Adding Root Certificate Hashes

Adding Root Certificate Hashes


I'm going through the process of adding Root Certificate Hashes to use own provisioning certificate for configuring AMT. When I go through AMT 7.0 SDK it has following details under

Setup and Configuration of Intel AMT > Root Certificate Hashes

"Prior to Release 7.0, Intel AMT can have up to 20 embedded root hashes plus three custom hashes installed by the OEM or by IT prior to configuration. Release 7.0 adds the capacity for ten more embedded hashes."

Custom hashes can be added prior to configuration means without enabling AMT or without entering into MEBx we can add hash.If so how we can add hash prior to configuration.

When I lookedIntel_SCS_7.0_User_Guide.pdf, it has following details

Entering a Root Certificate Hash Manually in the Intel AMT Firmware
Normally the certificate hashes are programmed in the Intel AMT system firmware by the manufacturer. However, there is an option of entering the root certificates hash manually via the MEBx. (The names and locations of menu options might vary slightly in different Intel AMT versions.)
As per SCS user guide, we need to manually enter MEBx to add hash certificate.

I feel the information related to adding hash certificate is conflicting between AMT SDK and SCS. Can anyone explain about this ?


8 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.

Hi - I'm trying to figure out what is conflicting between the SDK and the SCS documentation? The MEBx comes with a set of hashes already in it from some of the vendors, such as Verisign, GoDaddy, etc. If you wish to use one of the hashes thatare already there, you need to go buy the matching root certificate from the vendor and install it. If that is the case, you do not need to touch the AMT client during the setup and configuration stage.

If you want to create your own provisioning certificate then you either enter it manually in the MEBx menus or you can use the setup.bin/USB method described and availablein the SDK. Either way, you must have that hash entered into the MEBx prior to using it to configure the system. You can always go into those menus and add new hashes or to view the ones that are already there whether or not it has been provisioned previously.

From the SDK documentation above - I'll have to check on what the "three custom hashes" mean. Last time I checked there were more than 3 available from vendors. It might mean that you can ask your OEM to burn your specific has into the MEBx, provided you are going to be ordering a lot of systems needing that particular hash. (Don't quote me on that - again we need to check on that.)


Follow me on Twitter: @GaelHof

Hi Gael,

In SDK it is mentioned as "three custom hashes installed by the OEM or by IT prior to configuration"
Can you explain what is meant by prior to configuration?

If we manually go into MEBx menu for the first time, it will ask to change password and then only we can add our hash. If the user needs to go to MEBx menu means he can set settings like enable DHCP etc and then what is the need for remote provisioning in this case(like using own provisioning certificate). Once we entered MEBx menu means it is like configured and then we can change the settings using wsman remotely.

I'm looking for methodsto configure AMT without entering into MEbx or manually going to each systems(USB provisioning)


Hi Mani,

"Prior to configuration" in this context means that the custom hashes will need to be put in the firmware before these systems can be provisioned remotely.

They only way you are going to be able to use custom hashes without manually putting them in yourself via the MEBx is to have the OEM add the custom hash to the systems being purchased during the manufacturing process.

Without OEM customization, the only way to remotely provision systems is by purchasing a provisioning certificate from one of the supported vendors.

Please let us know if this answers your question on this topic.

Hi Lance Atencio,

Thanks for the reply.
I understand the difference between setup and configuration process of AMT
If we buy the certificate from vendor, wedon'tneed to touch the AMT client during the setup and configuration stage. I have few clarifications below

If AMT machine comes in Factory mode means, AMT mode will be disabled and DHCP will also disabled(TCP/IP settings also notenabled). In that case howAMT will send Hello packet to provisioning server without modifying the settings in MEBx?

Intel AMT attempts a DNS look-up using the host name "ProvisionServer" for SCA.
For automatic provision we need SCA machine name to be "ProvisionServer", Correct me if I'm wrong?
Intel AMT will send hello message to provisionserver alone or it will broadcast to network?


Hi Mani,

Initially the systems can be configured by the OEM to start sending Hello packets upon first power up.

Aside from that, you can use code runningon the localOS (deployed remotely) to initiate sending the Hello packets.
Please take a look at the "Remote Configuration Using Scripts" section in the Intel_SCS_7.0_User_Guide found in the latest Intel SCS.

Hello messages are only sent to the specified ProvisionServer and not broadcast.
For more information on the Hello messages please refer to the AMT SDK documentation section:
"Setup and Configuration of Intel AMT > Setup and Configuration Methods > Remote Configuration > Setup Mode Hello Messages"

Hi Lance Atencio,

Can you explain what are the settings configured by OEM like AMT enabled, network settings etc. If we didn't enable AMT during first power, will it send hello packets again(Like if we remove power and connect power again). I would like to know how AMTwill enable DHCP mode and get IP address, then start sending Hello packets during first power up

If AMT mode is disabled in MEbx menu , Will code runningon the localOS (deployed remotely) send the Hello packets?


The OEM's have a variety of special settings that they can configure when building the firmware. I'm not familiar with the details, but do know they are different from whatisavailable in the MEBx.

If an OEM has configured the system to send Hello messages they will run for a specified amount of time (usually 24 hours). After that time the network will be closed.

You can use a tool like the ZTCLocalAgent in the AMT SDK to enable AMT and start sending Hello messages.

Leave a Comment

Please sign in to add a comment. Not a member? Join today