


Best Regards

Arun_intel


0 Kudos
kluth67
Beginner
1,508 Views

"1—When the endpoints are in the same LAN as the server (Office), it is possible to provision the endpoints remotely. The Cert must be installed in IIS or Certif Manager Console and then in the EMA settings tab. Finally, install the EMA agent file on the endpoints. It is not necessary to add the Cert domain to the PKI DNS suffix field of the MEBx BIOS."

Dear Arun_Intel

Following the above instruction and using the Sectigo AAA certificate, refer to the attached photos. We provisioned an endpoint with this TLS PKI certificate, but the messages coming to Intel Management Security Status, photos attached, are "configured and unconfigured" in a loop. CIRA also is not working for this endpoint.

Please note that the Sectigo certificate is not listed in the BIOS MEBx section.

 

All The Best

 

0 Kudos
vij1
Employee
1,432 Views

Hello Kluth67,

 

Can you confirm if the certificate is correctly installed in the "Local Computer" store under "Personal" and "Trusted Root Certification Authorities"?

 

Regards,

Vijay N.

 


0 Kudos
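
The store check asked for in the reply above, together with the suffix match from step 3 of the earlier MEBx procedure, can be scripted on the EMA server. This is an added example, not part of the thread and not Intel tooling; `$PkiDnsSuffix` and its value are placeholders, and comparing the suffix against the certificate's subject name is an assumption about how "match the provisioning certificate" is evaluated.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the EMA server.
# Assumption: set this to the value entered in MEBx under "PKI DNS Suffix".
$PkiDnsSuffix = 'example.com'

# Thumbprints of everything in Local Computer > Trusted Root Certification Authorities.
$roots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint

# Walk every certificate in Local Computer > Personal.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Build the chain in machine context so only Local Computer stores are consulted.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    # Revocation lookups need network access; skip them for a pure store check.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)

    # Last chain element is the root, or the highest issuer that could be found.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $cn  = $cert.GetNameInfo('SimpleName', $false)

    # Case-insensitive: subject equals the suffix or ends with ".<suffix>".
    $suffixOk = ($cn -ieq $PkiDnsSuffix) -or
                $cn.ToLower().EndsWith('.' + $PkiDnsSuffix.ToLower())

    [pscustomobject]@{
        Subject       = $cn
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey          # needed to use it as a server cert
        Expired       = $cert.NotAfter -lt (Get-Date)
        ChainBuilds   = $built                       # false: missing issuer or untrusted root
        TopOfChain    = $top.GetNameInfo('SimpleName', $false)
        RootInLMRoot  = $roots -contains $top.Thumbprint
        SuffixMatches = $suffixOk
    }
} | Format-List
```

A certificate reported with `ChainBuilds` or `RootInLMRoot` false has a missing root or intermediate in the Local Computer stores; `SuffixMatches` false means the subject does not end in the suffix configured above.
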
kluth67
Beginner
1,395 Views

Hello Vijay N. 

 

Thank you very much for the info supplied. We will check it and update

 

kluth67

0 Kudos
Arun_Intel1
Employee
1,381 Views

Hi kluth67,


Sure, thanks for the update!


Best Regards

Arun_intel


0 Kudos
Arun_Intel1
Employee
1,187 Views

Hi kluth67,


Please share your observation if you were able to confirm with the plan of action shared.


Best Regards

Arun_intel


0 Kudos
Arun_Intel1
Employee
1,010 Views

Hi kluth67,


Greetings!


Thank you for contacting Intel, please feel free to contact us for any further query!


Best Regards

Arun_intel


0 Kudos
kluth67
Beginner
748 Views

Hi Arun_Intel

I will update as soon as I get the answer from the people responsible for the certificate installation.

 

All the Best 

Kluth67

0 Kudos