The Developer’s Guide to Creating Intel® AMT Certificates

Intel® Active Management Technology (Intel® AMT) supports the encryption of communications between the management console and client using Transport Layer Security (TLS). Enabling TLS communications requires the creation of security certificates; while the process may be unfamiliar, it is straightforward.

This guide gives developers the background and step-by-step procedures to create Intel AMT security certificates using the Intel AMT SDK, OpenSSL*, and Microsoft Windows* PowerShell*. It also shows how to use the TLS.ps1 script (provided in Appendix B) to configure Intel AMT systems to use TLS communication.

Background and Preparation

Basic host-based setup of a platform that supports Intel AMT places the platform in Client Control Mode, which provides limited Intel AMT functionality. That limitation reflects the lower level of trust required to perform that type of setup, compared to Admin Control Mode.

Admin Control Mode achieves that higher level of trust, in part, by using TLS to secure communication over the network. The certificates described in this guide support Intel AMT Secure Sockets Layer (SSL) encryption.

Note The process described requires your system to be configured to run the Intel® vPro™ Technology module PowerShell scripts as a prerequisite. If you encounter errors when following the steps given in this guide, see Appendix A for configuration instructions.

Creating Intel AMT Certificates Using the Intel AMT SDK and OpenSSL*

STEP 1: Modify the configuration server to not delete the private key and public key.

Open the following file:


Comment out or delete the following two lines:

STEP 2: Add your Intel AMT client to the domain, if it is not already there.

Navigate to the following folder:


Edit the Uss.cfg file and look for commonName_value:

After =$ENV::PROVISIONING_HOSTNAME.$ENV, delete the following:


Look for the following text:



The result will look like the following:

STEP 3: If Certificate details such as organizationName and countryName need to be modified to suit local needs, the following files will need to be updated:


countryName_default = IL
countryName_value = US
organizationName = Organization Name (that is, company)
organizationName_value = Your Company Name
commonName = Common Name (that is, YOUR name)
commonName_value = Intel® Active Management Technology root CA demo

STEP 4: Ensure that your certificate reflects the correct Provisioning Hostname.

To create the Certificate for a specific Intel AMT Client, set the Provisioning Hostname to reflect the Intel AMT Hostname for your Intel AMT System by editing certgen.bat:


Use the following syntax in certgen.bat:


STEP 5: Create the certificates by running the following (in the order given):

For each question, respond with “Y"; no command window is necessary (just double-click):

1. \Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\checkca.bat
2. \Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\certgen.bat

The three certificates are created.

STEP 6: Create and modify the TLS.ps1 script.

Create a file for the TLS.ps1 script using the text in Appendix B.

Copy the hash for the Root CA, Intel AMT Private Key, and the Intel AMT Certificate into the appropriate sections in the TLS.ps1 script. To do so, bring up PowerShell ISE as Administrator, open the TLS.ps1 script, and use the hashes from the following files:

Trusted root CA:

Intel AMT Private Key:

Intel AMT Certificate:

Look for the following sections in the TLS.ps1 script and copy the blobs from the above files into the blob sections of the TLS.ps1 file as follows:




STEP 7: Run the TLS.ps1 script.

The script should install the RootCA, the Intel AMT Private key, and the Intel AMT Certificate on the Intel AMT Client.

Make sure to update Address; this is the IP address of the Intel AMT Client. Also ensure you can connect to the WebUI-if something is wrong with the network connection, the TLS.ps1 script will not run.

If TLS.ps1 executes without error, the Intel AMT client will now be operating using TLS communication.

You can now connect to the WebUI using https and port 16993.

STEP 8: Address certificate warnings.

When connecting through TLS, you will now get a certificate warning.

In order for the WebUI to open without the certificate warning, make sure the following certificates are installed on the machine from which the WebUI is being accessed:



STEP 9: Create additional certificates as needed.

Modify the host name as defined in Step 4.

After the new host name is modified, run the certgen.bat file from step 5.

Follow steps 6 and 7 to configure the new Intel AMT client for TLS encryption.

Developer Resources for Intel® vPro™ Technology

The following sources provide more information about developing for Intel vPro Technology:

Appendix A: System Configuration to Run the Intel® vPro™ Technology Module for Windows PowerShell*

If you encounter errors while trying to run the Intel® vPro™ Technology PowerShell scripts on your management console, it is possible that either the Intel vPro Technology module for Windows PowerShell has not been installed or it is not configured correctly. The following steps cover how to configure your system to use this powerful interface.

Step A: Verify that the PowerShell Module is installed on your system.

If the PowerShell module is not installed, go to the following folder in the Intel AMT SDK and install it (both 32-bit and 64-bit versions are available).

SDK folder: ..\Windows\Common\WS-Management\Scripting Framework:

Step B: Run PowerShell Scripts in the PowerShell command window environment.

Search for “PowerShell” in the Start window.

