
Add Certificate Chain

The following steps describe how to load a certificate chain into Intel AMT for use by either the IPS_HostBasedSetupService.AdminSetup method or the IPS_HostBasedSetupService.UpgradeClientToAdmin method.

Note:

If this flow is performed before Setup, while Intel AMT is in an unconfigured state, use the $$OsAdmin credentials. If Setup was already performed, use the Intel AMT admin credentials to perform the flow and skip step 3 below; in that case the flow can also be initiated remotely.

 

1.  Acquire a certificate derived from a root certificate authority whose root certificate is incorporated into Intel AMT. See Acquiring an Intel® vPro™ Certificate.

2.  If necessary, split the chain into separate files, as described in Certificate Chains for Host-Based Configuration.

3.  (Only when Intel AMT is in a pre-provisioning state.) Retrieve the $$OsAdmin credentials by invoking the MEI command CFG_GetLocalSystemAccount, which returns the user ID (always $$OsAdmin) and a randomly generated password. Alternatively, invoke the WMI method OOB_Service.GetLocalAdminCredentials via the ME WMI provider. (See Intel ME WMI Provider). The PC user who performs this step must have OS Admin privileges on the host platform. Use the returned credentials for the following WS-Management requests.

Snippet demonstrating this step (it can be executed by inserting it into the execution template):

  

# Ask the ME WMI provider for the local admin credentials (requires OS Admin privileges on the host)
$connectionWMI = Invoke-WmiMethod -Class OOB_Service -Namespace "ROOT\Intel_ME:OOB_Service" -ComputerName "localhost" -Name "GetLocalAdminCredentials"

$user = $connectionWMI.Username      # always $$OsAdmin

$password = $connectionWMI.Password  # randomly generated password


4.  Retrieve the instance of IPS_HostBasedSetupService, where the “Name” key equals “Intel(r) AMT Host Based Setup Service”.

5.  Invoke IPS_HostBasedSetupService.AddNextCertInChain to send each certificate in the chain:

a.   Send the leaf certificate. Set the IsLeafCertificate parameter to TRUE and the IsRootCertificate parameter to FALSE.

b.   For any certificates from intermediate certification authorities, set the IsLeafCertificate parameter to FALSE and the IsRootCertificate parameter to FALSE.

c.    Now send the root certificate. Set the IsLeafCertificate parameter to FALSE and the IsRootCertificate parameter to TRUE.

Snippet demonstrating this step (it can be executed by inserting it into the execution template):

  

$certificate = "<certificate from the certificate chain>"  # placeholder: replace with the certificate being sent

$isLeafCertificate = 'true'   # TRUE only when sending the leaf certificate

$isRootCertificate = 'false'  # TRUE only when sending the root certificate

$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")

$inputObject = $hostBasedSetupServiceRef.CreateMethodInput("AddNextCertInChain")

$inputObject.SetProperty("NextCertificate", $certificate)

$inputObject.SetProperty("IsLeafCertificate", $isLeafCertificate)

$inputObject.SetProperty("IsRootCertificate", $isRootCertificate)

$outputObject = $hostBasedSetupServiceRef.InvokeMethod($inputObject)

$returnValue = $outputObject.GetProperty("ReturnValue")  # check this after every certificate


6.  At any step, you can invoke IPS_HostBasedSetupService.Get and examine the CertChainStatus property.

Snippet demonstrating this step (it can be executed by inserting it into the execution template):

  

$hostBasedSetupServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")

$hostBasedSetupServiceInstance = $hostBasedSetupServiceRef.Get()

$certChainStatus = $hostBasedSetupServiceInstance.GetProperty("CertChainStatus")


Note:

If any of the steps in this sequence fail, the chain is deleted. The process will have to start again with the leaf certificate.
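The whole of steps 4 to 6 as one function, added here as an example and not taken from the Intel AMT SDK. It assumes the $wsmanConnectionObject from the execution template, one PEM file per certificate of the already split chain, and that NextCertificate accepts the base64 body of the PEM file (an assumption); it stops at the first failed step, since the chain is then discarded and must be resent from the leaf.

```powershell
# Added example (not SDK code). Assumes $wsmanConnectionObject from the
# execution template and that NextCertificate takes the base64 PEM body.
function Get-CertBase64([string]$Path) {
    # Strip the PEM armor and whitespace, leaving the base64 DER (assumption)
    $pem = Get-Content -Path $Path -Raw
    $pem = $pem -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', ''
    return ($pem -replace '\s', '')
}

function Send-CertChain {
    param(
        [string]$LeafPath,
        [string[]]$IntermediatePaths = @(),
        [string]$RootPath
    )
    $ref = $wsmanConnectionObject.NewReference("SELECT * FROM IPS_HostBasedSetupService WHERE Name='Intel(r) AMT Host Based Setup Service'")

    # Order is mandatory: leaf first, then intermediates, root last.
    $entries = @(@{ Path = $LeafPath; Leaf = 'true'; Root = 'false' })
    foreach ($p in $IntermediatePaths) { $entries += @{ Path = $p; Leaf = 'false'; Root = 'false' } }
    $entries += @{ Path = $RootPath; Leaf = 'false'; Root = 'true' }

    foreach ($e in $entries) {
        $methodInput = $ref.CreateMethodInput("AddNextCertInChain")
        $methodInput.SetProperty("NextCertificate", (Get-CertBase64 $e.Path))
        $methodInput.SetProperty("IsLeafCertificate", $e.Leaf)
        $methodInput.SetProperty("IsRootCertificate", $e.Root)
        $out = $ref.InvokeMethod($methodInput)
        $rv = $out.GetProperty("ReturnValue")
        # ReturnValue 0 is PT_STATUS_SUCCESS; anything else means Intel AMT
        # has discarded the chain and the caller must start again at the leaf.
        if ("$rv" -ne "0") {
            throw "AddNextCertInChain failed for $($e.Path) (ReturnValue=$rv); chain discarded, resend from the leaf"
        }
    }
    # Step 6: report the firmware's view of the chain after the last certificate
    return $ref.Get().GetProperty("CertChainStatus")
}

# Usage with constructed file names (the chain split as in step 2):
# $status = Send-CertChain -LeafPath .\leaf.pem -IntermediatePaths @('.\intermediate.pem') -RootPath .\root.pem
```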

 

Instance Diagram

Classes Used in This Flow

SDK Sample

Located at: <SDK_Root>\Windows\Intel_AMT\Samples\Configuration\HostBasedSetup.

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.