Acquiring an Intel® vPro™ Certificate

Setup and Configuration of Intel AMT > Setup and Configuration Methods > Host-Based Setup and Configuration > Acquiring an Intel® vPro™ Certificate

Acquiring an Intel® vPro™ Certificate

The certificate used for host-based setup and configuration is the same kind of certificate as is required for remote configuration. It is a server certificate, used only for setup and configuration, with the appropriate OID or OU that traces to a CA that has a root certificate hash stored in the Intel AMT device.

To acquire a server certificate, contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. See the list at Certificate Chains for Host-Based Configuration or check Intel’s Manageability website for the root hashes found in different releases of Intel AMT. A list of the hashes should be provided by the platform vendor. Go to the vendor’s website site and purchase an “SSL certificate”.

For example, the following link to Verisign’s* site shows how to purchase an appropriate certificate: http://www.verisign.com/ssl/intel-vpro-technology/index.html.

Use the OID or the OU values described here (or both) when defining the certificate.

Note:

• The Extended Key Usage (EKU) field is a list of OIDs separated by commas. It should contain an Intel AMT unique OID (2.16.840.1.113741.1.2.3) if possible. It must contain the “SSL Server” OID (an IANA pre- defined OID).

– OR –

• The OU value in the Subject field must be “Intel(R) Client Setup Certificate”. This OU value is case-sensitive and must be entered exactly.

• The Domain suffix in the leaf certificate must match the Domain suffix of the DNS entry associated with the host platform.

• The certificate and all the elements in the certificate chain should be created using the SHA_2 hashing algorithm.