Trusted Root Certificates for Intel AMT Credentials

Version 3


    Note: This document complements guidance on page 32 of the McAfee ePO Deep Command Product Guide

    Introduction

    Communications between McAfee ePO Deep Command and Intel® AMT require a TLS session to be established.   During the configuration process of Intel AMT, a TLS WebServer certificate is applied into the firmware of the target client system.   The public root and intermediate certificates must be known by the requesting application, in this case ePO Deep Command, to complete the connection.

     

    Understanding what certificates are needed and where those certificates should be placed is important to the success of using ePO Deep Command.   This article provides an example and explains the core principles to be understood.  

     

    The information applies to ePO Deep Command version 1.5 or higher.   The PEM file defining the certificate chain and McAfee KVM Viewer references are not supported with ePO Deep Command version 1.0.

     

    Process Overview

    TLS connection errors between ePO Deep Command and Intel AMT are commonly due to missing or incorrect certificates known by the server hosting McAfee ePO.   The main steps to resolve this error include:

     

    • Identify the Certificate Chain used in connection with Intel AMT
    • Export all public certificates in Base-64 format
    • Validate certificates in the Local Computer Store
    • Create and Import PEM file to ePO Server Settings for Intel AMT Credentials

     

    The changes and steps are necessary for TLS communication to work correctly.   Imported certificates can be removed or updated as needed.

    Identifying the Certificate Chain

    One method to determine what certificates apply to a configured Intel AMT system is to open the Intel AMT WebUI.   This is done by opening a web browser to the FQDN of the client on port 16993 using the following format: https://FQDN:16993


    The example below shows the Intel AMT WebUI login page, with a security lock to the right of the address.   Click on the security lock, select View Certificates, and select the Certificate Path tab similar to the example.

    pic1.png

    The above example shows the public certificates in the chain, namely:

    • Root CA: DC1.vprodemo.com
    • Intermediate CA for Policy: PKI-ACS.vprodemo.com
    • Intermediate CA for Issuing: DC2.ent.vprodemo.com

     

    The issued or leaf certificate is for the client: HP8460p.ent.vprodemo.com

     

    If the Intel AMT WebUI has been disabled within your environment, an internal discussion with your peers who configured Intel AMT is required.   The focus of the discussion is to determine what certificate authorities and associated public certificates are used in connection with the Intel AMT configuration settings.  

    Validate Certificates in the Local Certificate Store

    In a Microsoft Enterprise Certificate Authority infrastructure with Active Directory integration, the root and intermediate certificates are automatically replicated to all domain servers.

     

    In the example below, the Trusted Root Certificate store of the Local Computer has DC1.vprodemo.com.
    pic2.png

    Similarly, the Intermediate Certificate store has PKI-ACS.vprodemo.com and DC2.ent.vprodemo.com.
    pic3.png
    By double clicking on the DC2.ent.vprodemo.com certificate and viewing the Certification Path, the intermediate-to-root certificate chain is shown as complete.

    pic4.png

    Common reasons for your environment not to show the certificate chain are that not all servers are joined to a single Microsoft Active Directory domain, or that you are using a Standalone Microsoft Certificate Authority.   Certificates created by a standalone CA will not be replicated through the Microsoft Active Directory infrastructure.

     

    If a root or intermediate public certificate is missing from your local computer store, you will need to export and import each root and intermediate certificate associated with Intel AMT.   For convenience and re-use in a later section of the article, export the certificates in Base64 format.

     

    When viewing a certificate, select the Detail tab and click the Copy to File button.
    pic5.png

    When prompted for an Export File Format, select Base-64 encoded X.509 (.CER).  

    pic6.png
    Save the file to a location of your choice.


    To import, right click on the target certificate store.   Select All Tasks > Import.

    pic7.png
    Start with the root certificate followed by intermediate certificates as shown in the original order.   Validate the certificate chain similar to the previous example, ensuring an unbroken chain from lowest intermediate to root certificate.

    PEM Files and Certificates within the Intel AMT Credentials Settings

    The above steps will resolve TLS communications for all ePO Deep Command operations except Serial-over-LAN and Boot\Reboot from Image.

     

    The AMTservice.log will show errors similar to the following; the specific error in each case is "Failed to Establish TLS Connection".

     

    When attempting to open a Serial-over-LAN (SoL) session:

    • [client.vprodemo.com] Opening SOL session
    • LIBAMTWSMAN: Fqdn: client.vprodemo.com, IP address: 192.168.1.103, Message: Failed to Establish TLS Connection
    • [client.ent.vprodemo.com] Failed to open SOL session: Failed to Establish TLS Connection

     

    When attempting to start a Boot\Reboot from Image

    • [client.vprodemo.com] Opening IDE-R session, redirecting to image
    • LIBAMTWSMAN: Fqdn: client.vprodemo.com, IP address: 192.168.1.103, Message: Failed to Establish TLS Connection
    • [client.vprodemo.com] Failed to open IDE-R session: Failed to Establish TLS Connection

     

    The cause of this error is the Intel AMT Credentials setting within the McAfee ePO Console.   The Serial-over-LAN and Boot\Reboot from Image operations do not use the Microsoft Certificate store.   For these operations the certificate chain must be defined within the McAfee ePO Console under Configuration > Server Settings > Intel AMT Credentials.

     

    In the example below, the Intel AMT Credentials setting shows only the root certificate (DC1.vprodemo.com).   This certificate was obtained by exporting the .CER file in Base-64 format as explained earlier, and then imported here.   This approach would be sufficient if the certificate chain included only the root certificate, a very common scenario when using a Standalone CA. 

     

    Note: ePO Deep Command version 1 allowed only one certificate to be imported into the Intel AMT Credentials settings.   If your environment has a certificate chain, upgrading to ePO Deep Command version 1.5 is recommended.   (Targeted for late September 2012 release)

    pic8.png

    In the previous examples of this article, a root and two intermediate certificates are part of the chain.   Only a single certificate or chain can be selected when importing to Intel AMT credentials in the McAfee ePO Console.   To define the chain in a single file for import, a PEM file must be created.


    The PEM file is simply a concatenation of the certificates starting from the root to the intermediate certificates in a top-down order.   To create the PEM file, first export each certificate in Base-64 format.   Open each certificate file via Notepad.   Copy and paste the complete contents similar to the following example:

    pic9.png

    A brief explanation of the above image:

    • On the left, “mychain.pem” is opened in Notepad.
    • The selected text is the Base-64 encoding of DC1.cer, shown in the middle of the screen.  
    • DC1.cer was obtained by exporting the root certificate from the certificate chain on the right.
    • On the left, the next certificate has been concatenated to the file.   A simple copy and paste from the PKI-ACS.cer file is the approach used.   The entire contents from BEGIN CERTIFICATE to END CERTIFICATE must be included.
    • Although not shown in the above image, further down in the mychain.pem file the DC2.cer file has been concatenated or added, also in Base-64 format.
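As an added example that is not part of the original article, the following PowerShell script automates the Local Computer store validation and the root-first PEM construction described above when run on the ePO server. The CA names are assumed to be the certificates' CN values and, together with the output path, are placeholders taken from the article's example environment.

```powershell
# Added example, not from the article: locate the root and intermediate CA
# certificates in the Local Computer store, verify the chain is unbroken, and
# write a root-first PEM file for the Intel AMT Credentials import.
# Assumptions: the CA names are the certificates' CN values and the output
# path is arbitrary; both are placeholders from the article's example.
$RootCn          = 'DC1.vprodemo.com'
$IntermediateCns = @('PKI-ACS.vprodemo.com', 'DC2.ent.vprodemo.com')  # top-down order
$OutFile         = 'C:\Temp\mychain.pem'

# Find one certificate by CN in a given store, failing loudly if it is absent
function Get-StoreCert([string]$StorePath, [string]$Cn) {
    $cert = Get-ChildItem $StorePath |
        Where-Object { $_.Subject -like "CN=$Cn*" } |
        Select-Object -First 1
    if (-not $cert) { throw "CN=$Cn is not in $StorePath; import it first" }
    return $cert
}

# Render a certificate as a Base-64 PEM block, wrapped at 64 characters
function ConvertTo-PemBlock([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $b64   = [Convert]::ToBase64String($Cert.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    return (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`r`n"
}

# 1. The root lives in Trusted Root (Root); intermediates in Intermediate (CA)
$root  = Get-StoreCert 'Cert:\LocalMachine\Root' $RootCn
$inter = @($IntermediateCns | ForEach-Object { Get-StoreCert 'Cert:\LocalMachine\CA' $_ })

# 2. Build the chain from the lowest intermediate; a gap means a missing CA cert
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the trust path matters here
if (-not $chain.Build($inter[-1])) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain is broken: $why"
}

# 3. Concatenate root first, then intermediates, exactly as the article describes
$blocks = @($root) + $inter | ForEach-Object { ConvertTo-PemBlock $_ }
Set-Content -Path $OutFile -Value ($blocks -join "`r`n") -Encoding Ascii
Write-Host "Wrote $($blocks.Count) certificates to $OutFile"
```

The resulting file is the same root-then-intermediates concatenation produced by hand in Notepad above, and the chain check fails before anything is written if an intermediate or the root is missing from the store.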

     

    Using the created PEM file, import into Intel AMT Credentials within the McAfee ePO Console.   The Trusted Root Certificates will show the chain from lowest to highest.    The Trusted Root Certificate option in blue is the current active selection.  

    In the example below, the final step is to select the second option and click "Activate".

    pic10.png

    The desired operations for Serial-over-LAN and Boot\Reboot from Image will now function correctly.


    Certificates and the McAfee KVM Viewer

    The McAfee KVM Viewer, introduced with ePO Deep Command version 1.5, also uses a PEM file to complete the TLS session connection.   The McAfee KVM Viewer application can be started on a system separate from the McAfee ePO Console server.   When first started on the system, the McAfee KVM Viewer will generate a PEM file based on the root and intermediate certificates already in the Local Computer certificate store for that particular system.

     

    Shown below, the McAfee KVM Viewer application is initializing.   At the bottom of the image the output reads “Generating trusted Root certificate file…”.   The resulting PEM file is stored in c:\ProgramData\McAfee\McAfee KVM Viewer.   This is the file path for Microsoft Windows 2008 Server and Microsoft Windows 7 clients.

     

    pic11.png

    Ensure the desired root and intermediate public certificates are already in the Local Computer Certificate store before starting the McAfee KVM Viewer.   If this is not the case at the first initialization, import the required certificates, delete or rename the KVMcerts.PEM file as shown, and start the McAfee KVM Viewer.   The initialization process will recreate the PEM file used for this application.

     


     

     

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries