Certificates for SCCM and vPro

Configure PKI Web Server Certificates for each Management Controller
Intel Confidential
Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™
• Three types of certificates are used for Intel vPro client provisioning and management with ConfigMgr 2007 SP2:
• Intel® AMT Self-Signed Certificate
  • Generated by the AMT firmware and used during PKI provisioning to secure the initial connection
  • Transparent to the process (no administrator action required)
• Intel® AMT Provisioning Certificate
  • Used for Remote Configuration authentication by the Out of Band Service Point
  • Can be issued by the internal PKI or purchased from a 3rd party CA whose root hash is already in the AMT firmware (VeriSign*, GoDaddy*, Comodo, Starfield)
  • If issued by the internal PKI, the hash of the internal root CA certificate must be entered in the MEBx of each client
  • Requires DHCP option 15 (domain name) to be set so that "Zero Touch" configuration can match the client's DNS suffix against the certificate's FQDN
• Intel® AMT Web Server Certificate
  • Used by the management console to secure the TLS connection to the Intel AMT client
  • Issued to each Intel AMT client during the provisioning process
  • ConfigMgr 2007 SP2 requires this certificate to be issued by a Microsoft Enterprise CA
• PKI certificate key sizes must be 2048 bits or less; larger keys are not accepted by the Intel AMT firmware
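The three requirements just listed for the provisioning certificate (key size, root hash for the MEBx, DHCP option 15 domain match) can be checked before any client is touched. The following PowerShell is an added example, not code from the deck or from Intel/Microsoft; the PFX and root certificate paths are hypothetical, the DHCP-suffix lookup assumes the host running it sits in the same DHCP scope as the AMT clients, and the Intel marker check (OU "Intel(R) Client Setup Certificate" or EKU OID 2.16.840.1.113741.1.2.3) comes from Intel's remote-configuration requirements rather than from this slide.

```powershell
# Added example, not part of the original deck: pre-flight checks on an
# Intel AMT provisioning certificate and the root CA it chains to.
# Hypothetical inputs: C:\Certs\amt-provisioning.pfx and C:\Certs\root.cer.
# Runs on Windows PowerShell 2.0 or later.

function Test-AmtProvisioningCert {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$RootCerPath,
        # DNS suffix the clients receive via DHCP option 15. Read from this
        # host's DHCP-configured adapter when not supplied (assumption: this
        # host is served by the same scope as the AMT clients).
        [string]$DhcpDomain
    )

    $cert = Get-PfxCertificate -FilePath $PfxPath      # prompts for the PFX password
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerPath)

    if (-not $DhcpDomain) {
        $DhcpDomain = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE AND DHCPEnabled=TRUE' |
            Select-Object -First 1 -ExpandProperty DNSDomain
    }

    # 1. Key size: the deck states the AMT firmware accepts keys of 2048 bits or less.
    $keyBits = $cert.PublicKey.Key.KeySize
    $keyOk = ($keyBits -le 2048)

    # 2. Intel remote-configuration marker (Intel requirement, not on the slide):
    #    OU "Intel(R) Client Setup Certificate" in the subject, or the EKU OID
    #    2.16.840.1.113741.1.2.3 in the Enhanced Key Usage extension (2.5.29.37).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasOid = $false
    if ($eku) {
        $hasOid = ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '2.16.840.1.113741.1.2.3' }) -ne $null
    }
    $hasOu = $cert.Subject -match 'OU=Intel\(R\) Client Setup Certificate'
    $markerOk = $hasOid -or $hasOu

    # 3. Zero touch: the domain part of the certificate's CN must equal the DHCP
    #    option 15 suffix (CN=provisioning.vprodemo.com needs vprodemo.com).
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $certDomain = $cn.Substring($cn.IndexOf('.') + 1)
    $domainOk = [bool]($DhcpDomain -and ($certDomain -ieq $DhcpDomain))

    # 4. Root hash for the MEBx: the SHA-1 thumbprint of the root CA certificate
    #    is the value entered in the MEBx for an internal PKI; 3rd party roots
    #    are already in the firmware hash list.
    $rootThumbprint = $root.Thumbprint

    New-Object PSObject -Property @{
        Subject         = $cert.Subject
        KeyBits         = $keyBits
        KeySizeOk       = $keyOk
        IntelMarkerOk   = $markerOk
        CertDomain      = $certDomain
        DhcpDomain      = $DhcpDomain
        ZeroTouchOk     = $domainOk
        RootCA          = $root.Subject
        RootSha1ForMebx = $rootThumbprint
        Ready           = ($keyOk -and $markerOk -and $domainOk)
    }
}

# Usage (hypothetical paths and domain):
# Test-AmtProvisioningCert -PfxPath C:\Certs\amt-provisioning.pfx -RootCerPath C:\Certs\root.cer -DhcpDomain vprodemo.com
```

If `ZeroTouchOk` is false the clients will still provision, but only after the root hash and provisioning server FQDN are entered manually in the MEBx, which is exactly the "touch" the DHCP option 15 setting is meant to remove.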
Enterprise CA & Provisioning Certificate Configuration
• Assumes that a Microsoft Enterprise CA exists and is already configured
• Two certificates are required: the Intel® AMT Provisioning certificate and the Intel AMT TLS Web Server certificate
• Intel AMT Provisioning Certificate (used for provisioning)
  • Determine whether to use a 3rd party CA or an internally generated certificate
    • 3rd party CA (VeriSign*, Go Daddy*, Comodo, Starfield)
      • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1
    • Self-generated from the internal PKI infrastructure
      • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2
  • Export the certificate (with its private key) for the ConfigMgr 2007 SP2 Out of Band Service Point / WS-MAN Translator in a later configuration step
    • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3
• Web Server Certificate (Intel AMT TLS certificate used for securely managing vPro)
  • Create a new Web Server template
    • Recommended certificate name: ConfigMgr AMT Web Server Certificate
    • The primary site server computer account (ConfigMgr 2007 SP2 server) must have Read and Enroll permissions
    • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver
• 802.1X RADIUS Certificate (optional, for 802.1X networks)
  • Create a new RADIUS client template for the 802.1X network
    • Allows AMT to authenticate securely to an 802.1X network without an OS present
    • Recommended certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate
    • Ensure you select Supply in the request to provide the Subject Name
    • The primary site server computer account (ConfigMgr 2007 SP2 server) must have Read and Enroll permissions
    • http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate
Configure PKI Web Server Certificate Template
• On the issuing CA server, click Start > Programs > Administrative Tools > Certification Authority
• Expand DC1.vprodemo.com
Note: This is a Microsoft Enterprise Certification Authority. Standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™, because the Out of Band Service Point enrolls against certificate templates and only an Enterprise CA provides them.
• Right-click Certificate Templates > Manage
Configure PKI Web Server Certificate Template (continued)
• In the Certificate Templates Console, in the right-hand pane, right-click Web Server and select Duplicate Template
• In the Duplicate Template window:
  • Select the radio button for Windows Server 2003 Enterprise Edition (do not select the Windows Server 2008 version)
  • Click OK
• In the Properties of New Template window, on the General tab:
  • Enter the display name ConfigMgr AMT Web Server Certificate
• Proceed to the next slide to set security rights on this template
Apply Security Permissions to the Web Server Certificate Template
• In the Properties of New Template window, click the Security tab
• Click Add
• Select the ConfigMgr Primary Site Servers group (the group that contains the primary site server computer accounts)
• Click OK
• With the ConfigMgr Primary Site Servers group highlighted, check Allow for Read and Enroll
• Click OK
• Close the Certificate Templates Console
Note: Grant Enroll only to this group. The Web Server template lets the requester supply the subject name, so any principal that can enroll on it can obtain a certificate for any Intel® AMT system's FQDN.
Issue the Web Server Certificate Template
• In the Certification Authority window, right-click Certificate Templates > New > Certificate Template to Issue
• In the Enable Certificate Templates window, select ConfigMgr AMT Web Server Certificate (the template created in the previous step)
• Click OK
Web Server Certificate Template issued in the CA for use by ConfigMgr 2007 SP2
• In the Certification Authority window > Certificate Templates, ConfigMgr AMT Web Server Certificate is now listed in the right-hand pane and ready for use by the Out of Band Service Point
Note: ConfigMgr 2007 SP2 uses this template to request a unique certificate for each Intel® AMT system during the provisioning process; the certificate is stored in the AMT firmware and used for the TLS session during management of Intel AMT.
Configure RADIUS Client Certificate Template
• On the issuing CA server, click Start > Programs > Administrative Tools > Certification Authority
• Expand DC1.vprodemo.com
• Right-click Certificate Templates > Manage
Configure RADIUS Client Certificate Template (continued)
• In the Certificate Templates Console, in the right-hand pane, right-click Workstation Authentication and select Duplicate Template
• In the Duplicate Template window:
  • Select the radio button for Windows Server 2003 Enterprise Edition
  • Click OK
• In the Properties of New Template window:
  • General tab: enter the display name ConfigMgr AMT 802.1X Client Authentication Certificate
  • Subject Name tab: select Supply in the request, then click OK in the warning message. The certificate identifies the AMT firmware rather than a domain computer account, so the Out of Band Service Point must supply the AMT system's name in each request instead of having the CA build the subject from Active Directory.
• Proceed to the next slide to set security rights on this template
Apply Security Permissions to the ConfigMgr AMT 802.1X Client Authentication Certificate Template
• In the Properties of New Template window, click the Security tab
• Click Add
• Select the ConfigMgr Primary Site Servers group
• Click OK
• With the ConfigMgr Primary Site Servers group highlighted, check Allow for Read and Enroll
• Click OK
• Close the Certificate Templates Console
Issue the RADIUS Client Certificate Template
• In the Certification Authority window, right-click Certificate Templates > New > Certificate Template to Issue
• In the Enable Certificate Templates window, select ConfigMgr AMT 802.1X Client Authentication Certificate (the template created in the previous step)
• Click OK
RADIUS Client Certificate Template issued in the CA for use by ConfigMgr 2007 SP2
• In the Certification Authority window > Certificate Templates, ConfigMgr AMT 802.1X Client Authentication Certificate is now listed in the right-hand pane and ready for use by the Out of Band Service Point
Note: ConfigMgr 2007 SP2 uses this template to request a unique certificate for each Intel® AMT system during the provisioning process. The certificate is stored in the AMT firmware and allows vPro systems to authenticate to an 802.1X network while the OS is in a sleep or off state.
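The Security-tab and "Certificate Template to Issue" steps are identical for the Web Server template (slides 4 to 8) and the 802.1X client template (slides 9 to 13), so both are worth scripting once, for example to repeat them on a second issuing CA. The following PowerShell is an added example and is not code from the deck, from Intel or from Microsoft. It assumes the two templates were already duplicated in the Certificate Templates console with the display names the deck recommends, so their Active Directory template names (display name with spaces removed) are ConfigMgrAMTWebServerCertificate and ConfigMgrAMT802.1XClientAuthenticationCertificate; the group name VPRODEMO\ConfigMgr Primary Site Servers and the domain are hypothetical. It is run on the Enterprise CA itself with Enterprise Admin rights, since template ACLs live in the Configuration partition.

```powershell
# Added example, not part of the original deck: grants Read + Enroll on a
# certificate template to the site server group and publishes the template on
# the local Enterprise CA, i.e. the Security tab and "Certificate Template to
# Issue" steps of the slides above. Group and template names are assumptions.

# Control-access right GUID for Certificate-Enrollment ("Enroll" in the MMC).
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Grant-TemplateReadEnroll {
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName,
        [Parameter(Mandatory = $true)][string]$Principal
    )
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    if (-not [ADSI]::Exists($path)) {
        throw "Template $TemplateName not found in AD; duplicate it in the Certificate Templates console first."
    }
    $template = [ADSI]$path

    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate([System.Security.Principal.SecurityIdentifier])
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead   # "Read" in the MMC
    $extRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight # carrier for "Enroll"

    $readRule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $genericRead, $allow
    $enrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $extRight, $allow, $EnrollRightGuid

    $template.psbase.ObjectSecurity.AddAccessRule($readRule)
    $template.psbase.ObjectSecurity.AddAccessRule($enrollRule)
    $template.psbase.CommitChanges()
}

function Publish-TemplateOnCA {
    param([Parameter(Mandatory = $true)][string]$TemplateName)
    # Equivalent of Certificate Templates > New > Certificate Template to Issue on the local CA.
    certutil -SetCATemplates "+$TemplateName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil could not publish $TemplateName (has the template replicated to the DC the CA uses?)"
    }
}

function Test-TemplatePublished {
    param([Parameter(Mandatory = $true)][string]$TemplateName)
    # certutil -CATemplates prints one "<TemplateName>: <Display Name> -- ..." line per published template.
    $listed = certutil -CATemplates | Select-String -SimpleMatch "${TemplateName}:"
    return [bool]$listed
}

$group = 'VPRODEMO\ConfigMgr Primary Site Servers'
foreach ($t in 'ConfigMgrAMTWebServerCertificate', 'ConfigMgrAMT802.1XClientAuthenticationCertificate') {
    Grant-TemplateReadEnroll -TemplateName $t -Principal $group
    Publish-TemplateOnCA -TemplateName $t
    '{0}: published={1}' -f $t, (Test-TemplatePublished -TemplateName $t)
}
```

The template object is edited in the Configuration naming context, so on a multi-DC forest the CA may not see the new ACL or the new template until replication completes; `Publish-TemplateOnCA` fails with a template-not-found error from certutil in that case and can simply be re-run later.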
Configure the Root CA to Allow Revocation of Client Management Controller Certificates
• In the Certification Authority window, right-click DC1.vprodemo.com and select Properties
• In the DC1.vprodemo.com Properties window, select the Security tab
• Click Add
Configure the Root CA to Allow Revocation of Client Management Controller Certificates (continued)
• Add the ConfigMgr Primary Site Servers group
• Click OK
• Select the ConfigMgr Primary Site Servers group
• Check Allow for the Issue and Manage Certificates and Request Certificates permissions for this group
• Click OK
Note: This setting is required when you perform actions such as unprovisioning the Management Controller: ConfigMgr revokes the certificates it issued to that AMT system, which keeps your PKI-issued certificates cleaned up (revoked). Issue and Manage Certificates is the CA's certificate manager role and lets its holder revoke any certificate the CA has issued, so grant it only to the group that contains the primary site server computer accounts.
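The permission granted above is what ConfigMgr exercises when it unprovisions a Management Controller. The following PowerShell is an added example, not code from the deck or from ConfigMgr; it performs the same cleanup by hand for one AMT system (for instance a client that was retired without being unprovisioned) and verifies the result. The CA configuration string DC1.vprodemo.com\vprodemo-DC1-CA and the host client01.vprodemo.com are hypothetical, and it must run as a principal holding Issue and Manage Certificates on the CA, such as a member of ConfigMgr Primary Site Servers.

```powershell
# Added example, not part of the original deck or of ConfigMgr: find the
# certificates the CA issued to one Intel AMT system, revoke them, publish a
# new CRL, and confirm nothing is still marked Issued. CA config string and
# host name are assumptions.

function Get-AmtIssuedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CAConfig,
        [Parameter(Mandatory = $true)][string]$HostFqdn
    )
    # Disposition 20 = Issued. ConfigMgr requests the AMT web server and 802.1X
    # certificates with the AMT system's FQDN as the subject common name.
    $restrict = "Disposition=20,CommonName=$HostFqdn"
    $csv = certutil -config $CAConfig -view -restrict $restrict -out "RequestID,SerialNumber,CertificateTemplate,NotAfter" csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $($csv -join ' ')" }
    $csv | ConvertFrom-Csv
}

function Revoke-AmtCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CAConfig,
        [Parameter(Mandatory = $true)][string]$HostFqdn,
        [switch]$Commit    # without -Commit the function only lists what it would revoke
    )
    $rows = @(Get-AmtIssuedCertificate -CAConfig $CAConfig -HostFqdn $HostFqdn)
    if ($rows.Count -eq 0) { Write-Warning "No issued certificates found for $HostFqdn"; return }

    foreach ($row in $rows) {
        $serial = $row.'Serial Number'
        if (-not $Commit) {
            'would revoke serial {0} (request {1})' -f $serial, $row.'Request ID'
            continue
        }
        # Reason 5 = CessationOfOperation: the management controller is gone.
        # This call is what needs Issue and Manage Certificates on the CA.
        certutil -config $CAConfig -revoke $serial 5 | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Revocation of $serial failed (missing Issue and Manage Certificates?)" }
        "revoked serial $serial"
    }

    if ($Commit) {
        # Publish a new base CRL so relying parties see the revocation promptly.
        certutil -config $CAConfig -CRL | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed' }
        if (@(Get-AmtIssuedCertificate -CAConfig $CAConfig -HostFqdn $HostFqdn).Count -ne 0) {
            throw "Certificates for $HostFqdn still show as Issued"
        }
    }
}

# Usage (hypothetical CA and host):
# Revoke-AmtCertificate -CAConfig 'DC1.vprodemo.com\vprodemo-DC1-CA' -HostFqdn client01.vprodemo.com          # dry run
# Revoke-AmtCertificate -CAConfig 'DC1.vprodemo.com\vprodemo-DC1-CA' -HostFqdn client01.vprodemo.com -Commit
```

The dry run is the default on purpose: the query is by common name only, so check the listed request IDs and templates before committing, in case another certificate was issued to the same FQDN from a template unrelated to AMT.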