The Developer’s Guide to Creating Intel® AMT Certificates

Intel® Active Management Technology (Intel® AMT) supports the encryption of communications between the management console and client using Transport Layer Security (TLS). Enabling TLS communications requires the creation of security certificates; while the process may be unfamiliar, it is straightforward.

This guide gives developers the background and step-by-step procedures to create Intel AMT security certificates using the Intel AMT SDK, OpenSSL*, and Microsoft Windows* PowerShell*. It also shows how to use the TLS.ps1 script (provided in Appendix B) to configure Intel AMT systems to use TLS communication.

Background and Preparation

Basic host-based setup of a platform that supports Intel AMT places the platform in Client Control Mode, which provides limited Intel AMT functionality. That limitation reflects the lower level of trust required to perform that type of setup, compared to Admin Control Mode.

Admin Control Mode achieves that higher level of trust, in part, by using TLS to secure communication over the network. The certificates described in this guide support Intel AMT TLS (often still referred to as SSL) encryption.

Note The process described requires your system to be configured to run the Intel® vPro™ Technology module PowerShell scripts as a prerequisite. If you encounter errors when following the steps given in this guide, see Appendix A for configuration instructions.

Creating Intel AMT Certificates Using the Intel AMT SDK and OpenSSL*

STEP 1: Modify the configuration server to not delete the private key and public key.

Open the following file:

\Windows\Intel_Manageability_Configuration\Bin\ConfigScripts\provend.bat

Comment out or delete the following two lines:

STEP 2: Add your Intel AMT client to the domain, if it is not already there.

Navigate to the following folder:

\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecConfig

Edit the Uss.cfg file and look for commonName_value:

In the commonName_value line, after =$ENV::PROVISIONING_HOSTNAME, delete the following:

.$ENV::PROVISIONING_DOMAIN

Look for the following text:

[alt_names]
DNS.1 =$ENV::PROVISIONING_HOSTNAME.$ENV::PROVISIONING_DOMAIN,

Delete .$ENV::PROVISIONING_DOMAIN

The result will look like the following:

STEP 3: If certificate details such as organizationName and countryName need to be modified to suit local needs, update the following files:

\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecConfig\Auditor.cfg
\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecConfig\rootCA.cfg
\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecConfig\subCA.cf

countryName_default = IL
countryName_value = US
organizationName = Organization Name (that is, company)
organizationName_value = Your Company Name
commonName = Common Name (that is, YOUR name)
commonName_value = Intel® Active Management Technology root CA demo

STEP 4: Ensure that your certificate reflects the correct Provisioning Hostname.

To create the Certificate for a specific Intel AMT Client, set the Provisioning Hostname to reflect the Intel AMT Hostname for your Intel AMT System by editing certgen.bat:

\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\certgen.bat

Use the following syntax in certgen.bat:

IF "%PROVISIONING_HOSTNAME%"=="" SET PROVISIONING_HOSTNAME=

STEP 5: Create the certificates by running the following (in the order given):

For each question, respond with “Y”; no command window is necessary (just double-click):

1. \Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\checkca.bat
2. \Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\certgen.bat

The three certificates are created.

STEP 6: Create and modify the TLS.ps1 script.

Create a file for the TLS.ps1 script using the text in Appendix B.

Copy the base64 blob for the Root CA, the Intel AMT private key, and the Intel AMT certificate into the appropriate sections of the TLS.ps1 script. To do so, bring up PowerShell ISE as Administrator, open the TLS.ps1 script, and use the blobs from the following files:

Trusted root CA:
\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\rootCA\cacert.cer

Intel AMT Private Key:
\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\newkey.pem

Intel AMT Certificate:
\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\newcert.pem

Look for the following sections in the TLS.ps1 script and copy the blobs from the above files into the blob sections of the TLS.ps1 file as follows:

cacert.cer:

newkey.pem:

newcert.pem:
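The following PowerShell is an added example, not part of the guide or of the Intel AMT SDK. It produces the single-line base64 strings that the blob sections of TLS.ps1 expect from the three files above (stripping PEM armour, or base64-encoding a DER file), and decodes the certificate blob to confirm that it names the Intel AMT hostname set in Steps 2 and 4; the hostname 'amt-client-01' is a placeholder.

```powershell
# Added example (not from the guide or the Intel AMT SDK). Builds the single-line
# base64 blobs that TLS.ps1 expects and sanity-checks the certificate blob.
function ConvertTo-AmtBlob {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    # PEM armour present? (openssl ca often prepends a text dump before it.)
    $m = [regex]::Match($text, '-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----', 'Singleline')
    if ($m.Success) {
        $body = $m.Groups[1].Value
        if ($body -match 'Proc-Type: 4,ENCRYPTED') {
            # TLS.ps1 hands the key body straight to AddKey, so it must be unencrypted.
            throw "$Path is an encrypted PEM; regenerate the key without a passphrase."
        }
        return ($body -replace '\s', '')   # base64 body on one line
    }
    return [System.Convert]::ToBase64String($bytes)   # DER file: encode the raw bytes
}

function Test-AmtCertificateBlob {
    param(
        [Parameter(Mandatory)][string]$Blob,
        [Parameter(Mandatory)][string]$ExpectedHostName
    )
    $der  = [System.Convert]::FromBase64String($Blob)   # throws if the blob is not valid base64
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    $dns  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        DnsName         = $dns
        NotAfter        = $cert.NotAfter
        Thumbprint      = $cert.Thumbprint
        # Steps 2 and 4 exist so that this is true: the name in the certificate is the
        # Intel AMT hostname the console will connect to.
        HostNameMatches = ($dns -ieq $ExpectedHostName)
    }
}

$sec = '\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts'
$rootBlob = ConvertTo-AmtBlob "$sec\rootCA\cacert.cer"   # -> $certificateBlob for AddTrustedRootCertificate
$keyBlob  = ConvertTo-AmtBlob "$sec\newkey.pem"          # -> $keyBlob for AddKey
$certBlob = ConvertTo-AmtBlob "$sec\newcert.pem"         # -> $certificateBlob for AddCertificate

# 'amt-client-01' is a placeholder: use the PROVISIONING_HOSTNAME value you set in Step 4.
Test-AmtCertificateBlob -Blob $certBlob -ExpectedHostName 'amt-client-01'
```

Paste $rootBlob, $keyBlob and $certBlob into the matching blob sections of TLS.ps1; if HostNameMatches is false, revisit Steps 2 and 4 before running the script.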

STEP 7: Run the TLS.ps1 script.

The script should install the RootCA, the Intel AMT Private key, and the Intel AMT Certificate on the Intel AMT Client.

Make sure to update Address in the script; this is the IP address of the Intel AMT client. Also ensure that you can connect to the WebUI: if something is wrong with the network connection, the TLS.ps1 script will not run.

If TLS.ps1 executes without error, the Intel AMT client will now be operating using TLS communication.

You can now connect to the WebUI using https and port 16993.

STEP 8: Address certificate warnings.

When connecting through TLS, you will now get a certificate warning.

In order for the WebUI to open without the certificate warning, make sure the following certificates are installed on the machine from which the WebUI is being accessed:

RootCA:
\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\rootCA\cacert.cer

SubCA:
\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\subCA\subcacert.der
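Once TLS.ps1 has run, the following PowerShell function (an added example, not from the guide or the SDK) shows what the Intel AMT client actually presents on port 16993: whether it is the certificate from newcert.pem, whether it chains to cacert.cer through subcacert.der, and which TLS version was negotiated. It connects to the sample address used in TLS.ps1; replace that with your client's address.

```powershell
# Added example (not from the guide or the Intel AMT SDK). Connects to the Intel AMT TLS
# port, compares the presented certificate with newcert.pem and chains it to the demo CA.
function Test-AmtTlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$AmtHost,          # hostname or IP used in Address
        [Parameter(Mandatory)][string]$ExpectedCertPath, # SecScripts\newcert.pem
        [Parameter(Mandatory)][string]$RootCaPath,       # SecScripts\rootCA\cacert.cer
        [Parameter(Mandatory)][string]$SubCaPath,        # SecScripts\subCA\subcacert.der
        [int]$Port = 16993
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $expected = New-Object "$ns.X509Certificate2" -ArgumentList $ExpectedCertPath
    $rootCa   = New-Object "$ns.X509Certificate2" -ArgumentList $RootCaPath
    $subCa    = New-Object "$ns.X509Certificate2" -ArgumentList $SubCaPath
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $AmtHost, $Port
    try {
        # Accept whatever is presented so the handshake completes; validation is done below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $net = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $net, $false, $acceptAll
        $ssl.AuthenticateAsClient($AmtHost)
        $presented = New-Object "$ns.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
        # The demo root is not yet in this machine's trust store (Step 8 fixes that), so
        # UntrustedRoot is expected; the demo CA publishes no CRL, hence NoCheck.
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        $null = $chain.ChainPolicy.ExtraStore.Add($rootCa)
        $null = $chain.ChainPolicy.ExtraStore.Add($subCa)
        $null = $chain.Build($presented)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Protocol          = $ssl.SslProtocol
            PresentedSubject  = $presented.Subject
            MatchesNewCert    = ($presented.Thumbprint -eq $expected.Thumbprint)
            ChainEndsInRootCa = ($top.Thumbprint -eq $rootCa.Thumbprint)
            OtherChainErrors  = @($chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' } | ForEach-Object { $_.Status })
            NameMatchesHost   = ($presented.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -ieq $AmtHost)
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$sec = '\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts'
# 10.14.164.24 is the sample address from TLS.ps1. Connecting by IP address makes
# NameMatchesHost false by design, since the certificate names the Intel AMT hostname.
Test-AmtTlsEndpoint -AmtHost '10.14.164.24' -ExpectedCertPath "$sec\newcert.pem" -RootCaPath "$sec\rootCA\cacert.cer" -SubCaPath "$sec\subCA\subcacert.der"
```

MatchesNewCert and ChainEndsInRootCa should both be true and OtherChainErrors empty; once cacert.cer and subcacert.der are installed as described in Step 8, the browser warning disappears for the same reason.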

STEP 9: Create additional certificates as needed.

Modify the host name as defined in Step 4.

After the new host name is modified, run the certgen.bat file from step 5.

Follow steps 6 and 7 to configure the new Intel AMT client for TLS encryption.

Developer Resources for Intel® vPro™ Technology

The following sources provide more information about developing for Intel vPro Technology:

Appendix A: System Configuration to Run the Intel® vPro™ Technology Module for Windows PowerShell*

If you encounter errors while trying to run the Intel® vPro™ Technology PowerShell scripts on your management console, it is possible that either the Intel vPro Technology module for Windows PowerShell has not been installed or it is not configured correctly. The following steps cover how to configure your system to use this powerful interface.

Step A: Verify that the PowerShell Module is installed on your system.

If the PowerShell module is not installed, go to the following folder in the Intel AMT SDK and install it (both 32-bit and 64-bit versions are available).

SDK folder: ..\Windows\Common\WS-Management\Scripting Framework:

Step B: Run PowerShell Scripts in the PowerShell command window environment.

Search for “PowerShell” in the Start window.

Run the x86 window as administrator:

A PowerShell command window appears.

First check to see what the current policy is; if it is already set, you do not need to change it:

Note Setting the execution policy to RemoteSigned is generally appropriate, but certain network configurations will require setting execution policy to Unrestricted.

Step C: Configure the execution policy, if required.

Enter the following command to set the execution policy:

Step D: Import the Intel vPro Technology module.

After completing steps A through D, your system will be configured to run the Intel vPro Technology PowerShell scripts from within the command window environment.

If you will be running Intel vPro Technology PowerShell scripts from within the PowerShell ISE, follow the configuration instructions given below in steps E and F.

Step E: Bring up PowerShell ISE as Administrator and open the TLS.ps1 file to be edited.

Note You may have to use the Open option from the File menu, and you may be unable to drag it into the window.

Step F: In the PowerShell ISE, configure the execution policy.

Set the execution policy in the PowerShell environment to Unrestricted or RemoteSigned (see steps B and C, above), entering the configuration command in the bottom window in the PowerShell ISE:

Note The TLS.ps1 script imports the Intel vPro Technology module, so it is not necessary to enter the import command in the command window.

After completing steps E and F, your system is ready to run the Intel vPro Technology module scripts in the PowerShell ISE environment.

Appendix B: TLS.PS1 Script

This appendix contains the contents of the script called for in step 6 of the procedure in the main body of this guide. The file is a collection of some of the PowerShell scripts that exist in the Intel AMT SDK, the licensing for which also governs this snippet. The relevant legal notice appears as part of the Intel® AMT SDK download.

########################################
# Create a Wsman Connection Object     #
########################################
# TLS.ps1 loads the Intel vPro Technology module itself (see Appendix A, step F),
# so it is imported here and removed again at the end of the script.
Import-Module 'IntelvPro'

$wsmanConnectionObject = new-object 'Intel.Management.Wsman.WsmanConnection'
# Sample credentials and address from the guide; replace them with your own and set
# Address to the IP address of the Intel AMT client (Step 7). Before TLS is enabled
# the connection uses plain HTTP on port 16992.
$wsmanConnectionObject.Username = "admin"
$wsmanConnectionObject.Password = "P@ssw0rd"
$wsmanConnectionObject.Address = "http://10.14.164.24:16992/wsman"

# Add the Trusted Root CA
# Paste the base64 body of rootCA\cacert.cer here as a single line (Step 6).
$certificateBlob = "<BASE64 BLOB FROM cacert.cer>"
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel® AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("AddTrustedRootCertificate")
$inputObject.AddProperty("CertificateBlob", $certificateBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")   # 0 means success
if($returnValue -like "0")
{
    # The $publicKeyCertificateRef is an EPR to the new AMT_PublicKeyCertificate object.
    $publicKeyCertificateRef = $outputObject.GetProperty("CreatedCertificate").Ref
}

# Add AMT private Key
# Paste the base64 body of newkey.pem here as a single line (Step 6).
$keyBlob = "<BASE64 BLOB FROM newkey.pem>"
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel® AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("AddKey")
$inputObject.AddProperty("KeyBlob", $keyBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
{
    # The $publicPrivateKeyPairRef is an EPR to the new AMT_PublicPrivateKeyPair object.
    $publicPrivateKeyPairRef = $outputObject.GetProperty("CreatedKey").Ref
}

# Add AMT Certificate
# Paste the base64 body of newcert.pem here as a single line (Step 6).
$certificateBlob = "<BASE64 BLOB FROM newcert.pem>"
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel® AMT Public Key Management Service'")
$inputCertificate = $publicKeyManagementServiceRef.CreateMethodInput("AddCertificate")
$inputCertificate.AddProperty("CertificateBlob", $certificateBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputCertificate)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
{
    # The $publicKeyCertificateRef is an EPR to the new AMT_PublicKeyCertificate object.
    $publicKeyCertificateRef = $outputObject.GetProperty("CreatedCertificate").Ref
}

# Add TLS certificate
$tlsProtocolEndpointCollectionRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSProtocolEndpointCollection WHERE ElementName='TLSProtocolEndpoint Instances Collection'")
$tlsCredentialContextInstance = $wsmanConnectionObject.NewInstance("AMT_TLSCredentialContext")
# $publicKeyCertificateRef is an EPR to the AMT_PublicKeyCertificate object created by the 'Add AMT Certificate' step above.
$tlsCredentialContextInstance.SetProperty("ElementInContext", $publicKeyCertificateRef)
$tlsCredentialContextInstance.SetProperty("ElementProvidingContext", $tlsProtocolEndpointCollectionRef)
$tlsCredentialContextInstance.Create()

# Enable TLS on remote interface (server authentication only; the console is not asked for a client certificate)
$tlsSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='Intel® AMT 802.3 TLS Settings'")
$tlsSettingDataInstance = $tlsSettingDataRef.Get()
$tlsSettingDataInstance.SetProperty("Enabled", "true")
$tlsSettingDataInstance.SetProperty("MutualAuthentication", "false")
$tlsSettingDataRef.Put($tlsSettingDataInstance)

# Enable TLS on local interface.
$tlsSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='Intel® AMT LMS TLS Settings'")
$tlsSettingDataInstance = $tlsSettingDataRef.Get()
$tlsSettingDataInstance.SetProperty("Enabled", "true")
$tlsSettingDataInstance.SetProperty("MutualAuthentication", "false")
$tlsSettingDataRef.Put($tlsSettingDataInstance)

# Commit changes (the TLS settings take effect only after this call succeeds)
$setupAndConfigurationServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_SetupAndConfigurationService WHERE Name='Intel® AMT Setup and Configuration Service'")
$inputObject = $setupAndConfigurationServiceRef.CreateMethodInput("CommitChanges")
$outputObject = $setupAndConfigurationServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")   # 0 means success

Remove-Module 'IntelvPro'

##### End of file
