Configure PKI Web Server Certificates for each Management Controller Intel Confidential 1 Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™ • There are three types of Certificates that are used in association to Intel vPro client provisioning and management within ConfigMgr 2007 SP2 • Intel® AMT Self Signed Certificate • Used during PKI provisioning to secure the connection • Transparent to process • Intel® AMT Provisioning Certificate • Used for Remote Configuration authentication by the Out of Band Service Point • Can be generated from Internal PKI Infrastructure or purchased from 3rd Party CA (VeriSign*, GoDaddy*, Comodo, Starfield) • Provisioning certificate can be generated from internal PKI environment • Require Internal Root hash to be imported into the MEBx • Requires Option 15 set on DHCP to support “Zero Touch” Configuration • Intel® AMT Web Server Certificate • Used to secure a connection to Intel AMT client by the management console • Issued to the Intel AMT client during the provisioning process • ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft Enterprise CA • PKI certificate key sizes <=2048-bits Intel Confidential 2 Enterprise CA & Provision Certificate Configuration • Assumes that a Microsoft Enterprise CA exists and is already configured • Two Certificates Required: Intel® AMT Provisioning & Intel AMT TLS Web Server Cert • Intel AMT Provisioning Certificate (Used for Provisioning) • • Determine 3rd party or Self Generated • 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield) • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1 • Self Generated from Internal PKI infrastructure • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2 Export Cert for ConfigMgr 2007 SP2 / WS-MAN Translator in later configuration step • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3 • Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro) • Create New Web server Template • Recommend certificate name: ConfigMgr AMT Web Server Certificate • Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver • 802.1x RADIUS Certificate (Optional for 802.1x networks) • • Create New RADIUS Client Template for 802.1x network Allows AMT to securely authenticate to an 802.1x network without an OS present • Recommend certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate • Ensure you select Supply in the request to provide the Subject Name • Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions • http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate Intel Confidential 3 Configure PKI Web Server Certificate Template Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority Expand DC1.vprodemo.com Note: This is a Microsoft Enterprise Certificate Authority, Standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™ Right Click on Certificate Templates > Manage Intel Confidential 4 Configure PKI Web Server Certificate Template In the Certificate Templates Console on the right hand window pane, right click on Web Server and select Duplicate Template In the Duplicate Template Window Select the radio button for Windows 2003 Server, Enterprise Edition Click OK In the Properties of New Template Window on the General Tab: Enter ConfigMgr AMT Web Server Certificate Proceed to next foil to set security rights on this template Intel Confidential 5 Apply Security Permission to Web Server Certificate Template In the Properties of New Template window, click the Security tab Click Add Select ConfigMgr Primary Site Servers group Click OK With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll Click OK Close the Certificate Templates Console Intel Confidential 6 Issue Web Server Certificate Template In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template created in the previous step) Click OK Intel Confidential 7 Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2 In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand window and ready for use by the Out of Band Service Point Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system during the provisioning process and used for TLS session during management of Intel AMT. Intel Confidential 8 Configure RADIUS Client Certificate Template Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority Expand DC1.vprodemo.com Right Click on Certificate Templates > Manage Intel Confidential 9 Configure RADIUS Client Certificate Template In the Certificate Templates Console on the right hand window pane, right click on Workstation Authentication and select Duplicate Template In the Duplicate Template Window Select the radio button for Windows 2003 Server, Enterprise Edition Click OK In the Properties of New Template Window General Tab: Enter ConfigMgr AMT 802.1X Client Authentication Certificate Subject Name Tab: Select Supply in the request Click OK in the warning message Proceed to next foil to set security rights on this template Intel Confidential 10 Apply Security Permission to ConfigMgr AMT 802.1X Client Authentication Certificate Template In the Properties of New Template window, click the Security tab Click Add Select ConfigMgr Primary Site Servers group Click OK With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll Click OK Close the Certificate Templates Console Intel Confidential 11 Issue RADIUS Client Certificate Template In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue In the Enable Certificate Templates Window, select ConfigMgr AMT 802.1X Client Authentication Certificate (this template created in the previous step) Click OK Intel Confidential 12 RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2 In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right hand window and ready for use by the Out of Band Service Point Note: This Certificate Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system and stored in the firmware during the provisioning process and allow vPro systems to authenticate to an 802.1x network while OS is in a sleep/off state. Intel Confidential 13 Configure Root CA to Allow Revocation of Client Management Controller Certificates In the Certification Authority Window, right click on DC1.vprodemo.com and select Properties In the DC1.vprodemo.com Properties Window, select the Security tab Click Add Intel Confidential 14 Configure Root CA to Allow Revocation of Client Management Controller Certificates Add the ConfigMgr Primary Site Servers group Click OK Select the ConfigMgr Primary Site Servers group Check Allow Issue and Manage Certificates and Request Certificates permissions for this group Click OK Note: This setting is required when you are performing actions like an unprovision of the Management Controller. This will keep your PKI Issued certificates cleaned up (revoked). Intel Confidential 15