CollapseAll image

Add a Trusted Root Certificate

Intel AMT supports using TLS to authenticate a peer if the peer presents a certificate that is signed by a root certificate that was added to the Intel AMT certificate store.

Note: Prior to Intel AMT 11.8, only a root certificate can be added to the certificate store via the AMT_PublicKeyManagementService.AddTrustedRootCertificate method described below. Starting with Intel AMT 11.8, an intermediate certificate can be added to the certificate store, and Intel AMT will treat it as a trusted certificate and will authenticate the peer presenting the certificate signed by this intermediate certificate.

The following steps describe how to add a trusted root certificate to the Intel AMT certificate store.

1.  Create a trusted root certificate blob in Base64 format.

2.  Retrieve the instance of AMT_PublicKeyManagementService, where the “Name” key equals “Intel(r) AMT Public Key Management Service”.

3.  Invoke AMT_PublicKeyManagementService.AddTrustedRootCertificate with the following parameter:




The trusted root certificate blob created in step 1.


note-icon Note:

A trusted root certificate cannot be added if Network or Local Authentication modes are set to Mutual Authentication.

The method returns the EPR of the AMT_PublicKeyCertificate instance representing the trusted root certificate that was created. This EPR is used in the Remove a Trusted Root Certificate flow.


Click here for a snippet demonstrating this step

You can execute this snippet by inserting it into the execution template found here.


$certificateBlob =# The trusted root certificate blob created in step 1.

$publicKeyManagementServiceRef =$wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel(r) AMT Public Key Management Service'")

$inputObject =$publicKeyManagementServiceRef.CreateMethodInput("AddTrustedRootCertificate")


$outputObject =$publicKeyManagementServiceRef.InvokeMethod($inputObject)

$returnValue =$outputObject.GetProperty("ReturnValue")

if($returnValue -like "0")


          # The $publicKeyCertificateRef is an EPR to the new AMT_PublicKeyCertificate object.

    $publicKeyCertificateRef =$outputObject.GetProperty("CreatedCertificate").Ref 




Instance Diagram

Classes Used in This Flow

SDK Sample

If there is a sample demonstrating this flow, it is included in the SDK installation file. See SDK Installation Layout for details.


Copyright © 2006-2022, Intel Corporation. All rights reserved.