Acquiring an Intel® vPro™ Certificate

The certificate used for host-based setup and configuration is the same kind of certificate as is required for remote configuration. It is a server certificate, used only for setup and configuration, with the appropriate OID or OU that traces to a CA that has a root certificate hash stored in the Intel AMT device.

To acquire a server certificate, contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. See the list at Certificate Chains for Host-Based Configuration or check Intel’s Manageability website for the root hashes found in different releases of Intel AMT. A list of the hashes should be provided by the platform vendor. Go to the vendor’s website site and purchase an “SSL certificate”.

For example, the following link to Verisign’s* site shows how to purchase an appropriate certificate:

Use the OID or the OU values described here (or both) when defining the certificate.


   The Extended Key Usage (EKU) field is a list of OIDs separated by commas. It should contain an Intel AMT unique OID (2.16.840.1.113741.1.2.3) if possible. It must contain the “SSL Server” OID (an IANA pre- defined OID).

–     OR –

   The OU value in the Subject field must be “Intel(R) Client Setup Certificate”. This OU value is case-sensitive and must be entered exactly.

   The Domain suffix in the leaf certificate must match the Domain suffix of the DNS entry associated with the host platform.

   The certificate and all the elements in the certificate chain should be created using the SHA_2 hashing algorithm.


Copyright © 2006-2022, Intel Corporation. All rights reserved.