Before Remote Configuration begins, the following initial conditions must be met:
• The Intel AMT device is configured to receive its IP address from a DHCP server. The DHCP server must be configured to support option 15 to acquire the local domain suffix (Unsecure DNS mode). Alternatively, from Intel AMT release 3.0 and later, you can supply the SCA FQDN or PKI DNS Suffix from the MEBx menu or a USB key.
• The Intel AMT device is pre-programmed with at least one active root certificate hash.
• If the Intel AMT device was not set to Bare Metal or if the provisioning period has expired, an ISV-created local agent must be installed on the host platform.
• The SCA is registered with a DNS server accessible to the Intel AMT device. The record in DNS should match “provisionServer.<option 15>”.
• The SCA has a server certificate, used only for setup and configuration, with the appropriate OID or OU that traces to a CA which has a root certificate hash stored in the Intel AMT device.
To acquire a server certificate, contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. Go to the certificate vendor’s website and purchase an “SSL certificate”.
For example, the following link to Verisign’s* site shows how to purchase an appropriate certificate: http://www.verisign.com/ssl/intel-vpro-technology/index.html.
Use the OID or the OU values described here (or both) when defining the certificate.
• The Extended Key Usage (EKU) field is a list of OIDs separated by commas. It should contain an Intel AMT unique OID (2.16.840.1.113741.1.2.3) if possible. It must contain the “SSL Server” OID (an IANA pre-defined OID).
— OR —
• The OU value in the Subject field must be “Intel(R) Client Setup Certificate”. This OU value is case-sensitive and must be entered exactly.
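A pre-deployment check of the certificate rules above, as an added example (not Intel's code). It assumes the EKU list and Subject have already been extracted as text, uses simplified Subject parsing (no escaped commas), takes 1.3.6.1.5.5.7.3.1 as the “SSL Server” OID, and reads the rules as requiring that OID in every case; the function names and sample values are constructed.

```python
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth ("SSL Server")
AMT_SETUP_OID = "2.16.840.1.113741.1.2.3"    # Intel AMT unique OID
SETUP_OU = "Intel(R) Client Setup Certificate"

def parse_eku(eku_field):
    """Split the comma-separated EKU OID list into a set of OIDs."""
    return {oid.strip() for oid in eku_field.split(",") if oid.strip()}

def subject_ous(subject):
    """Return every OU value from a 'K=V, K=V' Subject string."""
    ous = []
    for rdn in subject.split(","):
        key, sep, value = rdn.partition("=")
        if sep and key.strip().upper() == "OU":
            ous.append(value.strip())
    return ous

def check_setup_cert(eku_field, subject):
    """Return a list of problems; an empty list means the fields pass."""
    problems = []
    eku = parse_eku(eku_field)
    ous = subject_ous(subject)
    if SERVER_AUTH_OID not in eku:
        problems.append("EKU lacks the SSL Server OID")
    # Either marker is enough; the OU comparison is exact and case-sensitive.
    if AMT_SETUP_OID not in eku and SETUP_OU not in ous:
        near = [ou for ou in ous if ou.lower() == SETUP_OU.lower()]
        if near:
            problems.append(f"OU {near[0]!r} differs from the required value only in case")
        else:
            problems.append("neither the Intel AMT OID nor the setup OU is present")
    return problems

def expected_sca_record(option15_suffix):
    """DNS name the SCA must be registered under for a DHCP option 15 suffix."""
    return "provisionServer." + option15_suffix.strip().strip(".")

if __name__ == "__main__":
    # Constructed sample fields, not taken from a real certificate.
    samples = [
        ("1.3.6.1.5.5.7.3.1, 2.16.840.1.113741.1.2.3", "CN=provisionServer.corp.example.com"),
        ("1.3.6.1.5.5.7.3.1", "CN=sca.corp.example.com, OU=intel(r) client setup certificate"),
    ]
    for eku_field, subject in samples:
        print(subject, "->", check_setup_cert(eku_field, subject) or "OK")
    print(expected_sca_record("corp.example.com"))
```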
Copyright © 2006-2022, Intel Corporation. All rights reserved.