Certificate Chains for Host-Based Configuration

A certificate chain contains a series of public key certificates in PEM format, or it can be a series of one or more PEM files. Each certificate is delimited by a -----BEGIN CERTIFICATE----- string at the beginning and an -----END CERTIFICATE----- string at the end.

The first certificate in the chain is the leaf certificate – the actual certificate used to perform setup. The application initiating setup has access to the private key for this certificate. To create such a certificate, see Acquiring an Intel® vPro™ Certificate.

The last certificate in the chain is the root certificate – generated by the certification authority (CA).

Between the leaf certificate and the root certificate are certificates for intermediate CAs. There may be none or one or more. Each intermediate CA derives its authority from the next CA in the chain. The leaf certificate was generated by the first intermediate CA, the certificate of the first intermediate CA was generated by the second intermediate CA, and so on. The certificate of the last intermediate CA was generated by the Root CA.

For example, a chain with two intermediate CA certificates would look like this:

-----BEGIN CERTIFICATE-----
Body of the leaf certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the first intermediate certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the second intermediate certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the root certificate
-----END CERTIFICATE-----

Because the WS-Management implementation limits the length of the certificate file that an application can send, the certificates must be sent one at a time, starting with the leaf certificate and ending with the root certificate. To do this:

1.  If the chain is not already a series of individual files, divide the PEM file into individual files, each beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

2.  Invoke the IPS_HostBasedSetupService.AddNextCertInChain method for the leaf certificate. Intel AMT checks that the certificate is valid, that it is less than 4101 bytes long, and that its usage is as a signing certificate.

3.  Invoke the AddNextCertInChain method for each intermediate certificate. Intel AMT checks that the certificate is valid, that it is less than 4101 bytes long, that it is not the eleventh certificate in the chain, that the signing hash algorithm is SHA-1 or SHA-2, that the key usage is “certificate authority” and that the previous certificate is signed by the current certificate.

4.  Invoke the AddNextCertInChain method for the root certificate. Intel AMT validates that the certificate hash matches one of the stored hashes.

Note:

The root certificate must match one of the root certificate hashes embedded in the Intel AMT firmware. See Root Certificate Hashes.
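As an added example (not Intel SDK code), the following Python performs step 1 above and applies the two limits from steps 2 and 3 that a client can check before calling AddNextCertInChain: it splits a concatenated PEM chain into single certificates in leaf-to-root order, rejects a block whose base64 is malformed or whose PEM text reaches 4101 bytes, and refuses a chain of more than ten certificates. The certificate bodies are constructed stand-ins rather than real certificates, and the assumption that the size limit applies to the PEM text as sent is marked in the code; signature, key-usage and root-hash checks remain Intel AMT's job.

```python
import base64
import binascii
import re

MAX_CERT_BYTES = 4101  # each certificate must be less than 4101 bytes
MAX_CHAIN_LEN = 10     # an eleventh certificate in the chain is rejected

# One PEM block: delimiters plus a base64 body that may span several lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def split_chain(pem_chain: str) -> list[str]:
    """Split a concatenated PEM chain into single-certificate PEM strings.

    Order is preserved: index 0 is the leaf, the last entry is the root,
    which is the order AddNextCertInChain must be invoked in. Raises
    ValueError for bad base64, an oversized certificate, or too long a chain.
    """
    certs = []
    for match in _PEM_BLOCK.finditer(pem_chain):
        body = match.group(1)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {len(certs) + 1}: bad base64") from exc
        pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        # Assumption: the 4101-byte limit is measured on the PEM text as sent.
        if len(pem.encode()) >= MAX_CERT_BYTES:
            raise ValueError(f"certificate {len(certs) + 1} is {len(pem)} bytes; "
                             f"limit is {MAX_CERT_BYTES - 1}")
        certs.append(pem)
    if not certs:
        raise ValueError("no certificate found in input")
    if len(certs) > MAX_CHAIN_LEN:
        raise ValueError(f"chain has {len(certs)} certificates; "
                         f"AMT accepts at most {MAX_CHAIN_LEN}")
    return certs


def _fake_pem(label: str) -> str:
    """Constructed stand-in: base64 of a label, not a real DER certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed four-certificate chain in the order shown on this page.
SAMPLE_CHAIN = "".join(
    _fake_pem(n) for n in ("leaf", "intermediate-1", "intermediate-2", "root"))

if __name__ == "__main__":
    for i, cert in enumerate(split_chain(SAMPLE_CHAIN), 1):
        print(f"AddNextCertInChain call {i}:\n{cert}")
```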


See Also:

   Acquiring an Intel® vPro™ Certificate

   Add Certificate Chain

Copyright © 2006-2022, Intel Corporation. All rights reserved.