Root Certificate Hashes

Starting with Release 2.6, Intel AMT contains embedded root certificate hashes. They represent the certification authorities of major certificate vendors. These hashes are used by the remote configuration process and by the host-based configuration process:

   In remote configuration, the remote setup and configuration application must have a certificate that traces to one of the root certificates. The “Hello” message contains the root hashes so that the application can validate that it has a matching certificate.

   In host-based configuration, upgrading to Admin Control mode or configuring directly to Admin Control mode requires a certificate and a certificate chain that traces to one of the root certificates.

Prior to Release 7.0, Intel AMT can have up to 20 embedded root hashes plus three custom hashes installed by the OEM or by IT prior to configuration. Release 7.0 adds the capacity for ten more embedded hashes. For backward compatibility, the Release 7.0 “Hello” message contains no more than 23 hashes, even though there may be additional embedded hashes.

In Intel ME 11.0 the default SHA1 certificate hashes were removed from the firmware. Hashes could still be added in manufacturing, or through the MEBX or WS-MAN commands.

Starting from Intel ME 15.0 firmware for H platform, and Intel ME 16.0 firmware for all platforms, Intel is removing support of SHA1 root certificates and RSA key sizes smaller than 2048 bits for Intel AMT provisioning. In those releases and later, it is no longer possible to add SHA1 hashes, and none of the certificates in the certificate chain can be SHA1-based, including the root certificate.
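The comparison described above, as an added Python example (not Intel's code and not part of the SDK): hash the DER-encoded root certificate at the top of the chain and look it up in a hash list, accepting both the colon-separated and space-separated thumbprint styles used in the tables on this page. The names `normalize`, `algorithm_of`, `match_root` and `allow_sha1` are assumptions made for the example, and the sample "certificate" bytes are constructed placeholder data.

```python
import hashlib
import hmac
import re

ALG_BY_LEN = {20: "sha1", 32: "sha256"}  # digest length in bytes -> algorithm


def normalize(thumbprint: str) -> str:
    """Strip ':' and whitespace separators (both styles appear in the tables)
    and return lowercase hex; reject anything that is not 20 or 32 bytes."""
    hexstr = re.sub(r"[\s:]", "", thumbprint).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexstr) or len(hexstr) // 2 not in ALG_BY_LEN:
        raise ValueError(f"not a SHA1/SHA256 thumbprint: {thumbprint!r}")
    return hexstr


def algorithm_of(thumbprint: str) -> str:
    """Infer the hash algorithm from the thumbprint length."""
    return ALG_BY_LEN[len(normalize(thumbprint)) // 2]


def match_root(root_der: bytes, hash_list: dict, allow_sha1: bool = False):
    """Return the name of the listed root whose thumbprint equals the hash of
    root_der (the DER-encoded root certificate), or None if nothing matches."""
    for name, listed in hash_list.items():
        alg = algorithm_of(listed)
        if alg == "sha1" and not allow_sha1:
            continue  # ME 15.0 (H platform) / ME 16.0 and later: no SHA1 hashes
        digest = hashlib.new(alg, root_der).hexdigest()
        if hmac.compare_digest(digest, normalize(listed)):
            return name
    return None


def styled(hexstr: str, sep: str) -> str:
    """Format a hex digest byte by byte, the way the tables print it."""
    return sep.join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


# Constructed stand-in for a DER-encoded root certificate (not a real certificate).
SAMPLE_ROOT_DER = b"\x30\x82\x00\x18" + b"constructed example root"
# Constructed hash lists: one SHA256 entry in colon style, one SHA1 entry in space style.
SAMPLE_SHA256_LIST = {"Example Root": styled(hashlib.sha256(SAMPLE_ROOT_DER).hexdigest(), ":")}
SAMPLE_SHA1_LIST = {"Example Legacy Root": styled(hashlib.sha1(SAMPLE_ROOT_DER).hexdigest().upper(), " ")}

if __name__ == "__main__":
    print(match_root(SAMPLE_ROOT_DER, SAMPLE_SHA256_LIST))  # matching SHA256 entry
    print(match_root(SAMPLE_ROOT_DER, SAMPLE_SHA1_LIST))    # SHA1 entries skipped by default
```

Setting `allow_sha1=True` models the releases that still accept SHA1 hashes; the default models releases where SHA1 hashes can no longer be used.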

Releases 11.0 and later support the following root certificates.

Note: This list is subject to change, both by Intel and by OEMs. It is recommended to search the web for a list of root certificates supported by different Intel AMT firmware versions.

| Root Certificate Name | Certificate Thumbprint | Expiration Date | Link to Certificate File |
| --- | --- | --- | --- |
| Go Daddy Class 2 CA | c3:84:6b:f2:4b:9e:93:ca:64:27:4c:0e:c6:7c:1e:cc: 5e:02:4f:fc:ac:d2:d7:40:19:35:0e:81:fe:54:6a:e4 | 4/29/2034 | https://certs.godaddy.com/repository/gd-class2-root.crt |
| Go Daddy Root CA-G2 | 45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7: 32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da | 5/1/2038 | https://certs.godaddy.com/repository/gdroot-g2.crt |
| Comodo AAA CA | d7:a7:a0:fb:5d:7e:27:31:d7:71:e9:48:4e:bc:de:f7: 1d:5f:0c:3e:0a:29:48:78:2b:c8:3e:e0:ea:69:9e:f4 | 1/1/2029 | http://crt.sectigo.com/AAACertificateServices.crt |
| Starfield Class 2 CA | 14 65 FA 20 53 97 B8 76 FA A6 F0 A9 95 8E 55 90 E4 0F CC 7F AA 4F B7 C2 C8 67 75 21 FB 5F B6 58 | 4/29/2034 | https://certs.starfieldtech.com/repository/sf-class2-root.crt |
| Starfield Root CA-G2 | 2C E1 CB 0B F9 D2 F9 E1 02 99 3F BE 21 51 52 C3 B2 DD 0C AB DE 1C 68 E5 31 9B 83 91 54 DB B7 F5 | 5/1/2038 | https://certs.starfieldtech.com/repository/sfroot-g2.crt |
| VeriSign Class 3 Primary CA-G5 | 9A CF AB 7E 43 C8 D8 80 D0 6B 26 2A 94 DE EE E4 B4 65 99 89 C3 D0 CA F1 9B AF 64 05 E4 1A B7 DF | 4/17/2036 | https://cacerts.digicert.com/pca3-g5.crt |
| VeriSign Universal Root CA | 23 99 56 11 27 A5 71 25 DE 8C EF EA 61 0D DF 2F A0 78 B5 C8 06 7F 4E 82 82 90 BF B8 60 E8 4B 3C | 3/2/2037 | https://symantec.tbs-certificats.com/vsign-universal-root.crt |
| Baltimore CyberTrust Root | 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB | 3/2/2037 | https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt |
| Verizon Global Root | 68:ad:50:90:9b:04:36:3c:60:5e:f1:35:81:a9:39:ff: 2c:96:37:2e:3f:12:32:5b:0a:68:61:e1:d5:9f:66:03 | 7/30/2034 | https://cacerts.digicert.com/VerizonGlobalRootCA.crt |
| Entrust.net CA (2048) | 6D C4 71 72 E0 1C BC B0 BF 62 58 0D 89 5F E2 B8 AC 9A D4 F8 73 80 1E 0C 10 B9 C8 37 D2 1E B1 77 | 7/24/2029 | https://web.entrust.com/root-certificates/entrust_2048_ca.cer?_ga=2.31374591.1152083153.1653392010-1845880785.1653201019 |
| Entrust Root CA | 73 C1 76 43 4F 1B C6 D5 AD F4 5B 0E 76 E7 27 28 7C 8D E5 76 16 C1 E6 E6 14 1A 2B 2C BC 7D 8E 4C | 11/26/2027 | https://web.entrust.com/root-certificates/entrust_2048_ca.cer?_ga=2.31374591.1152083153.1653392010-1845880785.1653201019 |
| Entrust Root CA-G2 | 43 DF 57 74 B0 3E 7F EF 5F E4 0D 93 1A 7B ED F1 BB 2E 6B 42 73 8C 4E 6D 38 41 10 3D 3A A7 F3 39 | 12/7/2030 | https://web.entrust.com/root-certificates/entrust_g2_ca.cer?_ga=2.23943290.1152083153.1653392010-1845880785.1653201019 |
| Affirm Trust Premium | 70 A7 3F 7F 37 6B 60 07 42 48 90 45 34 B1 14 82 D5 BF 0E 69 8E CC 49 8D F5 25 77 EB F2 E9 3B 9A | 12/31/2040 | https://www.affirmtrust.com/downloads/affirmtrust_premium.crt |
| DigiCert Global Root CA | 43 48 A0 E9 44 4C 78 CB 26 5E 05 8D 5E 89 44 B4 D8 4F 96 62 BD 26 DB 25 7F 89 34 A4 43 C7 01 61 | 11/10/2031 | https://cacerts.digicert.com/DigiCertGlobalRootCA.crt |
| DigiCert Global Root G2 | CB 3C CB B7 60 31 E5 E0 13 8F 8D D3 9A 23 F9 DE 47 FF C3 5E 43 C1 14 4C EA 27 D4 6A 5A B1 CB 5F | 1/15/2038 | https://cacerts.digicert.com/DigiCertGlobalRootG2.crt |
| DigiCert Global Root G3 | 31 AD 66 48 F8 10 41 38 C7 38 F3 9E A4 32 01 33 39 3E 3A 18 CC 02 29 6E F9 7C 2A C9 EF 67 31 D0 | 1/15/2038 | https://cacerts.digicert.com/DigiCertGlobalRootG3.crt |
| DigiCert Trusted Root G4 | 55 2F 7B DC F1 A7 AF 9E 6C E6 72 01 7F 4F 12 AB F7 72 40 C7 8E 76 1A C2 03 D1 D9 D2 0A C8 99 88 | 1/15/2038 | https://cacerts.digicert.com/DigiCertTrustedRootG4.crt |
| GlobalSign Root CA - R3 | CB B5 22 D7 B7 F1 27 AD 6A 01 13 86 5B DF 1C D4 10 2E 7D 07 59 AF 63 5A 7C F4 72 0D C9 63 C5 3B | 3/18/2029 | https://secure.globalsign.net/cacert/Root-R3.crt |
| GlobalSign ECC Root CA - R5 | 17 9F BC 14 8A 3D D0 0F D2 4E A1 34 58 CC 43 BF A7 F5 9C 81 82 D7 83 A5 13 F6 EB EC 10 0C 89 24 | 1/19/2038 | https://secure.globalsign.net/cacert/Root-R5.crt |
| GlobalSign Root CA - R6 | 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25: 98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69 | 12/10/2034 | https://secure.globalsign.net/cacert/root-r6.crt |

Releases 15.0.45, 16.1 and later support the following root certificate in addition to the certificates supported in Release 11.0 and later. Releases supporting this root certificate are also planned for Intel® CSME 12 and Intel CSME 14.

| Root Certificate Name | Certificate Thumbprint | Expiration Date | Link to Certificate File |
| --- | --- | --- | --- |
| USERTrust RSA CA | E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81: 19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2 | 01/18/2038 | https://crt.sh/?id=1199354 |

Releases 7.0 through 10.x support the following SHA1 root certificates.

   VeriSign Class 3 Public Primary CA – G1
SHA1 Fingerprint: 74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2

   VeriSign Class 3 Public Primary CA – G1.5
SHA1 Fingerprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b

   VeriSign Class 3 Public Primary CA – G2
SHA1 Fingerprint: 85 37 1c a6 e5 50 14 3d ce 28 03 47 1b de 3a 09 e8 f8 77 0f

   VeriSign Class 3 Public Primary CA – G3
SHA1 Fingerprint: 13 2d 0d 45 53 4b 69 97 cd b2 d5 c3 39 e2 55 76 60 9b 5c c6

   VeriSign Class 3 Public Primary CA – G5
SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5

   Go Daddy Class 2 CA
SHA1 Fingerprint: 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4

   Comodo AAA CA
SHA1 Fingerprint: d1 eb 23 a4 6d 17 d6 8f d9 25 64 c2 f1 f1 60 17 64 d8 e3 49

   Starfield Class 2 CA
SHA1 Fingerprint: ad 7e 1c 28 b0 64 ef 8f 60 03 40 20 14 c3 d0 e3 37 0e b5 8a

Copyright © 2006-2022, Intel Corporation. All rights reserved.