The certificate used for host-based setup and configuration is the same kind of certificate as is required for remote configuration. It is a server certificate, used only for setup and configuration, with the appropriate OID or OU that traces to a CA that has a root certificate hash stored in the Intel AMT device.
To acquire a server certificate, contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. See the list at Certificate Chains for Host-Based Configuration or check Intel’s Manageability website for the root hashes found in different releases of Intel AMT. A list of the hashes should be provided by the platform vendor. Go to the vendor’s website and purchase an “SSL certificate”.
For example, the following link to Verisign’s* site shows how to purchase an appropriate certificate: http://www.verisign.com/ssl/intel-vpro-technology/index.html.
Use the OID or the OU values described here (or both) when defining the certificate.
• The Extended Key Usage (EKU) field is a list of OIDs separated by commas. It should contain an Intel AMT unique OID (2.16.840.1.1137188.8.131.52) if possible. It must contain the “SSL Server” OID (an IANA pre-defined OID).
– OR –
• The OU value in the Subject field must be “Intel(R) Client Setup Certificate”. This OU value is case-sensitive and must be entered exactly.
• The Domain suffix in the leaf certificate must match the Domain suffix of the DNS entry associated with the host platform.
• The certificate and all the elements in the certificate chain should be created using the SHA-2 hashing algorithm.
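The requirements listed above can be checked before a purchased certificate is deployed. The following is an added example, not code from Intel or the Intel AMT SDK. It assumes the leaf certificate's fields have already been extracted into a dictionary (the `cn`, `ou` and `eku` keys and all function names are hypothetical), reads the list as "SSL Server OID always required, plus the Intel AMT OID or the OU", and assumes the domain suffix is compared case-insensitively on a DNS label boundary.

```python
# Added example: policy check over fields already extracted from a leaf certificate.
AMT_OID = "2.16.840.1.1137188.8.131.52"  # Intel AMT OID exactly as printed on this page
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, the "SSL Server" EKU
SETUP_OU = "Intel(R) Client Setup Certificate"
SHA2_ALGS = {"sha224", "sha256", "sha384", "sha512"}


def suffix_matches(cert_cn, host_dns_suffix):
    """True if cert_cn equals the suffix or ends with it on a label boundary."""
    cn = cert_cn.lower().rstrip(".")
    suffix = host_dns_suffix.lower().strip(".")
    return bool(suffix) and (cn == suffix or cn.endswith("." + suffix))


def check_setup_cert(leaf, chain_hash_algs, host_dns_suffix):
    """Return a list of rule violations; an empty list means the cert passes."""
    problems = []
    eku = set(leaf.get("eku", []))
    if SERVER_AUTH_OID not in eku:
        problems.append("EKU lacks the SSL Server OID")
    has_oid = AMT_OID in eku
    has_ou = SETUP_OU in leaf.get("ou", [])  # exact, case-sensitive comparison
    if not (has_oid or has_ou):
        problems.append("neither the Intel AMT OID nor the setup OU is present")
    if not suffix_matches(leaf.get("cn", ""), host_dns_suffix):
        problems.append("domain suffix does not match the host DNS suffix")
    # Every signature in the chain is expected to use a SHA-2 family hash.
    weak = [a for a in chain_hash_algs if a.lower() not in SHA2_ALGS]
    if weak:
        problems.append("non-SHA-2 hash in chain: " + ", ".join(weak))
    return problems


# Constructed sample inputs (not real certificates).
GOOD = {"cn": "setup.corp.example.com", "ou": [SETUP_OU], "eku": [SERVER_AUTH_OID]}
BAD = {"cn": "setup.notexample.com", "ou": ["intel(r) client setup certificate"],
       "eku": [SERVER_AUTH_OID]}

if __name__ == "__main__":
    print(check_setup_cert(GOOD, ["sha256", "sha256"], "example.com"))
    print(check_setup_cert(BAD, ["sha256", "sha1"], "example.com"))
```

The second sample fails three rules at once: the OU differs only in case, the CN ends in `notexample.com` rather than a label under `example.com`, and one chain element is signed with SHA-1.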
Copyright © 2006-2022, Intel Corporation. All rights reserved.