
Root Certificate Hashes

Starting with Release 2.6, Intel AMT contains embedded root certificate hashes. They represent the certification authorities of major certificate vendors. These hashes are used by the remote configuration process and by the host-based configuration process:

   In remote configuration, the remote setup and configuration application must have a certificate that traces to one of the root certificates. The “Hello” message contains the root hashes so that the application can validate that it has a matching certificate.

   In host-based configuration, upgrading to Admin Control mode or configuring directly to Admin Control mode requires a certificate and a certificate chain that traces to one of the root certificates.

Prior to Release 7.0, Intel AMT can have up to 20 embedded root hashes plus three custom hashes installed by the OEM or by IT prior to configuration. Release 7.0 adds the capacity for ten more embedded hashes. For backward compatibility, the Release 7.0 “Hello” message contains no more than 23 hashes, even though there may be additional embedded hashes.

In Intel ME 11.0 the default SHA1 certificate hashes were removed from the firmware. Hashes could still be added in manufacturing, or through the MEBX or WS-MAN commands.

Starting from Intel ME 15.0 firmware for H platform, and Intel ME 16.0 firmware for all platforms, Intel is removing support of SHA1 root certificates and RSA key sizes smaller than 2048 bits for Intel AMT provisioning. In those releases and later, it is no longer possible to add SHA1 hashes, and none of the certificates in the certificate chain can be SHA1-based, including the root certificate.
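The check a setup and configuration application performs against the hashes in the "Hello" message can be sketched as follows. This is an added example, not Intel's code. It assumes each hash is the digest of the DER-encoded root certificate (the same value a certificate viewer shows as the fingerprint), and the function names, the allow_sha1 switch and the sample data are constructed for illustration.

```python
import hashlib

# Digest names keyed by hex length; this page lists only SHA1 and SHA256 hashes.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Return (algorithm, lowercase hex) for a fingerprint written with
    colons, spaces or line breaks, in either letter case."""
    hexstr = "".join(ch for ch in text if ch not in ": \t\r\n").lower()
    algo = _ALGO_BY_HEX_LEN.get(len(hexstr))
    if algo is None:
        # Catches truncated entries, e.g. a byte printed with one digit.
        raise ValueError(f"unexpected fingerprint length: {len(hexstr)} hex digits")
    bytes.fromhex(hexstr)  # raises ValueError on non-hex characters
    return algo, hexstr


def match_root(root_der, advertised, allow_sha1=True):
    """Return the first advertised (algorithm, hex) entry matching root_der, or None.

    root_der   -- DER bytes of the root certificate of the provisioning chain
    advertised -- fingerprint strings taken from the "Hello" message
    allow_sha1 -- False models firmware that no longer accepts SHA1 hashes
    """
    for entry in advertised:
        algo, hexstr = normalize_fingerprint(entry)
        if algo == "sha1" and not allow_sha1:
            continue
        if hashlib.new(algo, root_der).hexdigest() == hexstr:
            return algo, hexstr
    return None


def _pairs(hexstr, sep):
    return sep.join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


# Constructed stand-in for a DER-encoded root certificate (not a real certificate).
SAMPLE_ROOT_DER = b"constructed root certificate bytes for illustration"


def sample_hello_hashes():
    """Constructed hash list in the three notations used on this page."""
    return [
        _pairs(hashlib.sha256(b"some other constructed root").hexdigest(), ":"),
        _pairs(hashlib.sha1(SAMPLE_ROOT_DER).hexdigest(), " "),
        _pairs(hashlib.sha256(SAMPLE_ROOT_DER).hexdigest(), ":").upper(),
    ]
```

With allow_sha1=False the SHA1 entry is skipped and only the SHA256 entry can match, which is the situation described above for Intel ME 15.0 (H platform) and 16.0 firmware.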

Note: Releases 11.0 and 12.0 support the following root certificates. This list is subject to change, both by Intel and by OEMs. It is recommended to search the web for a list of root certificates supported by different Intel AMT firmware versions.

   VeriSign Class 3 Primary CA-G1 - removed starting Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
e7:68:56:34:ef:ac:f6:9a:ce:93:9a:6b:25:5b:7b:4f:
ab:ef:42:93:5b:50:a2:65:ac:b5:cb:60:27:e4:4e:70

   VeriSign Class 3 Primary CA-G3 - removed starting Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
eb:04:cf:5e:b1:f3:9a:fa:76:2f:2b:b1:20:f2:96:cb:
a5:20:c1:b9:7d:b1:58:95:65:b8:1c:b9:a1:7b:72:44

   Go Daddy Class 2 CA
SHA256 Fingerprint:
c3:84:6b:f2:4b:9e:93:ca:64:27:4c:0e:c6:7c:1e:cc:
5e:02:4f:fc:ac:d2:d7:40:19:35:0e:81:fe:54:6a:e4

   Go Daddy Root CA-G2
SHA256 Fingerprint:
45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:
32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da

   Comodo AAA CA
SHA256 Fingerprint:
d7:a7:a0:fb:5d:7e:27:31:d7:71:e9:48:4e:bc:de:f7:
1d:5f:0c:3e:0a:29:48:78:2b:c8:3e:e0:ea:69:9e:f4

   Starfield Class 2 CA
SHA256 Fingerprint:
14:65:fa:20:53:97:b8:76:fa:a6:f0:a9:95:8e:55:90:
e4:0f:cc:7f:aa:4f:b7:c2:c8:67:75:21:fb:5f:b6:58

   Starfield Root CA-G2
SHA256 Fingerprint:
2c:e1:cb:0b:f9:d2:f9:e1:02:99:3f:be:21:51:52:c3:
b2:dd:0c:ab:de:1c:68:e5:31:9b:83:91:54:db:b7:f5

   VeriSign Class 3 Primary CA-G2 - removed starting Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
83:ce:3c:12:29:68:8a:59:3d:48:5f:81:97:3c:0f:91:
95:43:1e:da:37:cc:5e:36:43:0e:79:c7:a8:88:63:8b

   VeriSign Class 3 Primary CA-G1.5 - removed starting Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
a4:b6:b3:99:6f:c2:f3:06:b3:fd:86:81:bd:63:41:3d:
8c:50:09:cc:4f:a3:29:c2:cc:f0:e2:fa:1b:14:03:05

   VeriSign Class 3 Primary CA-G5
SHA256 Fingerprint:
9a:cf:ab:7e:43:c8:d8:80:d0:6b:26:2a:94:de:ee:e4:
b4:65:99:89:c3:d0:ca:f1:9b:af:64:05:e4:1a:b7:df

   GTE CyberTrust Global Root - removed starting Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
a5:31:25:18:8d:21:10:aa:96:4b:02:c7:b7:c6:da:32:
03:17:08:94:e5:fb:71:ff:fb:66:67:d5:e6:81:0a:36

   Baltimore CyberTrust Root
SHA256 Fingerprint:
16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:
2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb

   Cybertrust Global Root
SHA256 Fingerprint:
96:0a:df:00:63:e9:63:56:75:0c:29:65:dd:0a:08:67:
da:0b:9c:bd:6e:77:71:4a:ea:fb:23:49:ab:39:3d:a3

   Verizon Global Root
SHA256 Fingerprint:
68:ad:50:90:9b:04:36:3c:60:5e:f1:35:81:a9:39:ff:
2c:96:37:2e:3f:12:32:5b:0a:68:61:e1:d5:9f:66:03

   Entrust.net CA (2048)
SHA256 Fingerprint:
6d:c4:71:72:e0:1c:bc:b0:bf:62:58:0d:89:5f:e2:b8:
ac:9a:d4:f8:73:80:1e:0c:10:b9:c8:37:d2:1e:b1:77

   Entrust Root CA
SHA256 Fingerprint:
73:c1:76:43:4f:1b:c6:d5:ad:f4:5b:0e:76:e7:27:28:
7c:8d:e5:76:16:c1:e6:e6:14:1a:2b:2c:bc:7d:8e:4c

   Entrust Root CA-G2
SHA256 Fingerprint:
43:df:57:74:b0:3e:7f:ef:5f:e4:0d:93:1a:7b:ed:F1:
bb:2e:6b:42:73:8c:4e:6d:38:41:10:3d:3a:a7:f3:39

   VeriSign Universal Root CA
SHA256 Fingerprint:
23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:
A0:78:B5:C8:6:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

   Affirm Trust Premium
SHA256 Fingerprint:
70:a7:3f:7f:37:6b:60:07:42:48:90:45:34:b1:14:82:
d5:bf:0e:69:8e:cc:49:8d:f5:25:77:eb:f2:e9:3b:9a

   DigiCert Global Root CA - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:
D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61

   DigiCert Global Root G2 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:
47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

   DigiCert Global Root G3 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:
39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0

   DigiCert Trusted Root G4 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:
F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88

   GlobalSign NP RSA CA 2018 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
67:54:0A:47:AA:5B:9F:34:57:0A:99:72:3C:FE:FA:96:
A9:6E:E3:F0:D9:B8:BF:4D:EF:94:40:B8:06:5D:66:5D

   GlobalSign NP ECC CA 2018 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
72:24:39:52:22:CD:58:8C:4F:26:83:71:69:22:AD:DB:
41:E3:9B:58:1A:C3:4F:A8:7B:39:EF:A8:96:FB:B3:9E

   GlobalSign Root CA – R3 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
cb:b5:22:d7:b7:f1:27:ad:6a:01:13:86:5b:df:1c:d4:
10:2e:7d:07:59:af:63:5a:7c:f4:72:0d:c9:63:c5:3b

   GlobalSign ECC Root CA – R5 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:
A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24

   GlobalSign Root CA – R6 - supported starting from Releases 11.8.65.3580 and 12.0.32.1420
SHA256 Fingerprint:
2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:
98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69

 

Release 7.0 supports the following SHA1 root certificates.

   VeriSign Class 3 Public Primary CA – G1
SHA1 Fingerprint: 74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2

   VeriSign Class 3 Public Primary CA – G1.5
SHA1 Fingerprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b

   VeriSign Class 3 Public Primary CA – G2
SHA1 Fingerprint: 85 37 1c a6 e5 50 14 3d ce 28 03 47 1b de 3a 09 e8 f8 77 0f

   VeriSign Class 3 Public Primary CA – G3
SHA1 Fingerprint: 13 2d 0d 45 53 4b 69 97 cd b2 d5 c3 39 e2 55 76 60 9b 5c c6

   VeriSign Class 3 Public Primary CA – G5
SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5

   Go Daddy Class 2 CA
SHA1 Fingerprint: 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4

   Comodo AAA CA
SHA1 Fingerprint: d1 eb 23 a4 6d 17 d6 8f d9 25 64 c2 f1 f1 60 17 64 d8 e3 49

   Starfield Class 2 CA
SHA1 Fingerprint: ad 7e 1c 28 b0 64 ef 8f 60 03 40 20 14 c3 d0 e3 37 0e b5 8a

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.