Intel Confidential 1 Configure PKI Web Server Certificates for each Management Controller
Feb 22, 2016
Intel Confidential1
Configure PKI Web Server Certificates for each
Management Controller
Intel Confidential2
Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™• There are three types of Certificates that are used in association to
Intel vPro client provisioning and management within ConfigMgr 2007 SP2• Intel® AMT Self Signed Certificate
• Used during PKI provisioning to secure the connection• Transparent to process
• Intel® AMT Provisioning Certificate• Used for Remote Configuration authentication by the Out of Band Service Point• Can be generated from Internal PKI Infrastructure or purchased from 3rd Party
CA (VeriSign*, GoDaddy*, Comodo, Starfield)• Provisioning certificate can be generated from internal PKI environment
• Require Internal Root hash to be imported into the MEBx• Requires Option 15 set on DHCP to support “Zero Touch” Configuration
• Intel® AMT Web Server Certificate• Used to secure a connection to Intel AMT client by the management console• Issued to the Intel AMT client during the provisioning process• ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft
Enterprise CA• PKI certificate key sizes <=2048-bits
Intel Confidential3
Enterprise CA & Provision Certificate Configuration
• Assumes that a Microsoft Enterprise CA exists and is already configured• Two Certificates Required: Intel® AMT Provisioning & Intel AMT TLS Web Server Cert• Intel AMT Provisioning Certificate (Used for Provisioning)
• Determine 3rd party or Self Generated• 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield)
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1• Self Generated from Internal PKI infrastructure
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2• Export Cert for ConfigMgr 2007 SP2 / WS-MAN Translator in later configuration step
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3• Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro)
• Create New Web server Template• Recommend certificate name: ConfigMgr AMT Web Server Certificate• Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll
permissions• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver
• 802.1x RADIUS Certificate (Optional for 802.1x networks)• Create New RADIUS Client Template for 802.1x network• Allows AMT to securely authenticate to an 802.1x network without an OS present
• Recommend certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate• Ensure you select Supply in the request to provide the Subject Name• Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll
permissions• http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate
Intel Confidential4
Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority
Expand DC1.vprodemo.com
Note: This is a Microsoft Enterprise Certificate Authority, Standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™
Right Click on Certificate Templates > Manage
Configure PKI Web Server Certificate Template
Intel Confidential5
In the Certificate Templates Console on the right hand window pane, right click on Web Server and select Duplicate Template
In the Duplicate Template Window Select the radio button for
Windows 2003 Server, Enterprise Edition
Click OK
In the Properties of New Template Window on the General Tab:
Enter ConfigMgr AMT Web Server Certificate
Proceed to next foil to set security rights on this template
Configure PKI Web Server Certificate Template
Intel Confidential6
In the Properties of New Template window, click the Security tab
Click Add Select ConfigMgr Primary Site
Servers group Click OK
With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
Click OK Close the Certificate Templates Console
Apply Security Permission to Web Server Certificate Template
Intel Confidential7
In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue
In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template created in the previous step)
Click OK
Issue Web Server Certificate Template
Intel Confidential8
In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand window and ready for use by the Out of Band Service Point
Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system during the provisioning process and used for TLS session during management of Intel AMT.
Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2
Intel Confidential9
Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority
Expand DC1.vprodemo.com Right Click on Certificate Templates >
Manage
Configure RADIUS Client Certificate Template
Intel Confidential10
In the Certificate Templates Console on the right hand window pane, right click on Workstation Authentication and select Duplicate Template
In the Duplicate Template Window Select the radio button for Windows
2003 Server, Enterprise Edition Click OK In the Properties of New Template Window
General Tab: Enter ConfigMgr AMT
802.1X Client Authentication Certificate
Subject Name Tab: Select Supply in the request Click OK in the warning
message Proceed to next foil to set security rights on
this template
Configure RADIUS Client Certificate Template
Intel Confidential11
In the Properties of New Template window, click the Security tab
Click Add Select ConfigMgr Primary Site
Servers group Click OK
With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
Click OK Close the Certificate Templates Console
Apply Security Permission to ConfigMgr AMT 802.1X Client Authentication Certificate Template
Intel Confidential12
In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue
In the Enable Certificate Templates Window, select ConfigMgr AMT 802.1X Client Authentication Certificate (this template created in the previous step)
Click OK
Issue RADIUS Client Certificate Template
Intel Confidential13
In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right hand window and ready for use by the Out of Band Service Point
Note: This Certificate Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system and stored in the firmware during the provisioning process and allow vPro systems to authenticate to an 802.1x network while OS is in a sleep/off state.
RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2
Intel Confidential14
In the Certification Authority Window, right click on DC1.vprodemo.com and select Properties
In the DC1.vprodemo.com Properties Window, select the Security tab
Click Add
Configure Root CA to Allow Revocation of Client Management Controller Certificates
Intel Confidential15
Add the ConfigMgr Primary Site Servers group
Click OK
Select the ConfigMgr Primary Site Servers group
Check Allow Issue and Manage Certificates and Request Certificates permissions for this group
Click OK
Note: This setting is required when you are performing actions like an unprovision of the Management Controller. This will keep your PKI Issued certificates cleaned up (revoked).
Configure Root CA to Allow Revocation of Client Management Controller Certificates