PKI Certificate Verification Methods

During remote setup and configuration using PKI, the Setup and Configuration Application (SCA) presents a certificate to the Intel AMT device. Intel AMT accepts the certificate only if all of the following hold:

   The certificate is an SSL server certificate.

   The certificate contains a designated OID or designated OU (see Prerequisites for Remote Configuration).

   The certificate chain of trust ends in a root CA whose hash is pre-installed in the Intel AMT device, and that hash is enabled.

   The certificate identifier (the CN field of the certificate Subject, or a DNS entry in the Subject Alternative Name) is validated according to the configuration mode, as follows (the certificate identifier is noted as <CN>):

   Unsecure DNS modes:

      "Default" (no PKI DNS Suffix or SCA FQDN configured): DHCP option 15 (or DHCPv6 option 24) is a suffix of <CN>.

      PKI DNS Suffix set via OS agent: DHCP option 15 (or DHCPv6 option 24) is a suffix of <CN> AND the PKI DNS Suffix is a suffix of <CN>.

   Secure DNS modes:

      PKI DNS Suffix set via MEBx/USB: the PKI DNS Suffix is a suffix of <CN>.

      SCA FQDN set via MEBx/USB: the SCA FQDN is identical to <CN>.

Note the following:

   Unsecure DNS – The <CN> verification relies on non-secure external data (the domain suffix obtained via DHCP option 15 or DHCPv6 option 24). DHCP is unauthenticated, so a rogue DHCP server on the same network can supply that suffix.

   Secure DNS – The <CN> verification relies only on values entered locally (via MEBx or USB) and does not depend on external data.

   Defining SCA FQDN also affects the way Intel AMT tries to locate the SCA (see step 2.2.a of Overview of PSK/PKI/Automatic Configuration Flow).

   Defining PKI DNS Suffix does not affect the way Intel AMT tries to locate the SCA. This means that even in Secure DNS mode, the presence of DHCP option 15 or DHCPv6 option 24 may still be required in order to locate the SCA; it is then used only for locating the SCA, not for validating <CN>.

   There are some exceptions:

   Wildcard Certificate – A certificate issued for *.some.domain can provision the device even when an SCA FQDN is defined, as long as the wildcard's base domain (some.domain) is a suffix of the SCA FQDN (e.g. SCA FQDN = sca.someDepartment.some.domain). Note that this is broader than standard TLS wildcard matching, where * covers a single label only.

   .com/.net – Configuration succeeds if <CN> and the DHCP/PKI DNS Suffix both end with .com or .net and share the same "second level" domain (e.g. csa.ftl.intel.com can configure platforms in the dev.intel.com domain). This is supported starting from Releases 2.2 and 2.6 and later. Releases 4.1/5.1 and later extend this to other Top Level Domains (TLDs), as described under Top Level Domain Extended Support below.


Top Level Domain Extended Support

Customers whose domains fall under the Top Level Domains (TLDs) listed below can use a single SSL certificate to provision Intel vPro platforms in other subdomains of their registered domain. Different TLD registrars apply different policies on the level at which customer domains are registered. In general there are three registration types:

   Type A: 2nd level domain registration. For example, under ".de" (Germany) the name is registered directly under the TLD: "intel.de".

   Type B: 3rd level domain registration. The registrar allocates a set of predefined 2nd level domains and customer registration takes place at the 3rd level. For example, under ".uk" some generic 2nd level names are ".ac.uk" and ".co.uk", and a customer registration is "intel.co.uk".

   Type C: Registration may take place either as a 3rd level domain under specific generic 2nd level domains, or directly as a 2nd level domain. For example, China's ".cn" registrar allows registration either as "intel.cn" or as "intel.com.cn".

The Intel AMT Domain Level Depth in the tables below is the number of labels, counted from the TLD, that Intel AMT treats as the registered domain when applying the "same second level domain" rule: depth 2 means intel.de, depth 3 means intel.co.uk.


Country Code Top Level Domain                Intel AMT Domain Level Depth

ch, cl, cz, de, dk, ua                       2

ar, at, be, bg, br, ca, cn, co, ee, es,      3
fi, fr, gr, hk, hr, hu, id, ie, il, in,
lt, mx, nl, no, nz, pl, pt, ro, ru, se,
sg, th, tr, tw, uk, za


Generic Top Level Domain                     Intel AMT Domain Level Depth

com, edu, gov, net, org                      2

arpa                                         3
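The following is an added worked example, not Intel's own code or firmware logic: it implements the <CN> acceptance rules from the verification table above (one branch per configuration mode), together with the wildcard exception for SCA FQDN mode and the ".com/.net" same-second-level-domain rule generalized over the TLD depth tables in this section. The mode names, the AmtDnsSettings dataclass and the sample host names are my own; a TLD missing from the tables is assumed to get no second-level relaxation (strict suffix match only).

```python
"""Intel AMT-style SCA certificate identifier check (added example, not Intel code)."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Domain level depth per TLD, transcribed from the two tables above.
TLD_DEPTH = {
    # country-code TLDs
    "ch": 2, "cl": 2, "cz": 2, "de": 2, "dk": 2, "ua": 2,
    "ar": 3, "at": 3, "be": 3, "bg": 3, "br": 3, "ca": 3, "cn": 3, "co": 3,
    "ee": 3, "es": 3, "fi": 3, "fr": 3, "gr": 3, "hk": 3, "hr": 3, "hu": 3,
    "id": 3, "ie": 3, "il": 3, "in": 3, "lt": 3, "mx": 3, "nl": 3, "no": 3,
    "nz": 3, "pl": 3, "pt": 3, "ro": 3, "ru": 3, "se": 3, "sg": 3, "th": 3,
    "tr": 3, "tw": 3, "uk": 3, "za": 3,
    # generic TLDs
    "com": 2, "edu": 2, "gov": 2, "net": 2, "org": 2, "arpa": 3,
}

MODES = ("default", "pki_suffix_os_agent", "pki_suffix_mebx_usb", "sca_fqdn_mebx_usb")
SECURE_DNS_MODES = MODES[2:]  # modes that never consult DHCP-supplied data


def _labels(name: str) -> list:
    """Lower-case DNS labels of a name, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def is_dns_suffix(suffix: str, name: str) -> bool:
    """Label-aligned suffix test: 'intel.com' is a suffix of 'sca.intel.com',
    but 'tel.com' is not (a plain str.endswith() would wrongly accept it)."""
    s, n = _labels(suffix), _labels(name)
    return len(s) <= len(n) and n[-len(s):] == s


def registered_domain(name: str) -> Optional[str]:
    """Registered domain at the depth the table gives for the TLD, e.g.
    'intel.com' for csa.ftl.intel.com and 'intel.co.uk' for sca.intel.co.uk.
    Assumption: a TLD absent from the table yields None (no relaxation)."""
    n = _labels(name)
    depth = TLD_DEPTH.get(n[-1])
    if depth is None or len(n) < depth:
        return None
    return ".".join(n[-depth:])


def suffix_rule(suffix: str, cn: str) -> bool:
    """'X is a suffix of <CN>' as the page defines it: a real DNS suffix, or
    the same registered domain (the .com/.net rule extended via TLD_DEPTH)."""
    if is_dns_suffix(suffix, cn):
        return True
    rd = registered_domain(cn)
    return rd is not None and rd == registered_domain(suffix)


@dataclass
class AmtDnsSettings:
    mode: str                            # one of MODES (hypothetical names)
    dhcp_suffix: Optional[str] = None    # DHCP option 15 / DHCPv6 option 24
    pki_dns_suffix: Optional[str] = None
    sca_fqdn: Optional[str] = None


def identifier_accepted(cfg: AmtDnsSettings, cn: str) -> bool:
    """Apply the verification-table row for cfg.mode to one identifier."""
    if cfg.mode == "default":
        return cfg.dhcp_suffix is not None and suffix_rule(cfg.dhcp_suffix, cn)
    if cfg.mode == "pki_suffix_os_agent":
        # Agent-set suffix is untrusted on its own: the DHCP suffix must match too.
        return (cfg.dhcp_suffix is not None and cfg.pki_dns_suffix is not None
                and suffix_rule(cfg.dhcp_suffix, cn)
                and suffix_rule(cfg.pki_dns_suffix, cn))
    if cfg.mode == "pki_suffix_mebx_usb":
        return cfg.pki_dns_suffix is not None and suffix_rule(cfg.pki_dns_suffix, cn)
    if cfg.mode == "sca_fqdn_mebx_usb":
        if cfg.sca_fqdn is None:
            return False
        n = ".".join(_labels(cn))
        if n.startswith("*."):
            # Wildcard exception: *.some.domain is accepted when some.domain is a
            # suffix of the SCA FQDN (broader than the one-label RFC 6125 match).
            return is_dns_suffix(n[2:], cfg.sca_fqdn)
        return n == ".".join(_labels(cfg.sca_fqdn))  # exact match, case-insensitive
    raise ValueError(f"unknown mode {cfg.mode!r}")


def certificate_accepted(cfg: AmtDnsSettings, subject_cn: str,
                         san_dns_names: Sequence[str] = ()) -> bool:
    """The identifier may be the Subject CN or any SAN dNSName entry."""
    return any(identifier_accepted(cfg, ident) for ident in (subject_cn, *san_dns_names))


if __name__ == "__main__":
    # Constructed sample: the page's own .com example, then a type-B (.uk) case.
    dflt = AmtDnsSettings("default", dhcp_suffix="dev.intel.com")
    print(certificate_accepted(dflt, "csa.ftl.intel.com"))          # True
    uk = AmtDnsSettings("default", dhcp_suffix="dev.intel.co.uk")
    print(certificate_accepted(uk, "sca.corp.intel.co.uk"))         # True
    sca = AmtDnsSettings("sca_fqdn_mebx_usb", sca_fqdn="sca.someDepartment.some.domain")
    print(certificate_accepted(sca, "*.some.domain"))               # True (wildcard)
```

The label-aligned suffix test matters: with a byte-wise suffix comparison, a DHCP suffix of tel.com would match a certificate for sca.intel.com, and in the Unsecure DNS modes that suffix is exactly the value a rogue DHCP server controls.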


Copyright © 2006-2013, Intel Corporation. All rights reserved.