McAfee Deep Command Installation Guide Appendix A

Version 7


    Set up a Microsoft Enterprise Certificate Authority

    Click here for instructions on Standalone CA setup



    Announcement: McAfee ePO Deep Command 2.0 Released June 25th!

    The information provided below is based on McAfee ePO Deep Command version 1.5. The new version 2.0 release includes Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot/reboot operations, and more. The improvements simplify the Intel® AMT configuration experience, enabling a faster path to using the technology solution.


    Microsoft Certificate Authority is optional and no longer required with Deep Command 2.0!


    Click here for the McAfee ePO Deep Command 2.0 Index of Resources



    Installing Microsoft Certificate Authority with Web Enrollment

    McAfee Deep Command requires Intel AMT to be configured for secure communication. This is done by configuring Intel AMT to encrypt its client-to-server communication with Transport Layer Security (TLS). A Microsoft Certificate Authority must be established to create TLS certificates for each Intel AMT client. AMT clients then obtain those certificates via web enrollment.


    Note: You may already have a Microsoft CA in your environment.

    Note: In production environments, do not add the Microsoft Certificate Authority role to your McAfee ePO server. It should run on its own server.

    Note: This document shows Windows Server 2008, but Windows Server 2003 is also supported.


    Log in to the server that will function as your Microsoft Certificate Authority. Go to Server Manager, expand Roles and choose Add Roles. Then check the box for Active Directory Certificate Services and click Next.



    Check the box for Certificate Authority Web Enrollment and click Next.



    Web Enrollment requires the server to be running IIS. Select Add Required Role Services to proceed.



    Validate that both Certificate Authority and Certificate Authority Web Enrollment are selected, then click Next to proceed.



    In the Specify Setup Type screen, select Enterprise. Then click Next to proceed.



    In the Set Up Private Key screen, select Create a new private key. Then click Next to proceed.



    In the Configure Cryptography for CA screen, use the default values, which should be:

    Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider

    Key character length: 2048

    Hash algorithm for signing certificates issued by this CA: SHA1



    In the Configure CA Name screen, enter a name for your CA in the Common name for this CA field. In this example, we name it RootCA. Then click Next to proceed.



    In the Set Validity Period screen, set the validity period in accordance with your company’s security policy. 5 years is the default value and is used in this example.



    In the Configure Certificate Database screen, select the default values. Then click Next to proceed.



    The Microsoft Certificate Authority configuration is now complete, but we must also add IIS for Web Enrollment. In the Web Server (IIS) screen, simply click Next to proceed.



    In the Confirm Installation Selections screen, click Install to proceed.



    The Installation Progress screen will appear and will display the installation progress.



    Once complete, the Installation Results screen will appear. Click Close to complete the process. At this point, the Microsoft Certificate Authority role will be enabled with Web Enrollment.



    The final steps in preparing the Microsoft Certificate Authority include:

    • Enable permissions for the WebServer template to Read and Enroll
    • Enable Security permissions to Issue and Manage Certificates along with Request Certificates
    • Set the Request Handling to Automatically Issue the certificate (see Properties of the Microsoft CA under the Policy Module tab)
    • Stop and Start the Certificate Authority after changing the Request Handling policy
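
    The script below is an added example, not part of the original guide: it reads the CA's stored configuration on the CA server and compares it with the values chosen in the steps above (CSP, key algorithm and length, hash algorithm, automatic issuance). It assumes an elevated PowerShell session on the CA server, the default Microsoft policy module, and the standard CertSvc registry location; the `New-Check` helper and variable names are illustrative.

```powershell
# Added example: compare the CA's stored configuration with the values from this guide.
# Assumes an elevated PowerShell session on the CA server and the default policy module.
$expected = @{ Provider = 'Microsoft Software Key Storage Provider'
               KeyAlgorithm = 'RSA'; HashAlgorithm = 'SHA1'; KeyLength = 2048 }

# Illustrative helper: one result row per setting.
function New-Check($Setting, $Actual, $Wanted) {
    New-Object PSObject -Property @{
        Setting = $Setting; Actual = $Actual; Expected = $Wanted; Match = ($Actual -eq $Wanted)
    }
}

# Standard AD CS configuration location; 'Active' holds the CA common name (RootCA here).
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caKey   = Join-Path $cfgRoot $caName
$csp     = Get-ItemProperty -Path (Join-Path $caKey 'CSP')
$policy  = Get-ItemProperty -Path (Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy')

# The CA certificate sits in the machine's Personal store; take the newest if it was renewed.
$pattern = '^CN=' + [regex]::Escape($caName) + '(,|$)'
$caCert  = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# RequestDisposition: low byte 1 = issue; flag 0x100 = hold every request as pending first.
$disp      = [int]$policy.RequestDisposition
$autoIssue = (($disp -band 0xFF) -eq 1) -and (($disp -band 0x100) -eq 0)

$results = @(
    New-Check 'CSP'                 $csp.Provider                   $expected.Provider
    New-Check 'Key algorithm'       $csp.CNGPublicKeyAlgorithm      $expected.KeyAlgorithm
    New-Check 'Hash algorithm'      $csp.CNGHashAlgorithm           $expected.HashAlgorithm
    New-Check 'CA key length'       $caCert.PublicKey.Key.KeySize   $expected.KeyLength
    New-Check 'Automatically issue' $autoIssue                      $true
)
$results | Format-Table Setting, Actual, Expected, Match -AutoSize

# Informational: CA certificate expiry (set on the Set Validity Period screen).
"CA certificate '{0}' valid until {1}" -f $caName, $caCert.NotAfter

# The policy change only takes effect after the service is stopped and started:
#   Restart-Service CertSvc
Get-Service CertSvc | Select-Object Name, Status
```

    Adjust `$expected` if your company's security policy calls for different cryptographic settings than the wizard defaults used in this guide.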



    More resources for installing McAfee Deep Command

    McAfee Deep Command Installation Guide Introduction


    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment
    Step 2: Configure Certificates for Intel AMT
    Step 3: Install Intel AMT and McAfee ePO Server Components

    Step 4: Configure Intel AMT Clients and Deploy McAfee Deep Command


    Appendix A: Installing Microsoft Certificate Authority with Web Enrollment

    Appendix B: Manually Importing the Microsoft Certificate Authority Root Certificate on McAfee ePO Server or Agent Handler

    Appendix C: McAfee Deep Command Setup Checklist