Run the x86 window as administrator:

A PowerShell command window appears.

First check to see what the current policy is; if it is already set, you do not need to change it:

Note Setting the execution policy to RemoteSigned is generally appropriate, but certain network configurations will require setting execution policy to Unrestricted.

Step C: Configure the execution policy, if required.

Enter the following command to set the execution policy:

Step D: Import the Intel vPro Technology module.

After completing steps A through D, your system will be configured to run the Intel vPro Technology PowerShell scripts from within the command window environment.

If you will be running Intel vPro Technology PowerShell scripts from within the PowerShell ISE, follow the configuration instructions given below in steps E and F.

Step E: Bring up PowerShell ISE as Administrator and open the TLS.ps1 file to be edited.

Note You may have to use the Open option from the File menu, and you may be unable to drag it into the window.

Step F: In the PowerShell ISE, configure the execution policy.

Set the execution policy in the PowerShell environment to Unrestricted or RemoteSigned (see steps B and C, above), entering the configuration command in the bottom window in the PowerShell ISE:

Note The TLS.ps1 script imports the Intel vPro Technology module, so it is not necessary to enter the import command in the command window.

After completing steps E and F, your system is ready to run the Intel vPro Technology module scripts in the PowerShell ISE environment.

Appendix B: TSL.PS1 Script

This appendix contains the contents of the script called for in step 6 of the procedure in the main body of this guide. The file is a collection of some of the ps scripts that exist in the Intel AMT SDK, the licensing for which also governs this snippet. The relevant legal notice appears as part of the Intel® AMT SDK download.

# Create a Wsman Connection Object #
$wsmanConnectionObject = new-object 'Intel.Management.Wsman.WsmanConnection'
$wsmanConnectionObject.Username = "admin"
$wsmanConnectionObject.Password = "P@ssw0rd"
$wsmanConnectionObject.Address = ""

# Add the Trusted Root CA
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel® AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("AddTrustedRootCertificate")
$inputObject.AddProperty("CertificateBlob", $certificateBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
# The $publicKeyCertificateRef is an EPR to the new AMT_PublicKeyCertificate object.
$publicKeyCertificateRef = $outputObject.GetProperty("CreatedCertificate").Ref

# Add AMT private Key
" $publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel® AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("AddKey")
$inputObject.AddProperty("KeyBlob", $keyBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
# The $publicPrivateKeyPairRef is an EPR to the new AMT_PublicPrivateKeyPair object.
$publicPrivateKeyPairRef = $outputObject.GetProperty("CreatedKey").Ref

# Add AMT Certificate $certificateBlob = "MIIDcDCCAligAwIBAgIBAjANBgkqhkiG9w0BAQsFADAyMRUwEwYDVQQDEwxEZW1v

" $publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel® AMT Public Key Management Service'")
$inputCertificate = $publicKeyManagementServiceRef.CreateMethodInput("AddCertificate")
$inputCertificate.AddProperty("CertificateBlob", $certificateBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputCertificate)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
# The $publicKeyCertificateRef is an EPR to the new AMT_PublicKeyCertificate object.
$publicKeyCertificateRef = $outputObject.GetProperty("CreatedCertificate").Ref

# Add TLS certificate
$tlsProtocolEndpointCollectionRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSProtocolEndpointCollection WHERE ElementName='TLSProtocolEndpoint Instances Collection'")
$tlsCredentialContextInstance = $wsmanConnectionObject.NewInstance("AMT_TLSCredentialContext")
# $publicKeyCertificateRef is an EPR to the AMT_PublicKeyCertificate object created by the 'Add a Public Key Certificate' use case.
$tlsCredentialContextInstance.SetProperty("ElementInContext", $publicKeyCertificateRef)
$tlsCredentialContextInstance.SetProperty("ElementProvidingContext", $tlsProtocolEndpointCollectionRef)

# Enable TLS on remote interface
$tlsSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='Intel® AMT 802.3 TLS Settings'")
$tlsSettingDataInstance = $tlsSettingDataRef.Get()
$tlsSettingDataInstance.SetProperty("Enabled", "true")
$tlsSettingDataInstance.SetProperty("MutualAuthentication", "false")

# Enable TLS on local interface.
$tlsSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='Intel® AMT LMS TLS Settings'")
$tlsSettingDataInstance = $tlsSettingDataRef.Get()
$tlsSettingDataInstance.SetProperty("Enabled", "true")
$tlsSettingDataInstance.SetProperty("MutualAuthentication", "false")

# Commit changes
$setupAndConfigurationServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_SetupAndConfigurationService WHERE Name='Intel® AMT Setup and Configuration Service'")
$inputObject = $setupAndConfigurationServiceRef.CreateMethodInput("CommitChanges")
$outputObject = $setupAndConfigurationServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")

Remove-Module 'IntelvPro'

##### End of file

For more complete information about compiler optimizations, see our Optimization Notice.