Configure Certificates for Intel AMT
Intel AMT configuration is a process that involves server components and client components. Before the client components can be deployed, the server components must be configured. The process for installing and configuring these server components and certificates is detailed below as a sequence of tasks.
Task: Create AMT Configuration Service Account
Create a new account in Microsoft Active Directory. This account will be used to run the Intel Remote Configuration Service (RCS) on the server, to interact with the Microsoft Certificate Authority, and can be used by the Intel AMT configurator (ACUconfig.exe) during AMT configuration events on the client. Since this is a service account, be sure to use a strong password. Set the account properties such that the user cannot change the password and the password never expires.
Note: This account does not need domain admin rights. Standard user privileges in addition to the privileges specified in this document are sufficient.
On a server with Administrative Tools for your domain, launch Active Directory Users and Computers and create a new account.
Make this service account a local administrator on the server that will run the Intel Remote Configuration Service (RCS). In this example, the server running ePO Console is also running Intel RCS.
Log in to the server and launch Server Manager. Expand Configuration > Local Users and Groups. Right-click on Administrators and select Add to Group.
Click Add and then select your service account. Click OK to finish the process.
The service account is now created. Additional privileges will be granted to this account later in the document.
Task: Export the public root certificate from your Microsoft Certificate Authority
If you do not have a Microsoft Certificate Authority with Web Enrollment enabled in your environment, please see McAfee Deep Command Installation Guide Appendix A.
The public root certificate for your Microsoft Certificate Authority must be installed on all server components used by McAfee Deep Command and must also be checked in to McAfee ePO. Use the following task to export the public root certificate from the Microsoft Certificate Authority.
Log in to your Microsoft Certificate Authority server. Launch the Server Manager and expand Roles > Active Directory Certificate Services. Right-click your Certificate Authority (RootCA in this example) and select Properties.
Select the General tab. Select your certificate (Certificate #0 in this example) and click View Certificate.
Select the Details tab. Then click Copy to File to start the certificate export process.
You will see the Certificate Export Wizard. Click Next to proceed.
In the Export File Format screen, select Base-64 encoded X.509 (.CER). Then click Next to proceed.
In the Files to Export screen, select a destination for the file. Then click Next to proceed.
In the Completing the Certificate Export Wizard screen, click Finish to complete the process. This certificate will be checked into ePO in Step 4 of this guide.
Note: Domain services will replicate this root certificate to all servers that are members of the domain. If your McAfee ePO server or Agent Handlers are not members of a domain, then you must manually install the root certificate. See Appendix B for instructions on how to manually install the root certificate.
Task: Grant Service Account Privileges to Microsoft Certificate Authority
The final step of configuring the Microsoft Certificate Authority for use with Intel RCS is to grant your service account the specific privileges it needs to interact with the Microsoft Certificate Authority. This will allow the service account to distribute TLS certificates to Intel AMT clients during configuration.
Log in to your Microsoft Certificate Authority server. Launch Server Manager and expand Roles > Active Directory Certificate Services. Select Certificate Templates, then right-click on Web Server and select Properties.
In the Web Server Properties screen, select the Security tab. Then click Add to add your service account. With your service account highlighted, grant both Read and Enroll privileges. Click Apply to complete the process.
Right-click your Certificate Authority (RootCA in this example) and select Properties.
In the Security tab, click Add and add your service account. Grant the service account permissions to Request Certificates and also to Issue and Manage Certificates.
The service account now has the ability to Request, Issue, and Manage Web Server certificates for all Intel AMT clients during configuration.
Task: Get SSL Certificate for Remote Intel AMT Configuration
An SSL certificate is used to establish initial trust between your AMT clients and Intel RCS when initiating client configuration. All AMT clients ship with root hashes for defined vendors (Verisign, GoDaddy, Comodo, Starfield, Entrust, Cybertrust, etc.) embedded in the firmware. Therefore, a certificate from one of these vendors is required to configure AMT clients. This single certificate is completely separate from the one-per-client TLS certificates that will be issued by your Microsoft Certificate Authority.
Note: This SSL certificate is commonly referred to as the Remote Configuration Certificate.
Getting the SSL certificate is a three step process:
- Create a certificate signing request.
- Complete the certificate request.
- Export the SSL certificate so that it can be used in Intel AMT configuration.
To start the process, you need access to a server with IIS installed. You can use the Microsoft Certificate Authority server since that has IIS installed.
Log in to a server with IIS installed. Launch Server Manager, expand Roles > Web Server (IIS) and select Internet Information Services (IIS) Manager. Select your server in the Connections column and open Server Certificates.
In the Actions column, select Create Certificate Request.
Complete the Certificate Request wizard. Be sure that the Common Name field includes the correct DNS suffix as defined by the DHCP option 15 value for your environment. This can be verified on clients by running ipconfig and looking at the connection-specific DNS suffix.
Once the fields are completed similar to the example below, click Next to proceed.
Note: The Organizational unit value must be set to Intel(R) Client Setup Certificate.
In the Cryptographic Service Provider Properties screen, use the default values of Microsoft RSA SChannel Cryptographic Provider with Bit length of 1024. Click Next to proceed.
Note: The bit length can be 1024 or 2048. Most Certificate Authorities will prefer 2048 bit length.
In the File Name screen, give the certificate request a name and save it on the Desktop. Then click Next to proceed.
The resulting file can be sent to an approved certificate authority, and they will provide a certificate response file.
Note: For more information on valid Certificate Authorities, see http://communities.intel.com/docs/DOC-1277
When the certificate authority provides a certificate response file, go back into IIS and select Complete Certificate Request.
In the Certificate Authority Response screen, select the file that was provided by the external certificate authority. Give the certificate a friendly name (AMT Remote Configuration Certificate is used in this example). Click OK to proceed.
The SSL certificate will now appear in IIS.
Note: You must also have valid root and intermediate certificates from the external CA. If not already present on your system, contact your certificate authority.
Double-click the certificate to open it and visually inspect it, ensuring the key properties and settings have been applied.
The General tab will show the certificate is valid for specific purposes with a clear statement of “You have a private key that corresponds to this certificate”.
Select the Details tab. Select the Subject under the Field column. The CN value must show the expected DNS suffix as aligned to your DHCP option 15 value used within the environment. The OU value must show Intel(R) Client Setup Certificate.
Note: The OU value may be different for certificates signed by Comodo. Comodo certificates use a specific OID value to designate an Intel(R) Client Setup Certificate.
Note: An additional validation step is to confirm the root certificate thumbprint hash value against the list of known root certificates stored within the Intel AMT firmware. If the previous two validation points are correct, the root certificate is usually valid.
Click OK to close the certificate. Close IIS to complete this process.
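The visual inspection above can also be scripted so the same checks are repeatable. This is an added example and not part of the guide or the Intel/McAfee tooling; it assumes the friendly name AMT Remote Configuration Certificate from the Complete Certificate Request step and a placeholder DNS suffix vprodemo.com, which you replace with your DHCP option 15 value. As the note above says, Comodo-issued certificates carry an OID instead of the OU, so the OU check is expected to fail for them.

```powershell
# Added example: validate the Remote Configuration Certificate in the local machine
# Personal store before it is exported. Assumed values are marked below.
$expectedSuffix = 'vprodemo.com'                        # assumption: your DHCP option 15 value
$friendlyName   = 'AMT Remote Configuration Certificate' # friendly name given in IIS

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $friendlyName } |
        Select-Object -First 1
if (-not $cert) { throw "Certificate '$friendlyName' not found in Cert:\LocalMachine\My" }

# Split the Subject distinguished name into its components (CN, OU, O, ...).
$rdn = @{}
foreach ($part in ($cert.Subject -split ',\s*')) {
    $kv = $part -split '=', 2
    if ($kv.Count -eq 2) { $rdn[$kv[0].Trim()] = $kv[1].Trim() }
}

$now = Get-Date
$checks = [ordered]@{
    'Private key present'                     = $cert.HasPrivateKey
    "CN ends with $expectedSuffix"            = $rdn['CN'] -like "*$expectedSuffix"
    'OU is Intel(R) Client Setup Certificate' = $rdn['OU'] -eq 'Intel(R) Client Setup Certificate'
    'Certificate currently within validity'   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
}

# Build the chain so the root the AMT firmware must recognise can be reported.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the point here
$checks['Chain builds to a trusted root'] = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$checks.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
"Root CA subject    : $($root.Subject)"
"Root CA thumbprint : $($root.Thumbprint)"
"Compare the root thumbprint with the root hash list in the AMT firmware (MEBx) or Intel's documentation."
```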
Task: Export SSL Certificate for Remote Intel AMT Configuration
The SSL certificate must now be exported so that it can be imported into the server where Intel RCS will be installed. In this document, Intel RCS will be installed on the same server as the McAfee ePO Console.
To export the SSL certificate, launch MMC and add the certificates snap-in (choose Computer Account). Expand Certificates (Local Computer) > Personal and select Certificates. Then right-click on the certificate and choose All Tasks > Export.
Note: Do not export the certificate from IIS, as the full certificate chain may not be included.
In the Export Private Key screen choose Yes, export the private key. Click Next to proceed.
In the Export File Format screen, select Personal Information Exchange – PKCS #12 (.PFX). Select the options ‘Include all certificates in the certification path if possible’ and ‘Export all extended properties’. Click Next to proceed.
In the Password screen, enter a strong password. Click Next to proceed.
In the Certificate Export Wizard screen, provide the path and file name for the resulting PFX file. In the example below, the file will be saved to the desktop of the server.
In the Completing the Certificate Export Wizard, choose Finish to complete the process.
Per the instructions provided thus far, you should have two certificates exported and ready for use. The first is the internal TLS public root certificate from your Microsoft Certificate Authority, shown below as rootcert.cer. The second is the remote configuration certificate (an SSL certificate from your external Certificate Authority) with all chain certificates, shown below as AMT_Configuration_cert.pfx.
Task: Import SSL Certificate for Remote Intel AMT Configuration to User Certificate Store
The remote configuration certificate must be installed in the correct user certificate store on the server that is running the Remote Configuration Service. In this example, that is the McAfee ePO server. The previously created service account will be used in this example.
To ensure the certificate is placed in the correct personal certificate store, open Microsoft Management Console (MMC) using the following command:
- runas /user:vprodemo\AMTConfigService mmc.exe
Note: In this example our domain is vprodemo. Adjust the command according to your domain and environment.
The user’s password can then be entered into the command window that appears.
Add the certificates snap-in with “My user account” selected and click Finish to proceed.
In the Microsoft Management Console, expand Certificates – Current User and select Personal. Then right-click and select All Tasks > Import.
In the Welcome to the Certificate Import Wizard, click Next to proceed.
In the File to Import screen, browse to the exported remote configuration certificate (AMT_configuration_cert.pfx in this example). Click Next to proceed.
Note: If you don’t see the certificate, remember that you are running MMC as the service account. You may need to browse to another location (e.g. the desktop of your administrator’s account) to find the certificate.
In the Password screen, enter the password and also select “Include all extended properties”.
Note: The Enable Strong Private Key Protection must not be selected. If selected and unchangeable, check the group policy settings for the server.
Click Next to proceed.
In the Certificate Store screen, select ‘Automatically select the certificate store based on the type of certificate’. Then click Next to proceed.
On the Completing the Certificate Import wizard, click Finish to proceed.
The certificate will now appear in the certificate store.
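The PFX export in the previous task and the import into the service account's Personal store in this task can also be done with the PKI module cmdlets (Windows Server 2012 or later) instead of the wizards. This is an added example, not part of the guide; it assumes the friendly name AMT Remote Configuration Certificate, the vprodemo\AMTConfigService service account, and the desktop path used earlier.

```powershell
# --- Part 1: run as an administrator on the server that holds the certificate ---
$friendlyName = 'AMT Remote Configuration Certificate'            # name given in IIS
$pfxPath      = "$env:USERPROFILE\Desktop\AMT_Configuration_cert.pfx"
$pfxPassword  = Read-Host -AsSecureString 'PFX password'

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $friendlyName -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key named '$friendlyName'" }

# -ChainOption BuildChain writes the intermediate and root certificates into the PFX,
# matching the wizard's "Include all certificates in the certification path" option.
# Not passing -NoProperties keeps the extended properties (the friendly name included),
# matching "Export all extended properties".
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain

# --- Part 2: run in a PowerShell started as the service account, for example
#     runas /user:vprodemo\AMTConfigService powershell.exe   (assumed domain and account)
# Cert:\CurrentUser\My in that session is the service account's Personal store, which is
# the store Intel RCS reads. Import-PfxCertificate never enables strong private key
# protection, so the setting the note above warns about does not come into play.
$pfxPath     = 'C:\Users\Administrator\Desktop\AMT_Configuration_cert.pfx'   # assumed path
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# Confirm the end-entity certificate landed in the service account's store with its key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $imported.Thumbprint -contains $_.Thumbprint -and $_.HasPrivateKey } |
    Format-List Subject, FriendlyName, HasPrivateKey, NotAfter
```

The PFX file contains the private key of the remote configuration certificate, so delete it from the desktop once the import has been verified.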
You are now done with the SSL certificate. The trusted root certificate from your Microsoft CA (rootcert.cer) has been exported and will not be used until Step 4, where it will be checked in to ePO.