Root Certificate Hashes

Starting with Release 2.6, Intel AMT contains embedded root certificate hashes. They represent the certification authorities of major certificate vendors. These hashes are used by the remote configuration process and by the host-based configuration process:

   In remote configuration, the remote setup and configuration application must have a certificate that traces to one of the root certificates. The “Hello” message contains the root hashes so that the application can validate that it has a matching certificate.

   In host-based configuration, upgrading to Admin Control mode or configuring directly to Admin Control mode requires a certificate, and a certificate chain that traces to one of the root certificates.

Prior to Release 7.0, Intel AMT can have up to 20 embedded root hashes plus three custom hashes installed by the OEM or by IT prior to configuration. Release 7.0 adds the capacity for ten more embedded hashes. For backward compatibility, the Release 7.0 “Hello” message contains no more than 23 hashes, even though there may be additional embedded hashes.

In Intel ME 11.0 the default SHA1 certificate hashes were removed from the firmware. Hashes could still be added in manufacturing, or through the MEBX or WS-MAN commands.

Starting from Intel ME 15.0 firmware for H platform, and Intel ME 16.0 firmware for all platforms, Intel is removing support of SHA1 root certificates and RSA key sizes smaller than 2048 bits for Intel AMT provisioning. In those releases and later, it is no longer possible to add SHA1 hashes, and none of the certificates in the certificate chain can be SHA1-based, including the root certificate.

Releases 11.0 and later support the following root certificates.

Note: This list is subject to change, both by Intel and by OEMs. It is recommended to search the web for a list of root certificates supported by different Intel AMT firmware versions.

| Root Certificate Name | Signing Algorithm | Certificate Thumbprint | Expiration Date | Link to Certificate File |
|---|---|---|---|---|
| Go Daddy Class 2 CA | SHA1-RSA2K | c3:84:6b:f2:4b:9e:93:ca:64:27:4c:0e:c6:7c:1e:cc:5e:02:4f:fc:ac:d2:d7:40:19:35:0e:81:fe:54:6a:e4 | 4/29/2034 | https://certs.godaddy.com/repository/gd-class2-root.crt |
| Go Daddy Root CA-G2 | SHA256-RSA2K | 45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da | 5/1/2038 | https://certs.godaddy.com/repository/gdroot-g2.crt |
| Comodo AAA CA | SHA1-RSA2K | d7:a7:a0:fb:5d:7e:27:31:d7:71:e9:48:4e:bc:de:f7:1d:5f:0c:3e:0a:29:48:78:2b:c8:3e:e0:ea:69:9e:f4 | 1/1/2029 | http://crt.sectigo.com/AAACertificateServices.crt |
| Starfield Class 2 CA | SHA1-RSA2K | 14 65 FA 20 53 97 B8 76 FA A6 F0 A9 95 8E 55 90 E4 0F CC 7F AA 4F B7 C2 C8 67 75 21 FB 5F B6 58 | 4/29/2034 | https://certs.starfieldtech.com/repository/sf-class2-root.crt |
| Starfield Root CA-G2 | SHA256-RSA2K | 2C E1 CB 0B F9 D2 F9 E1 02 99 3F BE 21 51 52 C3 B2 DD 0C AB DE 1C 68 E5 31 9B 83 91 54 DB B7 F5 | 5/1/2038 | https://certs.starfieldtech.com/repository/sfroot-g2.crt |
| VeriSign Class 3 Primary CA-G5 | SHA1-RSA2K | 9A CF AB 7E 43 C8 D8 80 D0 6B 26 2A 94 DE EE E4 B4 65 99 89 C3 D0 CA F1 9B AF 64 05 E4 1A B7 DF | 4/17/2036 | https://cacerts.digicert.com/pca3-g5.crt |
| VeriSign Universal Root CA | SHA256-RSA2K | 23 99 56 11 27 A5 71 25 DE 8C EF EA 61 0D DF 2F A0 78 B5 C8 06 7F 4E 82 82 90 BF B8 60 E8 4B 3C | 3/2/2037 | https://cacerts.digicert.com/universal-root.crt?_gl=1*1apz3e4*_gcl_au*MjEwMDIwNzY3OS4xNzIzNjk3OTc3 |
| Baltimore CyberTrust Root | SHA1-RSA2K | 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB | 3/2/2037 | https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt |
| Verizon Global Root | SHA256-RSA2K | 68:ad:50:90:9b:04:36:3c:60:5e:f1:35:81:a9:39:ff:2c:96:37:2e:3f:12:32:5b:0a:68:61:e1:d5:9f:66:03 | 7/30/2034 | https://cacerts.digicert.com/VerizonGlobalRootCA.crt |
| Entrust.net CA (2048) | SHA1-RSA2K | 6D C4 71 72 E0 1C BC B0 BF 62 58 0D 89 5F E2 B8 AC 9A D4 F8 73 80 1E 0C 10 B9 C8 37 D2 1E B1 77 | 7/24/2029 | https://web.entrust.com/root-certificates/entrust_2048_ca.cer?_ga=2.31374591.1152083153.1653392010-1845880785.1653201019 |
| Entrust Root CA | SHA1-RSA2K | 73 C1 76 43 4F 1B C6 D5 AD F4 5B 0E 76 E7 27 28 7C 8D E5 76 16 C1 E6 E6 14 1A 2B 2C BC 7D 8E 4C | 11/26/2027 | https://web.entrust.com/root-certificates/entrust_2048_ca.cer?_ga=2.31374591.1152083153.1653392010-1845880785.1653201019 |
| Entrust Root CA-G2 | SHA256-RSA2K | 43 DF 57 74 B0 3E 7F EF 5F E4 0D 93 1A 7B ED F1 BB 2E 6B 42 73 8C 4E 6D 38 41 10 3D 3A A7 F3 39 | 12/7/2030 | https://web.entrust.com/root-certificates/entrust_g2_ca.cer?_ga=2.23943290.1152083153.1653392010-1845880785.1653201019 |
| Affirm Trust Premium | SHA384-RSA4K | 70 A7 3F 7F 37 6B 60 07 42 48 90 45 34 B1 14 82 D5 BF 0E 69 8E CC 49 8D F5 25 77 EB F2 E9 3B 9A | 12/31/2040 | https://www.affirmtrust.com/downloads/affirmtrust_premium.crt |
| DigiCert Global Root CA | SHA1-RSA2K | 43 48 A0 E9 44 4C 78 CB 26 5E 05 8D 5E 89 44 B4 D8 4F 96 62 BD 26 DB 25 7F 89 34 A4 43 C7 01 61 | 11/10/2031 | https://cacerts.digicert.com/DigiCertGlobalRootCA.crt |
| DigiCert Global Root G2 | SHA256-RSA2K | CB 3C CB B7 60 31 E5 E0 13 8F 8D D3 9A 23 F9 DE 47 FF C3 5E 43 C1 14 4C EA 27 D4 6A 5A B1 CB 5F | 1/15/2038 | https://cacerts.digicert.com/DigiCertGlobalRootG2.crt |
| DigiCert Global Root G3 | SHA384ECDSA | 31 AD 66 48 F8 10 41 38 C7 38 F3 9E A4 32 01 33 39 3E 3A 18 CC 02 29 6E F9 7C 2A C9 EF 67 31 D0 | 1/15/2038 | https://cacerts.digicert.com/DigiCertGlobalRootG3.crt |
| DigiCert Trusted Root G4 | SHA384RSA4K | 55 2F 7B DC F1 A7 AF 9E 6C E6 72 01 7F 4F 12 AB F7 72 40 C7 8E 76 1A C2 03 D1 D9 D2 0A C8 99 88 | 1/15/2038 | https://cacerts.digicert.com/DigiCertTrustedRootG4.crt |
| GlobalSign Root CA - R3 | SHA256RSA2K | CB B5 22 D7 B7 F1 27 AD 6A 01 13 86 5B DF 1C D4 10 2E 7D 07 59 AF 63 5A 7C F4 72 0D C9 63 C5 3B | 3/18/2029 | https://secure.globalsign.net/cacert/Root-R3.crt |
| GlobalSign ECC Root CA - R5 | SHA384ECDSA | 17 9F BC 14 8A 3D D0 0F D2 4E A1 34 58 CC 43 BF A7 F5 9C 81 82 D7 83 A5 13 F6 EB EC 10 0C 89 24 | 1/19/2038 | https://secure.globalsign.net/cacert/Root-R5.crt |
| GlobalSign Root CA - R6 | SHA384RSA4K | 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69 | 12/10/2034 | https://secure.globalsign.net/cacert/root-r6.crt |

In addition to the certificates supported in release 11.0 and later, releases 15.0.45, 16.1 and later support the following root certificate (releases supporting this root certificate are also planned for Intel® CSME 12 and Intel CSME 14):

| Root Certificate Name | Signing Algorithm | Certificate Thumbprint | Expiration Date | Link to Certificate File |
|---|---|---|---|---|
| USERTrust RSA CA | SHA384RSA4K | E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2 | 01/18/2038 | https://crt.sh/?id=1199354 |

Releases 7.0 through 10.x support the following SHA1 root certificates.

   VeriSign Class 3 Public Primary CA – G1
SHA1 Fingerprint: 74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2

   VeriSign Class 3 Public Primary CA – G1.5
SHA1 Fingerprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b

   VeriSign Class 3 Public Primary CA – G2
SHA1 Fingerprint: 85 37 1c a6 e5 50 14 3d ce 28 03 47 1b de 3a 09 e8 f8 77 0f

   VeriSign Class 3 Public Primary CA – G3
SHA1 Fingerprint: 13 2d 0d 45 53 4b 69 97 cd b2 d5 c3 39 e2 55 76 60 9b 5c c6

   VeriSign Class 3 Public Primary CA – G5
SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5

   Go Daddy Class 2 CA
SHA1 Fingerprint: 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4

   Comodo AAA CA
SHA1 Fingerprint: d1 eb 23 a4 6d 17 d6 8f d9 25 64 c2 f1 f1 60 17 64 d8 e3 49

   Starfield Class 2 CA
SHA1 Fingerprint: ad 7e 1c 28 b0 64 ef 8f 60 03 40 20 14 c3 d0 e3 37 0e b5 8a
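
The thumbprints on this page are hashes over the DER-encoded root certificate (32 bytes for SHA-256, 20 bytes for the SHA1 fingerprints), printed in a mix of colon- and space-separated notations. The Python sketch below is an added example, not Intel code: it normalizes those notations and checks a certificate file against a thumbprint list, with a switch for releases that no longer accept SHA1 hashes. The function names and the sample bytes are hypothetical and constructed for illustration.

```python
import hashlib
import ssl

# Thumbprints copied from this page, in the two notations it uses.
PAGE_THUMBPRINTS = {
    "Go Daddy Root CA-G2": "45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da",
    "Starfield Root CA-G2": "2C E1 CB 0B F9 D2 F9 E1 02 99 3F BE 21 51 52 C3 B2 DD 0C AB DE 1C 68 E5 31 9B 83 91 54 DB B7 F5",
    "Go Daddy Class 2 CA (SHA1 list)": "27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4",
}

# Thumbprint length in bytes -> hash algorithm applied to the DER certificate.
DIGESTS = {20: "sha1", 32: "sha256"}


def normalize(thumbprint: str) -> bytes:
    """Accept colon- or space-separated hex in either case; return raw bytes."""
    raw = bytes.fromhex(thumbprint.replace(":", " "))
    if len(raw) not in DIGESTS:
        raise ValueError(f"unexpected thumbprint length: {len(raw)} bytes")
    return raw


def to_der(cert: bytes) -> bytes:
    """Fingerprints are computed over DER, so unwrap PEM first if needed."""
    if cert.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return cert


def match_root(cert: bytes, trusted: dict, allow_sha1: bool = True):
    """Return the name of the entry whose thumbprint matches cert, else None.

    allow_sha1=False models releases where SHA1 hashes are not accepted.
    """
    der = to_der(cert)
    for name, thumbprint in trusted.items():
        want = normalize(thumbprint)
        algo = DIGESTS[len(want)]
        if algo == "sha1" and not allow_sha1:
            continue
        if hashlib.new(algo, der).digest() == want:
            return name
    return None


# Constructed stand-in bytes, NOT a real certificate; used to exercise matching.
SAMPLE_DER = b"\x30\x82\x01\x0a constructed stand-in for a DER root certificate"
SAMPLE_TRUST = dict(PAGE_THUMBPRINTS)
SAMPLE_TRUST["Constructed Root (SHA256)"] = hashlib.sha256(SAMPLE_DER).hexdigest()
```

To check a downloaded root, read the `.crt` file as bytes and pass it to `match_root` together with the thumbprints for the firmware release in question.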

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.