McAfee Deep Command Installation Guide Appendix A

Version 7

                                                             

    Set Up a Microsoft Enterprise Certificate Authority


                                                             

                                                                                                               

    Announcement: McAfee ePO Deep Command 2.0 Released June 25th!

    The information provided below is based on McAfee ePO Deep Command version 1.5. The new version 2.0 release includes Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot/reboot operations, and more. The improvements simplify the Intel® AMT configuration experience, enabling a faster path to using the technology solution.

     

    Microsoft Certificate Authority is optional and no longer required with Deep Command 2.0!

     


                                                                   

     

    Installing Microsoft Certificate Authority with Web Enrollment

    McAfee Deep Command requires Intel AMT to be configured for secure communication. This is done by configuring Intel AMT to encrypt its client to server communication with Transport Layer Security (TLS). A Microsoft Certificate Authority must be established to create TLS certificates for each Intel AMT client. AMT clients will then get those certificates via web enrollment.

     

    Note: You may already have a Microsoft CA in your environment.

    Note: In production environments, do not add the Microsoft Certificate Authority role to your McAfee ePO server. It should run from its own server.

    Note: This document shows Windows Server 2008, but Windows Server 2003 is also supported.

     

    Log in to the server that will function as your Microsoft Certificate Authority. Go to Server Manager, expand Roles, and choose Add Roles. Then check the box for Active Directory Certificate Services and click Next.

     

    Check the box for Certificate Authority Web Enrollment and click Next.


     

    Web Enrollment requires the server to be running IIS. Select Add Required Role Services to proceed.


     

    Validate that both Certificate Authority and Certificate Authority Web Enrollment are selected, then click Next to proceed.


     

    In the Specify Setup Type screen, select Enterprise. Then click Next to proceed.

     

    In the Set Up Private Key screen, select Create a new private key. Then click Next to proceed.

     

    In the Configure Cryptography for CA screen, use the default values, which should be:

    Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider

    Key character length: 2048

    Hash algorithm for signing certificates issued by this CA: SHA1

     

    In the Configure CA Name screen, enter a name for your CA in the Common name for this CA field. In this example, we name it RootCA. Then click Next to proceed.

     

    In the Set Validity Period screen, set the validity period in accordance with your company’s security policy. 5 Years is the default value and is used in this example.

     

    In the Configure Certificate Database screen, select the default values. Then click Next to proceed.


     

    The Microsoft Certificate Authority configuration is now complete, but we must also add IIS for Web Enrollment. In the Web Server (IIS) screen, simply click Next to proceed.


     

    In the Confirm Installation Selections screen, click Install to proceed.

     

    The Installation Progress screen will appear and will display the installation progress.


     

    Once complete, the Installation Results screen will appear. Click Close to complete the process. At this point, the Microsoft Certificate Authority role will be enabled with Web Enrollment.

     

    The final steps in preparing the Microsoft Certificate Authority are:

    • Enable the Read and Enroll permissions on the WebServer template
    • Enable the Security permissions Issue and Manage Certificates and Request Certificates
    • Set the Request Handling to automatically issue the certificate (see the Properties of the Microsoft CA, under the Policy Module tab)
    • Stop and start the Certificate Authority after changing the Request Handling policy
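
The following PowerShell check is an added example, not part of the McAfee guide: it reads back the cryptography settings chosen in the wizard and the Request Handling policy so they can be compared with your security policy before certificates are issued to Intel AMT clients. It assumes the default Microsoft policy module is in use, that the CA certificate is in the local machine's Personal store, and that it is run elevated on the CA server.

```powershell
# Added example (not from the McAfee guide). Run elevated on the CA server.
# Reads the active CA's configuration from the CertSvc registry key.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $base).Active   # "RootCA" in this guide's example
$caKey     = Join-Path $base $caName
$csp       = Get-ItemProperty -Path (Join-Path $caKey 'CSP')
$policyKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
$policy    = Get-ItemProperty -Path $policyKey

# RequestDisposition: low byte 1 = issue; flag 0x100 = hold the request as pending first.
$disp      = [int]$policy.RequestDisposition
$autoIssue = (($disp -band 0xFF) -eq 1) -and (($disp -band 0x100) -eq 0)

# The CA's own certificate shows the key size and signature hash actually in use.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

$report = New-Object PSObject -Property @{
    CAName             = $caName
    Provider           = $csp.Provider
    ConfiguredHash     = $csp.CNGHashAlgorithm       # wizard default above: SHA1
    CACertKeySize      = $caCert.PublicKey.Key.KeySize
    CACertSignatureAlg = $caCert.SignatureAlgorithm.FriendlyName
    CACertExpires      = $caCert.NotAfter
    RequestDisposition = ('0x{0:X}' -f $disp)
    AutoIssue          = $autoIssue
    ServiceStatus      = (Get-Service -Name CertSvc).Status
}
$report | Format-List

# Is the WebServer template published on this CA? (no output = not published)
certutil -CATemplates | Select-String -Pattern '^WebServer:'

if (-not $autoIssue) {
    Write-Warning 'Request Handling is not set to issue certificates automatically.'
}

# After changing Request Handling, restart the CA so the new policy takes effect:
# Restart-Service -Name CertSvc
```

With automatic issuance enabled, the Enroll permission on the WebServer template is the only gate on who can obtain a TLS certificate from this CA, so review that access list whenever this check reports AutoIssue as True.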

     

     
