I can use my own provisioning certificate in the EMA service, but I need 2 Windows servers,
because the EMA service will make the web certificate authority unavailable, and I only successfully set up the CIRA connection in the enterprise certificate authority environment.
Because the price of Windows Server is too expensive, I need help:
1. How to install an enterprise CA and the EMA service on the same machine?
or
2. How to use a standalone CA and successfully make the CIRA connection?
or
3. How to use Ubuntu to create a certificate authority and successfully make the CIRA connection?
Hello Huang,
Thank you for joining the Intel community.
The configuration you are attempting to set up might not be fully supported. To be able to use your own certificate you must input it manually in MEBX or import it with a USB, which will require you to physically touch every single machine before the provisioning process.
For #1, I will need to make sure if this is possible.
For #2, if I'm not mistaken, CIRA will require a TLS certificate.
#3 is totally out of the scope of this support.
For further details about how to upload a PKI certificate, you want to check section 3.3 of: https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=22
I will look forward to your feedback.
Regards
Jose A.
Intel Customer Support Technician
Dear JoseH
Thanks for your reply.
I know how to upload my own provisioning PKI certificate and input it manually in MEBX, so I can set up the CIRA connection.
My question is how to use only one Windows server device, create my own provisioning certificate, and use my own provisioning certificate in the EMA service to complete the CIRA connection.
For #1: Please help.
For #2: How to create my own TLS certificate in a standalone CA environment?
Hi, how did you use Microsoft CA to issue certificates to the Intel EMA server?
I've been researching for a long time and can't figure it out.
I hope you can share your experience, thank you very much.
Hello Huang,
Not sure if such a configuration is possible, but I will look into that a bit and will let you know.
Regards
Jose A.
Intel Customer Support Technician
Hello simple1,
There are many design decisions you can make here. You can virtualize your CA or do a bare metal install with EMA on the same server. It is possible, but there are design tradeoffs around scalability when using the same server. If you don't plan on scaling beyond 5000 endpoints, using the same server is an acceptable practice. It is also important to note that setting up your own PKI is considerably more complex than purchasing a cert.
You will want to refer to Microsoft best practices and how-to guides on setting up a CA. There are numerous video tutorials on this subject.
For best practices on setting up their EMA server, you should refer to the EMA Installation and admin and user guide after you have established your PKI.
Section 3.3 will walk through on how to upload your private cert into their EMA server...
Installation guide and consideration in setting up your Certs...
Regards
Jose A.
Intel Customer Support Technician
Dear JoseH
Thanks for your reply.
I have read these two documents, but about the #1 question:
How can I fix the following problem?
The EMA service will make the web certificate authority unavailable, because the Web Certificate Authority and the EMA service both use the default website.
Page 21:
For first-time installations, if you continue with the installation process, the Intel EMA Setup Wizard will delete everything in the c:\inetpub\wwwroot folder. Be sure to backup any needed files before continuing with the installation process. This does NOT apply when updating from a previous Intel EMA version, although IIS bindings will be set to default values. Click Next on the Welcome screen to continue the setup process. When the License Agreement is displayed, accept the license to continue.
About the #2 question:
Is there any update about this question?
Thanks
Hello simple1,
Let me research on this and I will let you know soon.
Regards
Jose A.
Intel Customer Support Technician
Hello simple1,
You are correct if you have the requirement that his CA provide a web enrollment environment. EMA does actively use IIS for its own web portal. Developers are looking at changing this, but we don't have a timeframe for when this will be available.
The following are some options for testing. They are not supported for a production environment and have not been tested by our teams, but may help you with your requirement to avoid another Windows license.
- Install EMA in a development environment and then install IIS and change the default directory. Again, not to be done in production.
- Consider a Linux VM (to avoid OS licensing costs). This will of course be a non-IIS CA, which may not work for you.
- Investigate an open source CA PKI like EJBCA, https://www.ejbca.org/
- Using Docker to containerize IIS. https://mcpmag.com/articles/2019/11/20/iis-on-windows-server-containers.aspx
And please remember that these alternative options are NOT supported by Intel, but are ideas to help you to have a CA with self enrollment and EMA live on the server. No warranty or support for the suggestions.
Hope these help you.
Regards
Jose A.
Intel Customer Support Technician