Starting with Release 2.6, Intel AMT contains embedded root certificate hashes. They represent the certification authorities of major certificate vendors. These hashes are used by the remote configuration process and by the host-based configuration process:
• In remote configuration, the remote setup and configuration application must have a certificate that traces to one of the root certificates. The “Hello” message contains the root hashes so that the application can validate that it has a matching certificate.
• In host-based configuration, upgrading to Admin Control mode or configuring directly to Admin Control mode requires a certificate, and a certificate chain that traces to one of the root certificates.
Prior to Release 7.0, Intel AMT can have up to 20 embedded root hashes plus three custom hashes installed by the OEM or by IT prior to configuration. Release 7.0 adds the capacity for ten more embedded hashes. For backward compatibility, the Release 7.0 “Hello” message contains no more than 23 hashes, even though there may be additional embedded hashes.
In Intel ME 11.0 the default SHA1 certificate hashes were removed from the firmware. Hashes could still be added in manufacturing, or through the MEBX or WS-MAN commands.
Starting with Intel ME 15.0 firmware for the H platform, and Intel ME 16.0 firmware for all platforms, Intel removes support for SHA1 root certificates and for RSA keys smaller than 2048 bits in Intel AMT provisioning. In those releases and later, it is no longer possible to add SHA1 hashes, and none of the certificates in the certificate chain can be SHA1-based, including the root certificate.
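The checks a setup application would apply against the root hashes it receives, written out as an added example (this is not Intel's code or the AMT firmware's logic). It assumes the advertised hash is a SHA-256 digest of the root certificate's DER encoding; the `der` bytes, certificate names and the `Cert` record are constructed for the demonstration.

```python
"""Policy checks modelled on the Intel AMT root-hash rules described above.
Added example, not Intel's code. Assumes the advertised hash is a SHA-256
digest of the root certificate's DER encoding; the der bytes below are
constructed stand-ins, not real DER."""
import hashlib
from dataclasses import dataclass

HELLO_MAX_HASHES = 23  # a Release 7.0 "Hello" message carries at most 23 hashes


@dataclass
class Cert:
    name: str
    der: bytes      # constructed stand-in for the DER-encoded certificate
    sig_hash: str   # hash algorithm of the signature, e.g. "sha1" or "sha256"
    key_type: str   # "rsa" or "ec"
    key_bits: int


def root_hash(cert: Cert, algo: str = "sha256") -> str:
    """Fingerprint of a root certificate as the Hello message would advertise it."""
    return hashlib.new(algo, cert.der).hexdigest()


def hello_hashes(embedded: list, custom: list) -> list:
    """Trim the firmware's full hash list to what the Hello message may carry."""
    return (embedded + custom)[:HELLO_MAX_HASHES]


def check_chain(chain: list, advertised: list, strict: bool = False) -> list:
    """chain is leaf-first and ends with the root; advertised holds the Hello
    hashes. strict=True applies the ME 15.0/16.0 rules: no SHA1 anywhere in
    the chain and no RSA key shorter than 2048 bits. Returns a list of findings."""
    problems = []
    root = chain[-1]
    if root_hash(root) not in advertised:
        problems.append("root '%s' not among advertised hashes" % root.name)
    if strict:
        for cert in chain:
            if cert.sig_hash.lower() == "sha1":
                problems.append("'%s' is SHA1-signed" % cert.name)
            if cert.key_type == "rsa" and cert.key_bits < 2048:
                problems.append("'%s' has a %d-bit RSA key" % (cert.name, cert.key_bits))
    return problems


def sample_chain() -> list:
    """Constructed leaf -> issuing CA -> root chain used for the demonstration."""
    return [Cert("setup.example.test", b"leaf-der", "sha256", "rsa", 2048),
            Cert("Example Issuing CA", b"issuing-der", "sha256", "rsa", 2048),
            Cert("Example Root CA", b"root-der", "sha256", "rsa", 4096)]
```

With `strict=False` the same chain containing a SHA1-signed, 1024-bit issuing CA passes as long as the root hash matches, which is the pre-15.0 behaviour the text describes.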
Releases 11.0 and 12.0 support the following root certificates. This list is subject to change, both by Intel and by OEMs. It is recommended to search the web for a list of root certificates supported by different Intel AMT firmware versions.
• VeriSign Class 3 Primary CA-G1 - removed starting Releases 11.8.65.3580 and 12.0.32.1420
• VeriSign Class 3 Primary CA-G3 - removed starting Releases 11.8.65.3580 and 12.0.32.1420
• Go Daddy Class 2 CA
• Go Daddy Root CA-G2
• Comodo AAA CA
• Starfield Class 2 CA
• Starfield Root CA-G2
• VeriSign Class 3 Primary CA-G2 - removed starting Releases 11.8.65.3580 and 12.0.32.1420
• VeriSign Class 3 Primary CA-G1.5 - removed starting Releases 11.8.65.3580 and 12.0.32.1420
• VeriSign Class 3 Primary CA-G5
• GTE CyberTrust Global Root - removed starting Releases 11.8.65.3580 and 12.0.32.1420
• Baltimore CyberTrust Root
• Cybertrust Global Root
• Verizon Global Root
• Entrust.net CA (2048)
• Entrust Root CA
• Entrust Root CA-G2
• VeriSign Universal Root CA
• Affirm Trust Premium
• DigiCert Global Root CA - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
• DigiCert Global Root G2 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
• DigiCert Global Root G3 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
• DigiCert Trusted Root G4 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
• GlobalSign NP RSA CA 2018 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
• GlobalSign NP ECC CA 2018 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
• GlobalSign Root CA – R3 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
• GlobalSign ECC Root CA – R5 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
• GlobalSign Root CA – R6 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
Release 7.0 supports the following SHA1 root certificates.
• VeriSign Class 3 Public Primary CA – G1
• VeriSign Class 3 Public Primary CA – G1.5
• VeriSign Class 3 Public Primary CA – G2
• VeriSign Class 3 Public Primary CA – G3
• VeriSign Class 3 Public Primary CA – G5
• Go Daddy Class 2 CA
• Comodo AAA CA
• Starfield Class 2 CA
Copyright © 2006-2022, Intel Corporation. All rights reserved.