
Class AMT_PublicKeyManagementService

Used in features: Security Administration
Compatible with the following Intel AMT Releases: 3.0, 3.2, 4.0, 5.0, 5.1, 6.0, 6.1, 6.2, 7.0, 8.0, 8.1, 9.0, 9.5, 10.0, 11.0
CIM_ManagedElement
   extended by CIM_ManagedSystemElement
      extended by CIM_LogicalElement
         extended by CIM_EnabledLogicalElement
            extended by CIM_Service
               extended by CIM_SecurityService
                  extended by CIM_AuthenticationService
                     extended by CIM_CredentialManagementService
                        extended by AMT_PublicKeyManagementService


class AMT_PublicKeyManagementService
extends CIM_CredentialManagementService

General Information:
This service contains the information necessary to represent and manage the functionality provided by the Intel(R) AMT CertStore.

Qualifiers:
-------------
Version=11.0.0


Supported Fields Summary
 uint16 EnabledDefault
An enumerated value indicating an administrator's default or startup configuration for the Enabled State of an element . . .
 uint16 RequestedState
RequestedState is an integer enumeration that indicates the last requested or desired state for the element, irrespective of the mechanism through which it was requested . . .
 uint16 EnabledState
EnabledState is an integer enumeration that indicates the enabled and disabled states of an element . . .
 uint16[] OperationalStatus
Indicates the current statuses of the element . . .
 string ElementName
A user-friendly name for the object . . .
 string SystemCreationClassName Key
The CreationClassName of the scoping System.
 string SystemName Key
The Name of the scoping System.
 string CreationClassName Key
CreationClassName indicates the name of the class or the subclass that is used in the creation of an instance . . .
 string Name Key
The Name property uniquely identifies the Service and provides an indication of the functionality that is managed . . .

Methods Summary
 uint32 AddCRL(Url, SerialNumbers, REF CRL)
This call adds a Certificate revocation list to be used by the Intel(R) AMT device.
 uint32 ResetCRLList()
Remove the usage of CRL during the authentication process
 uint32 AddCertificate(CertificateBlob, REF CreatedCertificate)
This function adds a new certificate to the Intel(R) AMT CertStore . . .
 uint32 AddTrustedRootCertificate(CertificateBlob, REF CreatedCertificate)
This function adds a new root certificate to the Intel(R) AMT CertStore . . .
 uint32 AddKey(KeyBlob, REF CreatedKey)
This function adds a new certificate key to the Intel(R) AMT CertStore . . .
 uint32 GeneratePKCS10RequestEx(REF KeyPair, SigningAlgorithm, NullSignedCertificateRequest, SignedCertificateRequest)
This API is used to create a PKCS#10 certificate signing request based on a key from the key store.
 uint32 GenerateKeyPair(KeyAlgorithm, KeyLength, REF KeyPair)
This API is used to generate a key in the FW
  Get(Instance)
Gets the representation of the instance
  Pull(EnumerationContext, MaxElements)
Pulls instances of this class, following an Enumerate operation
  Enumerate()
Enumerates the instances of this class
  Release(EnumerationContext)
Releases an enumeration context

Field Detail

EnabledDefault

public uint16 EnabledDefault
General Information:
An enumerated value indicating an administrator's default or startup configuration for the Enabled State of an element. By default, the element is "Enabled" (value=2).

Qualifiers:
-------------
Write
ValueMap={2, 3, 5, 6, 7, 9, .., 32768..65535}
Values={Enabled, Disabled, Not Applicable, Enabled but Offline, No Default, Quiesce, DMTF Reserved, Vendor Reserved}


RequestedState

public uint16 RequestedState
General Information:
RequestedState is an integer enumeration that indicates the last requested or desired state for the element, irrespective of the mechanism through which it was requested. The actual state of the element is represented by EnabledState. This property is provided to compare the last requested and current enabled or disabled states. Note that when EnabledState is set to 5 ("Not Applicable"), then this property has no meaning. Refer to the EnabledState property description for explanations of the values in the RequestedState enumeration.
"Unknown" (0) indicates the last requested state for the element is unknown.
Note that the value "No Change" (5) has been deprecated in lieu of indicating the last requested state is "Unknown" (0). If the last requested or desired state is unknown, RequestedState should have the value "Unknown" (0), but may have the value "No Change" (5).
Offline (6) indicates that the element has been requested to transition to the Enabled but Offline EnabledState.
It should be noted that there are two new values in RequestedState that build on the statuses of EnabledState. These are "Reboot" (10) and "Reset" (11). Reboot refers to doing a "Shut Down" and then moving to an "Enabled" state. Reset indicates that the element is first "Disabled" and then "Enabled". The distinction between requesting "Shut Down" and "Disabled" should also be noted. Shut Down requests an orderly transition to the Disabled state, and might involve removing power, to completely erase any existing state. The Disabled state requests an immediate disabling of the element, such that it will not execute or accept any commands or processing requests.

This property is set as the result of a method invocation (such as Start or StopService on CIM_Service), or can be overridden and defined as WRITEable in a subclass. The method approach is considered superior to a WRITEable property, because it allows an explicit invocation of the operation and the return of a result code.

If knowledge of the last RequestedState is not supported for the EnabledLogicalElement, the property shall be NULL or have the value 12 "Not Applicable".

Qualifiers:
-------------
ValueMap={0, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, .., 32768..65535}
Values={Unknown, Enabled, Disabled, Shut Down, No Change, Offline, Test, Deferred, Quiesce, Reboot, Reset, Not Applicable, DMTF Reserved, Vendor Reserved}
ModelCorrespondence={CIM_EnabledLogicalElement.EnabledState}


EnabledState

public uint16 EnabledState
General Information:
EnabledState is an integer enumeration that indicates the enabled and disabled states of an element. It can also indicate the transitions between these requested states. For example, shutting down (value=4) and starting (value=10) are transient states between enabled and disabled. The following text briefly summarizes the various enabled and disabled states:
Enabled (2) indicates that the element is or could be executing commands, will process any queued commands, and queues new requests.
Disabled (3) indicates that the element will not execute commands and will drop any new requests.
Shutting Down (4) indicates that the element is in the process of going to a Disabled state.
Not Applicable (5) indicates the element does not support being enabled or disabled.
Enabled but Offline (6) indicates that the element might be completing commands, and will drop any new requests.
Test (7) indicates that the element is in a test state.
Deferred (8) indicates that the element might be completing commands, but will queue any new requests.
Quiesce (9) indicates that the element is enabled but in a restricted mode.
Starting (10) indicates that the element is in the process of going to an Enabled state. New requests are queued.

Qualifiers:
-------------
ValueMap={0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11..32767, 32768..65535}
Values={Unknown, Other, Enabled, Disabled, Shutting Down, Not Applicable, Enabled but Offline, In Test, Deferred, Quiesce, Starting, DMTF Reserved, Vendor Reserved}
ModelCorrespondence={CIM_EnabledLogicalElement.OtherEnabledState}


OperationalStatus

public uint16[] OperationalStatus
General Information:
Indicates the current statuses of the element. Various operational statuses are defined. Many of the enumeration's values are self-explanatory. However, a few are not and are described here in more detail.
"Stressed" indicates that the element is functioning, but needs attention. Examples of "Stressed" states are overload, overheated, and so on.
"Predictive Failure" indicates that an element is functioning nominally but predicting a failure in the near future.
"In Service" describes an element being configured, maintained, cleaned, or otherwise administered.
"No Contact" indicates that the monitoring system has knowledge of this element, but has never been able to establish communications with it.
"Lost Communication" indicates that the ManagedSystemElement is known to exist and has been contacted successfully in the past, but is currently unreachable.
"Stopped" and "Aborted" are similar, although the former implies a clean and orderly stop, while the latter implies an abrupt stop where the state and configuration of the element might need to be updated.
"Dormant" indicates that the element is inactive or quiesced.
"Supporting Entity in Error" indicates that this element might be "OK" but that another element, on which it is dependent, is in error. An example is a network service or endpoint that cannot function due to lower-layer networking problems.
"Completed" indicates that the element has completed its operation. This value should be combined with either OK, Error, or Degraded so that a client can tell if the complete operation Completed with OK (passed), Completed with Error (failed), or Completed with Degraded (the operation finished, but it did not complete OK or did not report an error).
"Power Mode" indicates that the element has additional power model information contained in the Associated PowerManagementService association.
"Relocating" indicates the element is being relocated.
OperationalStatus replaces the Status property on ManagedSystemElement to provide a consistent approach to enumerations, to address implementation needs for an array property, and to provide a migration path from today's environment to the future. This change was not made earlier because it required the deprecated qualifier. Due to the widespread use of the existing Status property in management applications, it is strongly recommended that providers or instrumentation provide both the Status and OperationalStatus properties. Further, the first value of OperationalStatus should contain the primary status for the element. When instrumented, Status (because it is single-valued) should also provide the primary status of the element.

Qualifiers:
-------------
ValueMap={0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, .., 0x8000..}
Values={Unknown, Other, OK, Degraded, Stressed, Predictive Failure, Error, Non-Recoverable Error, Starting, Stopping, Stopped, In Service, No Contact, Lost Communication, Aborted, Dormant, Supporting Entity in Error, Completed, Power Mode, Relocating, DMTF Reserved, Vendor Reserved}
ArrayType=Indexed
ModelCorrespondence={CIM_ManagedSystemElement.StatusDescriptions}


ElementName

public string ElementName
General Information:
A user-friendly name for the object. This property allows each instance to define a user-friendly name in addition to its key properties, identity data, and description information.
Note that the Name property of ManagedSystemElement is also defined as a user-friendly name. But, it is often subclassed to be a Key. It is not reasonable that the same property can convey both identity and a user-friendly name, without inconsistencies. Where Name exists and is not a Key (such as for instances of LogicalDevice), the same information can be present in both the Name and ElementName properties. Note that if there is an associated instance of CIM_EnabledLogicalElementCapabilities, restrictions on this property may exist, as defined in the ElementNameMask and MaxElementNameLen properties of that class.

Product Specific Usage:
In Intel AMT Release 6.0 and later releases, the value is "Intel(r) AMT Certificate Store Service"

Qualifiers:
-------------
MaxLen=40


SystemCreationClassName Key

public string SystemCreationClassName
General Information:
The CreationClassName of the scoping System.

Product Specific Usage:
In Intel AMT Release 6.0 and later releases, the value is "CIM_ComputerSystem"

Qualifiers:
-------------
Key
MaxLen=20
Propagated=CIM_System.CreationClassName


SystemName Key

public string SystemName
General Information:
The Name of the scoping System.

Product Specific Usage:
In Intel AMT Release 6.0 and later releases, the value is "Intel(r) AMT"

Qualifiers:
-------------
Key
MaxLen=20
Propagated=CIM_System.Name


CreationClassName Key

public string CreationClassName
General Information:
CreationClassName indicates the name of the class or the subclass that is used in the creation of an instance. When used with the other key properties of this class, this property allows all instances of this class and its subclasses to be uniquely identified.

Product Specific Usage:
In Intel AMT Release 6.0 and later releases, the value is "AMT_PublicKeyManagementService"

Qualifiers:
-------------
Key
MaxLen=35


Name Key

public string Name
General Information:
The Name property uniquely identifies the Service and provides an indication of the functionality that is managed. This functionality is described in more detail in the Description property of the object.

Product Specific Usage:
In Intel AMT Release 6.0 and later releases, the value is "Intel(r) AMT Public Key Management Service"

Qualifiers:
-------------
Key
Override=Name
MaxLen=45


Method Detail

AddCRL

public uint32 AddCRL([IN]string Url, [IN]string SerialNumbers[], [OUT]REF AMT_CRL CRL)
Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM

General Information:
This call adds a Certificate revocation list to be used by the Intel(R) AMT device.

Product Specific Usage:
After the method succeeds a new instance of AMT_CRL will be created.
This method modifies the flash when executed but requires "CommitChanges" to cause a reset sequence.

Qualifiers:
-------------
ValueMap={0, 1, 23, 36, 38}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_INVALID_PARAMETER, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED}


Parameters:
--------------
Url
General Information:
The issuer URL of the revoked certificates.

Qualifiers:
-------------
IN

SerialNumbers
General Information:
Notice: the values of this array are actually base64 encoded values. A list of serial numbers removed by the CA which is specified in the Url variable.

Qualifiers:
-------------
IN
EOBase64

CRL
General Information:
Reference to the new AMT_CRL instance.

Qualifiers:
-------------
OUT



ResetCRLList

public uint32 ResetCRLList()
Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM

General Information:
Remove the usage of CRL during the authentication process

Product Specific Usage:
After the method succeeds the instances of AMT_CRL will be deleted.

Qualifiers:
-------------
ValueMap={0, 1, 38}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED}


AddCertificate

public uint32 AddCertificate([IN]uint8 CertificateBlob[], [OUT]REF AMT_PublicKeyCertificate CreatedCertificate)
Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM

General Information:
This function adds a new certificate to the Intel(R) AMT CertStore. A certificate cannot be removed if it is referenced (for example, used by TLS, 802.1X or EAC).

Product Specific Usage:
After the method succeeds a new instance of AMT_PublicKeyCertificate will be created.

Qualifiers:
-------------
ValueMap={0, 1, 23, 38, 2058, 2063}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED, PT_STATUS_DUPLICATE, PT_STATUS_INVALID_CERT}


Parameters:
--------------
CertificateBlob
General Information:
Note: The use of ECC 192/224 is blocked starting from Intel® CSME 18.0.


Qualifiers:
-------------
Required
IN
OctetString

CreatedCertificate
General Information:
Certificate encoded in X.509 format

Qualifiers:
-------------
OUT



AddTrustedRootCertificate

public uint32 AddTrustedRootCertificate([IN]uint8 CertificateBlob[], [OUT]REF AMT_PublicKeyCertificate CreatedCertificate)
Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM

General Information:
This function adds a new root certificate to the Intel(R) AMT CertStore. A certificate cannot be removed if it is referenced (for example, used by TLS, 802.1X or EAC).

Product Specific Usage:
After the method succeeds a new instance of AMT_PublicKeyCertificate will be created.
This method modifies the flash when executed but requires "CommitChanges" to cause a reset sequence.

Qualifiers:
-------------
ValueMap={0, 1, 16, 23, 38, 2058, 2063}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_NOT_PERMITTED, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED, PT_STATUS_DUPLICATE, PT_STATUS_INVALID_CERT}


Parameters:
--------------
CertificateBlob
General Information:
Note: The use of ECC 192/224 is blocked starting from Intel® CSME 18.0.


Qualifiers:
-------------
Required
IN
OctetString

CreatedCertificate
General Information:
Certificate encoded in X.509 format

Qualifiers:
-------------
OUT



AddKey

public uint32 AddKey([IN]uint8 KeyBlob[], [OUT]REF AMT_PublicPrivateKeyPair CreatedKey)
Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM

General Information:
This function adds a new certificate key to the Intel(R) AMT CertStore. A key cannot be removed if its corresponding certificate is referenced (for example, used by TLS, 802.1X or EAC).

Product Specific Usage:
After the method succeeds a new instance of AMT_PublicPrivateKeyPair will be created.
Supported ECC key sizes: 384 and 512 bits. Supported RSA key sizes: 2048, 3072 and 4096 bits.

Qualifiers:
-------------
ValueMap={0, 1, 23, 38, 2058, 2062}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED, PT_STATUS_DUPLICATE, PT_STATUS_INVALID_KEY}


Parameters:
--------------
KeyBlob
General Information:
RSA Key encoded as DER PKCS#1.
Note: The use of ECC 192/224 is blocked starting from Intel® CSME 18.0.

Qualifiers:
-------------
Required
IN
OctetString

CreatedKey
General Information:


Qualifiers:
-------------
OUT



GeneratePKCS10RequestEx

public uint32 GeneratePKCS10RequestEx([IN]REF AMT_PublicPrivateKeyPair KeyPair, [IN]uint32 SigningAlgorithm, [IN]uint8 NullSignedCertificateRequest[], [OUT]uint8 SignedCertificateRequest[])
Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM

General Information:
This API is used to create a PKCS#10 certificate signing request based on a key from the key store.

Product Specific Usage:
AMT supports requests of size 2KB or less.

Qualifiers:
-------------
ValueMap={0, 1, 36, 2066}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_INVALID_PARAMETER, PT_STATUS_UNSUPPORTED}


Parameters:
--------------
KeyPair
General Information:
An EPR to a key pair.

Qualifiers:
-------------
Required
IN

SigningAlgorithm
General Information:
The signing algorithm that the FW should use for signing the certificate request

Qualifiers:
-------------
Required
IN
ValueMap={0, 1, 2, ..}
Values={SHA1-RSA, SHA256-RSA, SHA384-RSA, Reserved}
Note: SHA1 is no longer available starting from Intel CSME 18.0.

NullSignedCertificateRequest
General Information:
A binary representation of the null-signed PKCS#10 request. The request must include a valid PKCS10RequestInfo, which will be signed by the AMT FW. The Public Key specified in the request must match the public key of the referenced KeyPair parameter.

Qualifiers:
-------------
Required
IN
OctetString

SignedCertificateRequest
General Information:
A binary representation of the PKCS#10 request, signed by FW.

Qualifiers:
-------------
OUT
OctetString
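
A client-side preflight for the GeneratePKCS10RequestEx inputs described above, as an added example (not Intel code and not part of the original reference): it checks the SigningAlgorithm value, the 2KB limit, and that the public key inside the null-signed request equals the key pair's. The function names, the csme_major parameter, reading 2KB as 2048 bytes, and the caller supplying the key pair's public key as DER SubjectPublicKeyInfo are assumptions; the sample requests are constructed.

```python
# Added example, not Intel code; helper names and sample data are hypothetical.
MAX_REQUEST_BYTES = 2048  # "2KB or less", read here as 2048 bytes (assumption)
SIGNING_ALGORITHMS = {0: "SHA1-RSA", 1: "SHA256-RSA", 2: "SHA384-RSA"}  # page ValueMap

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, pos, pos + length

def extract_spki(csr):
    """Return the raw SubjectPublicKeyInfo TLV of a PKCS#10 request."""
    tag, start, end = read_tlv(csr, 0)  # CertificationRequest
    if tag != 0x30 or end != len(csr):
        raise ValueError("request is not a single DER SEQUENCE")
    outer = csr[start:end]
    tag, start, end = read_tlv(outer, 0)  # CertificationRequestInfo
    if tag != 0x30:
        raise ValueError("missing CertificationRequestInfo")
    info, pos = outer[start:end], 0
    for expected in (0x02, 0x30, 0x30):  # version, subject, SubjectPublicKeyInfo
        begin = pos
        tag, _, pos = read_tlv(info, pos)
        if tag != expected:
            raise ValueError("unexpected field in CertificationRequestInfo")
    return info[begin:pos]

def preflight(csr, keypair_spki, signing_algorithm, csme_major=None):
    """Return a list of problems; empty means the inputs meet the documented rules."""
    problems = []
    if signing_algorithm not in SIGNING_ALGORITHMS:
        problems.append("SigningAlgorithm is a Reserved value")
    elif signing_algorithm == 0 and csme_major is not None and csme_major >= 18:
        problems.append("SHA1-RSA is not available from Intel CSME 18.0")
    if len(csr) > MAX_REQUEST_BYTES:
        problems.append("request exceeds 2KB")
    try:
        if extract_spki(csr) != keypair_spki:
            problems.append("public key in request does not match KeyPair")
    except ValueError as exc:
        problems.append(f"malformed request: {exc}")
    return problems

def der(tag, content):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x80 | size]) + n.to_bytes(size, "big")
    return head + content

def sample_request(spki, pad=0):
    """Constructed request: right structure, placeholder contents, no real signature."""
    info = der(0x02, b"\x00") + der(0x30, b"") + spki + der(0xA0, b"\x00" * pad)
    return der(0x30, der(0x30, info) + der(0x30, b"") + der(0x03, b"\x00"))

SPKI_A = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + b"\x11" * 8))  # constructed
SPKI_B = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + b"\x22" * 8))  # constructed
```

Calling preflight(sample_request(SPKI_B), SPKI_A, 1) reports the key mismatch locally; the firmware's answer for such input is limited to the status codes listed in the ValueMap above.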



GenerateKeyPair

public uint32 GenerateKeyPair([IN]uint32 KeyAlgorithm, [IN]uint32 KeyLength, [OUT]REF AMT_PublicPrivateKeyPair KeyPair)
Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM

General Information:
This API is used to generate a key in the FW

Qualifiers:
-------------
ValueMap={0, 1, 23, 36, 38, 2066, 2082}
Values={PT_STATUS_SUCCESS, PT_STATUS_INTERNAL_ERROR, PT_STATUS_MAX_LIMIT_REACHED, PT_STATUS_INVALID_PARAMETER, PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED, PT_STATUS_UNSUPPORTED, PT_STATUS_OPERATION_IN_PROGRESS}


Parameters:
--------------
KeyAlgorithm
General Information:
The algorithm of the generated key.

Qualifiers:
-------------
Required
IN
ValueMap={0, ..}
Values={RSA, Reserved}

KeyLength
General Information:
The length of the generated key in bits.

Qualifiers:
-------------
Required
IN

KeyPair
General Information:
An EPR to a key pair.

Supported ECC key size: 384 bits. Supported RSA key size: 2048 bits

Qualifiers:
-------------
OUT



Get

public  Get([OUT]AMT_PublicKeyManagementService Instance)
Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM, ADMIN_SECURITY_GENERAL_INFO_REALM

General Information:
Gets the representation of the instance

Pull

public  Pull([IN]String EnumerationContext, [IN]String MaxElements)
Permission Information:
All users permitted to use method, only instances to whom the user has permissions will be returned

General Information:
Pulls instances of this class, following an Enumerate operation

Enumerate

public  Enumerate()
Permission Information:
All users permitted to use method

General Information:
Enumerates the instances of this class

Release

public  Release([IN]String EnumerationContext)
Permission Information:
All users permitted to use method

General Information:
Releases an enumeration context

Copyright © 2006-2022, Intel Corporation. All rights reserved.