This use case shows all the steps required to create and enroll a PKI certificate. Intel AMT can create a key pair and sign a certificate request that an application can then send to a Certification Authority. When the CA supplies the certificate, the application can add it to the Intel AMT certificate store.
1. Create a new public/private key pair.
a. Retrieve the instance of AMT_PublicKeyManagementService, where the “Name” key equals “Intel(r) AMT Public Key Management Service”.
b. Set the following values as GenerateKeyPair method input parameters:

| Parameter | Value |
|---|---|
| KeyAlgorithm | 0 (RSA) |
| KeyLength | 2048 bits (the only valid key length) |
c. Invoke the method GenerateKeyPair. The method returns an EPR to a new instance of AMT_PublicPrivateKeyPair.
d. Retrieve the instance of AMT_PublicPrivateKeyPair. The property DERKey contains the public portion of the key pair.
The following snippet demonstrates this step. You can execute it by inserting it into the execution template.

```powershell
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel(r) AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("GenerateKeyPair")
$inputObject.SetProperty("KeyAlgorithm", "0")   # 0 = RSA
$inputObject.SetProperty("KeyLength", "2048")   # only 2048-bit keys are valid
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if ($returnValue -like "0")
{
    # KeyPair is an EPR to the new AMT_PublicPrivateKeyPair instance.
    $publicPrivateKeyPairRef = $outputObject.GetProperty("KeyPair").Ref
    $publicPrivateKeyPairInstance = $publicPrivateKeyPairRef.Get()
    # DERKey holds the public half of the key pair.
    $derKey = $publicPrivateKeyPairInstance.GetProperty("DERKey")
}
```
2. Create a null request based on the Intel AMT platform FQDN, using the key created in step 1.
a. Set the Common Name based on the Intel AMT FQDN.
b. Build a PKCS10 request (the snippet below uses the MSDN certificate request structure; this could be done with OpenSSL or equivalent toolset).
c. Save the result.
The following snippet demonstrates this step. You can execute it by inserting it into the execution template.

```powershell
$amtFQDN = "amt.demo.com"
$cn = "CN = " + $amtFQDN
$nullSignedPKCS10Request = New-Object -ComObject "X509Enrollment.CX509CertificateRequestPkcs10"
$dn = New-Object -ComObject "X509Enrollment.CX500DistinguishedName"
$serverAuthOID = New-Object -ComObject "X509Enrollment.CObjectId"
$publicKey = New-Object -ComObject "X509Enrollment.CX509PublicKey"
# Initialize the key algorithm OID.
$serverAuthOID.InitializeFromName("16")   # 16 = XCN_OID_RSA_RSA (RSA)
# Wrap the AMT-generated public key; "1" = base64 encoding of $derKey.
$publicKey.Initialize($serverAuthOID, $derKey, "", "1")
$nullSignedPKCS10Request.InitializeFromPublicKey(0x02, $publicKey, "WebServer")   # 0x02 = ContextMachine
$dn.Encode($cn, "0")
$nullSignedPKCS10Request.Subject = $dn
# Add PKCS10 attributes as needed.
$objHash = New-Object -ComObject "X509Enrollment.CObjectId"
$objHash.InitializeFromAlgorithmName("1", "0", "0", "SHA256")
$nullSignedPKCS10Request.HashAlgorithm = $objHash
$nullSignedPKCS10Request.Encode()
# "3" = base64 with BEGIN/END request header lines, which step 3 strips.
$nullSignedPKCS10RequestDER = $nullSignedPKCS10Request.RawData("3")
```
3. Sign the request created in step 2.
a. Extract the body of the request by dropping anything in the request before the “BEGIN…” line and after the “END…” line.
b. Retrieve the instance of AMT_PublicKeyManagementService, where the “Name” key equals “Intel(r) AMT Public Key Management Service”.
c. Invoke the method GeneratePKCS10RequestEx with the following parameters:
| Parameter | Value |
|---|---|
| KeyPair | EPR to the key pair created in step 1. |
| SigningAlgorithm | 0 (SHA1-RSA) or 1 (SHA256-RSA) |
| NullSignedCertificateRequest | The null request created in step 2 |

In releases below 6.0 the SigningAlgorithm must be 0. From Release 6.0 the SigningAlgorithm can be 1 or 0.
d. The method returns a signed certificate request.
The following snippet demonstrates this step. You can execute it by inserting it into the execution template.

```powershell
# Strip the BEGIN/END header lines so only the base64 request body remains.
function ParseCertificateReq($nullSignedRequest)
{
    $BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
    $END = "-----END NEW CERTIFICATE REQUEST-----"
    $nullSignedRequest = $nullSignedRequest.Replace($BEGIN, "")
    $nullSignedRequest = $nullSignedRequest.Replace($END, "")
    return $nullSignedRequest
}
$nullRequest = ParseCertificateReq $nullSignedPKCS10RequestDER
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel(r) AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("GeneratePKCS10RequestEx")
$inputObject.SetProperty("KeyPair", $publicPrivateKeyPairRef)
$inputObject.SetProperty("SigningAlgorithm", "1")   # 1 = SHA256-RSA (Release 6.0 and later)
$inputObject.SetProperty("NullSignedCertificateRequest", $nullRequest)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if ($returnValue -like "0")
{
    $signedCertificateRequest = $outputObject.GetProperty("SignedCertificateRequest")
}
```
4. Submit the request to a Certification Authority. This can be an enterprise CA, the CA included in the OpenSSL tools, or some other implementation. The CA returns a certificate in .der format.
The following snippet demonstrates this step. You can execute it by inserting it into the execution template.

```powershell
$CR_OUT_BASE64 = 0x00000001
$CR_IN_PKCS10 = 0x00000100
$CR_DISP_ISSUED = 0x3
$ca = "ca.demo.com"   # The CA name.
$certificateRequest = New-Object -ComObject "CertificateAuthority.Request"
# Submit the request. The flags are combined bitwise (-bor), not logically (-or).
$disposition = $certificateRequest.Submit(($CR_OUT_BASE64 -bor $CR_IN_PKCS10), $signedCertificateRequest, $null, $ca)
if ($disposition -eq $CR_DISP_ISSUED)
{
    $certificate = $certificateRequest.GetCertificate($CR_OUT_BASE64)
}
```
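As an added check that is not part of the Intel AMT SDK sample, the following helper validates the issued certificate before it is added to the store in step 5. It assumes the `$certificate`, `$derKey` and `$amtFQDN` variables from the snippets above, and that DERKey is the PKCS#1 RSAPublicKey encoding that .NET's GetPublicKey() returns.

```powershell
# Added validation helper (not part of the Intel AMT SDK sample).
# Assumes $certificate (base64 DER from step 4), $derKey (base64 public key from
# step 1, assumed to be PKCS#1 RSAPublicKey) and $amtFQDN (step 2).
function Test-AmtIssuedCertificate($certificateBase64, $expectedDerKey, $expectedFQDN)
{
    $bytes = [Convert]::FromBase64String($certificateBase64)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    $problems = @()

    # The key in the certificate must be the key Intel AMT generated, otherwise the
    # platform would store a certificate it cannot use.
    if ([Convert]::ToBase64String($cert.GetPublicKey()) -ne $expectedDerKey)
    { $problems += "public key does not match the AMT-generated key pair" }

    # Subject CN must be the platform FQDN the request was built for.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $expectedFQDN) { $problems += "subject '$cn' does not match '$expectedFQDN'" }

    # The request used the WebServer template, so require the Server Authentication EKU.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })
    if (-not $hasServerAuth) { $problems += "missing Server Authentication EKU" }

    # Reject certificates that are already expired or not yet valid.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += "outside validity period" }

    return $problems
}

$issues = Test-AmtIssuedCertificate $certificate $derKey $amtFQDN
if ($issues.Count -gt 0)
{
    throw ("Refusing to add certificate to the Intel AMT store: " + ($issues -join "; "))
}
```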
5. Add the certificate to the Intel AMT certificate store.
a. Retrieve the instance of AMT_PublicKeyManagementService, where the “Name” key equals “Intel(r) AMT Public Key Management Service”.
b. Invoke the method AddCertificate with the following parameter:
| Parameter | Value |
|---|---|
| CertificateBlob | The certificate in .der format. |
c. The method returns an EPR to a new instance of AMT_PublicKeyCertificate.
The following snippet demonstrates this step. You can execute it by inserting it into the execution template.

```powershell
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel(r) AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("AddCertificate")
$inputObject.SetProperty("CertificateBlob", $certificate)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
# ReturnValue 0 indicates success; the output also carries an EPR to the new AMT_PublicKeyCertificate.
$returnValue = $outputObject.GetProperty("ReturnValue")
```
Instance Diagram
Classes Used in This Flow
SDK Sample: Not applicable
Copyright © 2006-2022, Intel Corporation. All rights reserved.