Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Issues Getting Endpoint to Provision for Admin Control Mode - Intel EMA

RickyB
Beginner
1,489 Views

Hello Intel Community,

I'm having some trouble getting Admin Control Mode fully provisioned on an endpoint I have established through Intel EMA.

We've purchased a Deluxe SSL OV Certificate through GoDaddy, followed the steps from the "How To Purchase and Install GoDaddy* Certificates for Intel AMT Remote Setup and Configuration" document, and uploaded the certificate to Intel EMA. The certificate was created under the FQDN ema-server.drbsystems.com. Intel EMA seems to recognize the certificate as a valid vPro cert, but issues are still occurring when trying to provision.

I'm able to provision the endpoint in Client Control Mode using Host-Based Provisioning without issues, but if I try to include the certificate for Certificate Provisioning (TLS-PKI), I receive the following error in the EMALog-ManageabilityServer logs (log file attached):

  • Error: Unable to get activation certificate chain from the database

Additionally, I added the PKI DNS Suffix (of drbsystems.com, and even tried ema-server.drbsystems.com) onto the endpoint's MEBx - PKI DNS Suffix settings, but the unit still will not provision properly. 

I'd also like to add that we installed Intel EMA on our server using the Identity mode of "Use IP Address". This is the only way we can get the endpoint to be detected by the EMA server, and properly provision for CCM. When we try using "FQDN only" or "FQDN first", the Intel EMA will not detect the endpoint and it will not populate on our list of Endpoints on the EMA web-portal.

I'm not sure what I might be missing at this point. Any help would be greatly appreciated!

Please let me know if you need any additional information on our EMA configuration/setup.

Thank you,

-Ricky B.

 

0 Kudos
16 Replies
vij1
Employee
1,449 Views

Hello RickyB,

 

Greetings!

 

Please find the guidance below for addressing the reported issues:

 

  1. Error: Unable to Get Activation Certificate Chain from the Database

We recommend following the steps outlined in the Intel Support Article "Intel® Endpoint Management Assistant (Intel® EMA) Certificate Chaining Issue".

This resource should assist in troubleshooting and resolving certificate chaining problems effectively.

  2. Hostname/FQDN or IP Address Configuration During Installation

During the installation process, ensure the following:
  • Specify a resolvable value (hostname or IP address) for communication among components.
  • If using a hostname or FQDN, ensure it is resolvable by a DNS server in your network.
  • In the absence of a DNS server, use a fixed IP address.

Important Notes:

  • Incorrect hostname or IP configuration will cause Intel® EMA features to malfunction.
  • In distributed server architectures, if Active Directory is in use, ensure all related computers (including load balancers) are listed in Active Directory.

Usage of FQDN/IP Addresses in EMA:

  • Swarm Server Load Balancer FQDN/IP Address: Used in the agent configuration file for endpoint agents, Intel AMT, or Intel® Standard Manageability.
  • Ajax & Web Server Load Balancer FQDN/IP Address: Supports the primary Intel® EMA website HTTPS URL.
  • Recovery Server Load Balancer FQDN/IP Address: Facilitates One Click Recovery.

Critical Reminder:

  • These settings cannot be changed post-installation.
  • Ensure proper DNS resolution and consider using a dynamic DNS entry for flexibility when reconfiguring servers.

 

Let us know if further assistance is required.

 

Best regards,

Vijay N.

Intel Customer Support.

 


0 Kudos
RickyB
Beginner
1,422 Views

Hi Vijay,

 

Thank you for your reply.

 

I attempted the troubleshooting steps in the article provided on "Steps to resolve Intel® EMA v1.7 Certificate Chaining Issue", but this did not resolve our issue. 

 

Within SQL Server Management Studio, after accessing EMADatabase and navigating to the Security.Certificates_GetCertificatesByTenantId procedure, the ORDER BY [CertificateId] line is already included within the syntax. I tried to execute the procedure, but am still receiving the same error within the ManageabilityServer log, and provisioning will not succeed.

2025-01-23 15:23:29.5536|INFO||3112|8|AttemptPhase1_Pki - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Attempting phase 1 PKI provisioning : (SERVER,71814D91). 
2025-01-23 15:23:29.5536|INFO||3112|8|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Get Mesh information (Tenant) : (SERVER,71814D91). 
2025-01-23 15:23:29.5692|INFO||3112|8|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Starting PKI Setup process for endpoint: (SERVER,71814D91) ComputerName: SERVER 
2025-01-23 15:23:29.7410|ERROR||3112|8|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error:Unable to get activation certificate chain from the database : (SERVER,71814D91). 

We are using the IP Address configuration method, so a DNS record should not be needed.

 

Is there anything else we can try to resolve this issue?

 

Thank you,

-RickyB

 

0 Kudos
vij1
Employee
1,408 Views

Hello Ricky B,

 

Greetings!

 

Thank you for your response. Upon reviewing your previous post, we noticed that the certificate was created under the FQDN ema-server.drbsystems.com.

 

We kindly request you to contact your certificate vendor and have the certificate re-issued under the domain name drbsystems.com instead of the FQDN.

 

Once you receive the updated certificate:

 

Reinstall the new certificate.

Share the output or any findings with us for further review.

 

Best regards,

Vijay N

Intel vPro Support Team.

 

 


0 Kudos
RickyB
Beginner
1,380 Views

Hi Vijay,

 

I'll contact my internal teams to see if this can be done, but perhaps I'm confused. All of Intel's instructional documentation states that we can use our full Common name/FQDN, which in this case is ema-server.drbsystems.com. 

 

This documentation would be: How to Purchase and Install GoDaddy* Certificates for Intel AMT Remote Setup and Configuration. They are using scs.vprodemo.com as their Common name/FQDN in the examples provided. Is there a reason for this discrepancy?

 

I'm wondering why we need to use the root domain of drbsystems.com, instead of the full FQDN used to configure the Intel EMA portal.

 

Thank you,

-RickyB

 

0 Kudos
vij1
Employee
1,352 Views

Hello RickyB,

 

Greetings!

 

Thank you for your response.

 

Please allow me some time to check this internally with my resources. I will get back to you as soon as I have an update.

 

Best regards,

Vijay N

Intel vPro Support Team.


0 Kudos
RickyB
Beginner
1,275 Views

Hi Vijay,

Were you able to find anything regarding this yet from your internal resources?

I checked with our internal teams, and unfortunately we will not be able to update our GoDaddy certificate to reflect only the root domain (drbsystems.com). 

Please advise when you have any additional information regarding how we can resolve this issue.

Thank you,

-RickyB

0 Kudos
vij1
Employee
1,242 Views

Hello RickyB,


Greetings!


We would like to clarify that the article "How to Purchase and Install GoDaddy* Certificates for Intel AMT Remote Setup and Configuration" refers to the previous tool, Intel® SCS, and is not up-to-date with the requirements for Intel® Endpoint Management Assistant (Intel® EMA).


For Intel® EMA, the certificate must be created under a public domain name (domain only, not an FQDN).


We apologize for any misunderstanding caused by this reference. Please ensure the certificate aligns with this updated requirement.


If you need further assistance or clarification, feel free to reach out.


Best regards,

Vijay N.

Intel Customer Support.



0 Kudos
Jimmy_Wai_Intel
Employee
1,225 Views

Hi Ricky,

 

In fact, you can use a provisioning certificate containing the FQDN of the server requesting the certificate in the CN field. The document referencing how to purchase a certificate from GoDaddy is still valid for Intel EMA. AMT only checks up to level 2 and level 3 of the domain suffix of the FQDN. You can reference the technical details here.

 

Given the error messages in the log, your Intel EMA server may be missing the intermediate cert and root cert in the certification path of your provisioning certificate. You can check this under Certificates in the Intel EMA web console. If you are only seeing the provisioning certificate but not the intermediate and root certificates, you are missing those. You can fix it by trying one of the methods below:

1) Re-export your provisioning certificate again to a new file and make sure to include the full certification chain and the private key. Remove the old certificate from the Intel EMA web console and upload the new certificate file.

2) Follow the certificate path of your provisioning certificate, and download the intermediate and root certificates from the CA. Import those to the Intel EMA server via the web console.

 

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
RickyB
Beginner
1,202 Views

@vij1 – Unfortunately, we are not able to adjust this with our CA, due to internal complications we may face with already existing certificates associated to our root domain.

@Jimmy_Wai_Intel – Thank you for your reply. Can you provide some clarity on which certificate would be considered the Provisioning Cert? We were only provided with 3 files from GoDaddy for our Deluxe OV Certificate (.crt, .pem and .p7b files). Which would be considered the Provisioning Cert? The only file types supported by the EMA web interface are .pfx & .cer.

Also, I’ve attached screenshots of the certificates installed on our test environment (EMA Server). What I believe to be the Provision Certificate is highlighted in the MMC capture. I’m showing the root certificate as the “Go Daddy Root Certificate Authority – G2”, but I am not seeing anything listed as the Intermediate cert.

Is there any documentation that Intel provides that can help to give better clarity on setting up the PKI certificate for Admin Control Mode? All documentation I’m finding is either outdated, or not directly referring to the current version of Intel EMA (SCS).

 

 

0 Kudos
Jimmy_Wai_Intel
Employee
1,159 Views

Hi Ricky,

 

After you have got the 3 files from GoDaddy, you still need to complete the certificate request and export the final certificate to a file. This is your provisioning certificate. The steps are in section 4 of the How To Purchase and Install GoDaddy* Certificates for Intel AMT Remote Setup and Configuration document. Although not shown in the document, if you are presented with the options to include the private key and the certificates in certificate chain/path in the exported file, please be sure to include those.

Once you have completed the certificate, you should also check if the certificate was issued with the correct property for AMT provisioning. You can find the completed certificate in the certificate store of the local machine. Just like Vijay said, check the Enhanced Key Usage properties of the certificate and look for AMT Provisioning (2.16.840.1.113741.1.2.3). If you don't see this, you need to work with GoDaddy to have the certificate reissued with the right properties.

Once the certificate is confirmed to be good, remove the existing certificate in the EMA server console and upload the newly exported certificate file. Now, you should be able to choose certificate provisioning and pick the new certificate in AMT autosetup.

 

Jimmy_Wai_Intel_2-1738146094347.png

 

0 Kudos
vij1
Employee
1,188 Views

Hello RickyB,

 

Greetings!

 

Thank you for your response.

 

Could you please share the details from the Enhanced Key Usage section of the certificate? Kindly provide a screenshot for our review.

 

Looking forward to your response.

 

Best regards,

Vijay N.

Intel Customer Support.


0 Kudos
RickyB
Beginner
1,123 Views

@vij1 @Jimmy_Wai_Intel  - The key that we are using currently already includes that value within the Enhanced Key Usage. Server & Client Authentication also shows the same values. The only difference is my certificate shows the label as Unknown Key Usage, while yours states AMT Provisioning, but the OID value is exactly the same. See screenshot below:

RickyB_0-1738160885803.png

I deleted this existing certificate and went through the "Complete Certificate Request..." process again, but IIS Manager does not give an option to include the Private Key. Only asked for the .crt certificate file, Friendly Name, and to select a certificate store (Personal).

  • Once this was done, the "Enhanced Key Usage" still shows the same values and OID has not changed (showing correctly as 2.16.840.1.113741.1.2.3, but with the Unknown Key Usage label, instead of AMT Provisioning).

After attempting another export, I then installed the PFX Certificate again onto the EMA Server (under Current User - Personal Certificate Store). After uploading the .pfx certificate file to the EMA web interface, I attempted to provision the endpoint again.

Here are the steps I followed:

  • 1st - I configured my AMT profile for HBP (Host Based Provisioning) for CCM (Client Control Mode) to verify that the connections were still working as they should. 
    • Everything worked fine after setting this up for CCM. Was able to connect without issues, but only in CCM.
  • 2nd - I then un-provisioned the endpoint, and attempted to re-provision with the updated AMT Profile set to PKI Provisioning for ACM (Admin Control Mode).
    • While doing this I also updated the installed Agent services to reflect the updated AMT Profile changed to PKI Provisioning.
  • 3rd - After updating the AMT Profile and Agent services on the endpoint and attempting re-provisioning for ACM, I received the same errors as before within the EMALog-ManageabilityServer logs, and ACM provisioning was not successful.

 

2025-01-29 10:08:23.9357|INFO||3112|8|AttemptPhase1_Pki - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Attempting phase 1 PKI provisioning : (SERVER,71814D91). 
2025-01-29 10:08:23.9357|INFO||3112|8|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Get Mesh information (Tenant) : (SERVER,71814D91). 
2025-01-29 10:08:23.9523|INFO||3112|8|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Message:Starting PKI Setup process for endpoint: (SERVER,71814D91) ComputerName: SERVER 
2025-01-29 10:08:24.1190|ERROR||3112|8|PerformPkiSetup - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error:Unable to get activation certificate chain from the database : (SERVER,71814D91). 
2025-01-29 10:08:24.1190|WARN||3112|8|AttemptPhase1 - MeshManageabilityServer.CentralManageabilityServer, EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Failed PKI provisioning : (SERVER,71814D91). 

 

I'm not sure what else to do at this point. The only other options I can think of would be to:

  • Either uninstall all Intel EMA components from the EMA Server & endpoint, delete all of the certificates from MMC, re-install Intel EMA Server components, install the needed certificates (GoDaddy Deluxe OV, Intermediate, , and try the process again for Admin Control Mode. 
  • Or completely re-image the EMA Server (fresh OS image), re-install SQL Server Express, re-install EMA Server components, re-install certificates needed, and try the ACM Provisioning again.

Any other guidance on this will be greatly appreciated.

Thank you,

-RickyB

0 Kudos
Jimmy_Wai_Intel
Employee
1,110 Views

Hi Ricky,

It is OK to see Unknown Key Usage in the certificate properties as long as OID 2.16.840.1.113741.1.2.3 is there. I would not suggest re-installing the server as this is definitely a certificate issue. The error is reproducible if you do not have everything correct in the provisioning certificate file uploaded to the Intel EMA server - OID, private key, intermediate and root certs.

Could you try the following to export the provisioning certificate on the server?

1) Open MMC and add the certificate snap-in for the computer account

2) Check that all the certs in the certificate path of your provisioning certificate are not missing from the intermediate and root certificate stores. If any is missing, find it on the GoDaddy website, download and import it.

Jimmy_Wai_Intel_1-1738169874912.png

3) Locate the provisioning certificate you completed in the personal certificate store

4) Right click on the certificate, choose All Tasks, and then Export

5) Choose to include private key. If you don't have the option, it means either your user account does not have access rights, or the key is marked not exportable in the certificate. You need to resolve this.

Jimmy_Wai_Intel_0-1738169516571.png

6) Choose to include all certificates in the certification path

Jimmy_Wai_Intel_2-1738169926132.png

7) Provide a password to protect the private key, and complete the export process. If you missed including the private key, you won't be asked for a password.

Jimmy_Wai_Intel_4-1738170601845.png

 

Once you have completed the export, repeat the process as before - remove the previous certificate from the EMA web console, import the newly exported certificate file, update your AMT autosetup settings, and then try provisioning your client again.

 

0 Kudos
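
A pre-upload check for the items the reply above says the exported file must contain (OID, private key, intermediate and root certs), as an added PowerShell example that is not part of the original thread or of Intel's tooling. The function name Test-AmtProvisioningPfx and its output fields are hypothetical, EphemeralKeySet assumes .NET Framework 4.7.2 or later (or PowerShell 7), and the chain walk matches issuer names only; it does not verify signatures.

```powershell
# Added example (hypothetical helper, not Intel code): inspect an exported .pfx
# before uploading it to the Intel EMA web console.
function Test-AmtProvisioningPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $amtOid = '2.16.840.1.113741.1.2.3'   # AMT Provisioning EKU quoted in the thread
    $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
    # EphemeralKeySet keeps the private key in memory instead of writing it to a key store.
    $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $certs  = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $certs.Import((Resolve-Path -LiteralPath $Path).ProviderPath, $plain, $flags)

    # The provisioning (leaf) certificate is the one that carries the private key.
    $leaf   = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    $hasKey = [bool]$leaf
    if (-not $leaf) {
        # No key in the file: fall back to the certificate that issued no other one.
        $issuers = @($certs | ForEach-Object { $_.Issuer })
        $leaf = $certs | Where-Object { $_.Subject -notin $issuers } | Select-Object -First 1
    }
    if (-not $leaf) { throw "No end-entity certificate found in $Path" }

    # Enhanced Key Usage extension (2.5.29.37) must list the AMT Provisioning OID.
    # Windows may label it "Unknown Key Usage"; only the OID value matters.
    $eku       = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasAmtEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $amtOid }))

    # Walk leaf -> intermediate(s) -> root using only certificates inside the file.
    $chain   = @($leaf)
    $current = $leaf
    while ($current.Subject -ne $current.Issuer) {
        $parent = $certs | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
        if (-not $parent -or $chain.Count -gt 10) { break }   # missing issuer or runaway loop
        $chain  += $parent
        $current = $parent
    }
    $chainComplete = ($current.Subject -eq $current.Issuer)   # ended on a self-signed root
    $missing = if ($chainComplete) { $null } else { $current.Issuer }

    [pscustomobject]@{
        Leaf          = $leaf.Subject
        HasPrivateKey = $hasKey
        HasAmtEku     = $hasAmtEku
        ChainComplete = $chainComplete
        MissingIssuer = $missing
        Chain         = @($chain | ForEach-Object { $_.Subject })
    }
}

# Usage (the file name is a placeholder):
# Test-AmtProvisioningPfx -Path .\provisioning.pfx -Password (Read-Host 'PFX password' -AsSecureString)
```

A file that is ready to upload reports HasPrivateKey, HasAmtEku and ChainComplete all as True; a MissingIssuer value names the intermediate or root certificate that was left out of the export.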
RickyB
Beginner
1,085 Views

@Jimmy_Wai_Intel  - That worked! Exporting the certificate the way you mentioned, w/ the Private Key included allowed me to properly provision the Endpoint into ACM!

Thank you so much for all your help! I've been trying to figure this out for months! You're a lifesaver!

0 Kudos
Jimmy_Wai_Intel
Employee
980 Views

My pleasure! I'm glad it is now working for you.

0 Kudos
vij1
Employee
1,049 Views

Hello RickyB,

 

Greetings!

 

Thank you for your response. Since you have confirmed that the issue is resolved, we will proceed with closing this thread.

 

Please don’t hesitate to reach out if you need any further assistance.

Thank you for using Intel products and services.

 

Best regards,

Vijay N.

Intel Customer Support.


0 Kudos