Out of Band Remote PKI Configuration with a Local Agent

The following diagrams and table describe how you can incorporate a local agent on the Intel AMT platform to enable a delayed remote setup and configuration. Note: Starting with Tiger Lake, the On-Die Certificate Authority (ODCA) is used for issuing certificates for Intel CSE applications (e.g., Intel AMT).





The management console requests the local agent to check for Intel AMT capability on the platform and to return key parameters.


The agent detects Intel AMT and requests the UUID and Intel AMT firmware version.


The Intel AMT device returns the values to the agent.


The agent returns the information to the management console. If the firmware Version is Tiger Lake 15.X.X or above, the Secure Host Based Provisioning Method is recommended.


Legacy out of band flow only: Optionally the management console sends a One Time Password (OTP) to the agent.

When the Secure Host Based Provisioning method is used, the management console sends a hash of the SCA TLS leaf certificate to the agent.


The management console sends the identifying information and optionally an OTP to the SCA.


If an OTP was set up in Steps 5 and 6, the Agent sends the OTP to the Intel AMT device.

If secure Host Based Provisioning is used, the agent invokes CFG_StartConfigurationHBased() to place the Intel AMT device into Setup Mode (see Intel AMT Device Modes) Mutual-TLS. The SCA TLS leaf certificate hash is provided by the agent as an input parameter. The Intel AMT device returns the hash of the AMT ODCA leaf certificate as an output parameter. The Agent sends the Intel AMT certificate hash to the management console which sends it to the SCA Server. Now both ends are configured with the required certificates for the Mutual TLS session.

If the legacy out of band flow is used, CFG_StartConfigurationEx() is invoked, the Intel AMT device opens the out of band network interface and generates a self-signed certificate. This process may take up to seven minutes to generate the necessary keys.

CFG_StartConfigurationHBased() replaces the CFG_StartConfigurationEx() command which is being deprecated.


Legacy out of band flow only: The Intel AMT device starts sending “Hello” messages.


Setup and configuration begins using the PKI-CH protocol (see Remote Setup and Configuration Flow). This flow is out of band for legacy PKI and in-band for the secure host-based provisioning method.


Legacy out of band flow only: After the PKI-CH protocol was successful and before any configuration is sent to Intel AMT, SCA will request Intel AMT to send the OTP and will compare it to the OTP sent by the management console. Note that the SCA does not have to ask for an OTP (even if one was set).

Copyright © 2006-2022, Intel Corporation. All rights reserved.