
Using the Certificate Management API

The HLAPI implements the Certificate Management feature in the Certificate Management API.

The available methods are described in the ICertificateManagement interface.

Examples

These C# examples show how to use the Certificate Management API (after connecting to the Intel AMT device). An example that loads a certificate from a path works only if a certificate exists at that path.

Add a certificate to the certificate store

X509Certificate2 certificate = new X509Certificate2(@"..\..\CertificateName.p12", "q", X509KeyStorageFlags.Exportable);
amt.Config.CertificateManagement.AddCertificate(certificate);

 

Add a chain to the certificate store

// Add a chain of trusted certificates:
// 1. Create an X509Chain object.
// 2. Give the X509Chain object an additional certificate store from which the chain will be built.
// 3. Build the certificate chain.
// 4. Add the chain elements to the certificate store.

X509Certificate2 rootCertificate = new X509Certificate2(@"..\..\RootCert.cer");
X509Certificate2 leafCertificate = new X509Certificate2(@"..\..\LeafCert.p12", "q", X509KeyStorageFlags.Exportable);
X509Chain trustedChain = new X509Chain();

trustedChain.ChainPolicy.ExtraStore.Add(rootCertificate);
// AllFlags sets every verification flag, so Build ignores all chain validation errors.
trustedChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
trustedChain.Build(leafCertificate);

 

Note:

When adding a certificate chain, if there is not enough space for all the certificates in the added chain, no certificate will be added.
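
An added example (not Intel's code and not part of the HLAPI): a pre-flight check that, unlike the X509VerificationFlags.AllFlags setting in the snippet above, lets Build fail on expired or otherwise invalid certificates and pins the chain to the intended root before anything is passed to the Certificate Management API. The helper name ChainsToPinnedRoot and the in-memory certificates are constructed for illustration; CertificateRequest is assumed to be available (.NET Framework 4.7.2 or later, or .NET Core).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainPreflight
{
    // Hypothetical helper: true only when 'leaf' builds a time-valid chain that ends in 'pinnedRoot'.
    public static bool ChainsToPinnedRoot(X509Certificate2 leaf, X509Certificate2 pinnedRoot)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(pinnedRoot);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // constructed certs have no CRL/OCSP
        // Tolerate only "root is not in the OS trust store"; expiry and signature errors still fail.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!chain.Build(leaf)) return false;
        // The flag above can also let a partial chain through, so compare the last element explicitly.
        X509Certificate2 top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return top.RawData.SequenceEqual(pinnedRoot.RawData);
    }

    static X509Certificate2 MakeRoot(string cn, RSA key, DateTimeOffset now)
    {
        var req = new CertificateRequest(cn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        return req.CreateSelfSigned(now.AddDays(-2), now.AddDays(30));
    }
    static X509Certificate2 MakeLeaf(string cn, X509Certificate2 issuer, RSA key, DateTimeOffset from, DateTimeOffset to)
    {
        var req = new CertificateRequest(cn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.Create(issuer, from, to, Guid.NewGuid().ToByteArray());
    }
    static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        using (RSA rootKey = RSA.Create(2048), otherKey = RSA.Create(2048), leafKey = RSA.Create(2048))
        {
            // Constructed sample certificates, generated in memory for this example only.
            X509Certificate2 root = MakeRoot("CN=Constructed Root", rootKey, now);
            X509Certificate2 otherRoot = MakeRoot("CN=Unrelated Root", otherKey, now);
            X509Certificate2 good = MakeLeaf("CN=Constructed Leaf", root, leafKey, now.AddDays(-1), now.AddDays(10));
            X509Certificate2 expired = MakeLeaf("CN=Expired Leaf", root, leafKey, now.AddDays(-1), now.AddHours(-1));
            Console.WriteLine(ChainsToPinnedRoot(good, root));      // valid leaf, pinned to its own issuer
            Console.WriteLine(ChainsToPinnedRoot(good, otherRoot)); // same leaf, pinned to an unrelated root
            Console.WriteLine(ChainsToPinnedRoot(expired, root));   // expired leaf under the right root
        }
    }
}
```

Only the first case passes the check; with AllFlags, Build would not report the expired leaf as an error.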

 

Retrieve all certificates

List<X509Certificate2> certificates = amt.Config.CertificateManagement.GetAllCertificates();
foreach (X509Certificate2 certificate in certificates)
{
    Console.WriteLine("Name : {0}.  Issuer : {1}.  Subject : {2}.  Has Private Key : {3}",
        certificate.FriendlyName, certificate.Issuer, certificate.Subject, certificate.HasPrivateKey);
}

 

Retrieve all TrustedRootCertificates

List<X509Certificate2> certificates = amt.Config.CertificateManagement.GetTrustedRootCertificates();
foreach (X509Certificate2 certificate in certificates)
{
    Console.WriteLine("Name : {0}.  Issuer & Subject : {1}.  Has Private Key : {2}",
        certificate.FriendlyName, certificate.Issuer, certificate.HasPrivateKey);
}

 

Retrieve all NonTrustedRootCertificates

List<X509Certificate2> certificates = amt.Config.CertificateManagement.GetNonTrustedRootCertificates();
foreach (X509Certificate2 certificate in certificates)
{
    Console.WriteLine("Name : {0}.  Issuer : {1}.  Subject : {2}.  Has Private Key : {3}",
        certificate.FriendlyName, certificate.Issuer, certificate.Subject, certificate.HasPrivateKey);
}

 

Retrieve a chain of certificates from the certificate store

X509Certificate2 certificate = new X509Certificate2(@"..\..\CertificateName.p12", "q", X509KeyStorageFlags.Exportable);
X509Chain chain = amt.Config.CertificateManagement.GetChain(certificate);

 

Note:

Enter an existing certificate with a private key to build a chain with the appropriate subCA certificates from the certificate store.

 

Remove a certificate from the certificate store

X509Certificate2 certificate = new X509Certificate2(@"..\..\CertificateName.p12", "q", X509KeyStorageFlags.Exportable);
amt.Config.CertificateManagement.RemoveCertificate(certificate);

 

Remove all certificates from the certificate store

// Delete all certificates including their private keys.

amt.Config.CertificateManagement.RemoveAllCertificates(true);

 

Remove all trustedRootCertificates from the certificate store

amt.Config.CertificateManagement.RemoveTrustedRootCertificates();

 

Remove all nonTrustedRootCertificates from the certificate store

// Delete non-trusted root certificates without deleting their private keys.
amt.Config.CertificateManagement.RemoveNonTrustedRootCertificates(false);

 

 

 

Note:

To manage the certificate store without any intervention from other Intel AMT features, you must set the amt.Config.CertificateManagement.ManageCertificateManually property to true. If the property's value is false, a certificate may be removed when a linked profile/feature is deleted.

When adding a certificate chain, if there is not enough space for all the certificates in the added chain, no certificate will be added.

When deleting a specified certificate with an X509Certificate property, the certificate and its private keys will be deleted even if the X509Certificate property contained only the certificate without the certificate's private key.

See Also:

   Connecting to an Intel AMT Device

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.