Intel AMT uses digital certificates for encryption and authentication purposes. A certificate may have different usages. For example, it can be used for TLS, EAC, or 802.1x. In order to unify the certificates usage model, Intel AMT stores all certificates in the Intel AMT certificate store. The certificate store can hold certificates with the same properties as long as they are binary different.
Multiple Certificates may have a single matching key. Certificates that do not have a matching key are used for reporting certificate chain dependency during authentication.
The Intel AMT certificate store can contain trusted root certificates, which are intended to authenticate clients, as well as private key certificates that are used to authenticate Intel AMT itself. The same certificate can be associated with different usages or flows.
The functionality of the certificate store is exposed via the AMT_PublicKeyManagementService class.
Creating Key Pairs and Signing Certificate Requests
Before Releases 6.2/7.0, an external application was required to create a public/private key pair for an Intel AMT PKI certificate. Releases 6.2 and 7.0 add two methods to the AMT_PublicKeyManagementService class – GenerateKeyPair and GeneratePKCS10RequestEx. By using these methods, it is possible for an application to create a key pair and a signed certificate request without ever having the private key anywhere but in the Intel AMT PKI store. This is the preferred method for creating certificate requests when the functionality is available. This is especially important when performing either a Manual Setup or a Host-Based Setup, where setting up for TLS is done in the clear. The Enroll a Certificate use case spells out all the steps for creating and storing a certificate using the new methods.
When adding a certificate chain to the Intel AMT device, the leaf (which has a private key) has to be installed as a certificate with a private key. (Add a Public-Private Key Pair)
All the other certificates in the chain which are SubCA certificates, out of the trusted root certificate, should be added as public key certificates. (Add a Public Key Certificate)
Starting with Intel AMT 6.0 certificates with SHA-224, SHA-256, SHA-384 and SHA-512 signatures are supported. There is no support for SHA-256 or higher encryption prior to Intel AMT6.0 Release
Intel AMT supports TLS on both the network and local interfaces using a server certificate or performing mutual authentication. Enabling TLS means enabling it for both local and remote interfaces.
The following limitations have been in place since Release 2.5:
Certificate Store Limitations
• 7 certificates with a maximum length each of 4100 bytes
• CertChainMaxSize: 4100 bytes ( per single file )
• In addition, there is space for 4 root certificate instances with a maximum length each of 1500 bytes. Beginning in Release 10.0 the maximum length was increased to 2500 bytes.
• CRL Store Size: 1424 bytes
RSA Key Store Limitations
• Server certificate supported key lengths: 1024, 1536, 2048 bits
• Number of keys: 7
Key Sizes supported when authenticating client certificates
• Mutually authenticated
client certificate supported key lengths: 1024, 1536, and 2048 bits.
512-bit keys are supported by Intel ME 6.1.30 firmware and later releases.
• Root certificates and certificates for intermediate CAs with 4096-bit keys are supported by Releases 2.6, 3.2, 4.2, 5.1, 5.2, 6.0 and later releases.
• Provisioning (PKI) certificate supported key lengths: 1024, 1536, 2048 bits for all releases.
Mutual TLS Authentication Limitations
• FqdnSuffixMaxEntries: 4
• FqdnSuffixMaxEntryLength: 63
• Intel AMT uses Root Certificates and optionally FqdnSuffix to verify Client certificates.
Certificate Revocation List (CRL)
Intel AMT can use a Certificate Revocation List (CRL) while mutually authenticating with a remote entity.
A Certification Authority (CA) should be configured to issue certificates that have a “CRL Distribution points” field so that this command can be used later to revoke the certificates. The CRL Distribution Points field should have an HTTP distribution point type, as Intel AMT does not support LDAP and other distribution point types. Intel AMT compares the CRL Distribution Point and serial number information included in the peer certificate with the contents of the stored revocation list. Intel AMT rejects certificates that match those in the CRL.
Active TLS sessions are not affected by changes in CRL settings due to session caching of the TLS stack.
Copyright © 2006-2022, Intel Corporation. All rights reserved.