Pre-Shared Key or Self-Signed Remote Configuration Certificate
Document Series Background
This is part 2 of a document series to explain alternative configuration methods for Intel AMT.
This section focuses on Pre-Shared Key and Self-Signed Remote Configuration Certificate. Both methods are compatible with the ePO Deep Command AMT Configuration policy.
To return to the document series introduction of alternative Intel AMT configuration methods, click here.
If starting to experiment with McAfee ePO Deep Command and you need to get Intel® AMT configured, you may be unable to use the stated approach of remote configuration with an SSL certificate. The goal of this section is to use a method aligned to Intel AMT Configuration policy event within McAfee ePO Deep Command v1.5.
Two core approaches will be shared:
- Pre-Shared Key Configuration using a defined value
- Certificate based configuration using a self-signed certificate
Using Pre-Shared Key Configuration
This approach establishes initial trust between Intel® AMT firmware and Intel® SCS via a known 40-character key pair. The pre-shared key (PSK) approach has been available since Intel® AMT 2.x, and will be phased out in future versions of Intel® AMT.
Note: McAfee ePO Deep Command officially supports Intel AMT 4.1 and higher.
The concept is relatively simple: a public and private key pair is provided to both the firmware and the configuration software. The initial handshake uses this key pair to establish a TLS-session for completion of the initial Intel® AMT configuration event.
The method is useful for small test situations yet may be undesirable for large deployments due to a per system touch requirement. The key pairs must be typed in exactly leaving a chance for error.
To simplify the initial experience, please use the attached Setup.bin file prepared for your testing purposes.
Using the USBfile.exe utility from the Intel® AMT SDK, this setup.bin file has simple to remember values for the public and private portions of the key. The output below shows the contents of the setup.bin file.
Using the attached setup.bin file, via the Intel SCS console click the Tools option in the upper right and select the “Import PSK Key from File” option. Browse to the location where the “4444 setup.bin” file has been saved and complete the import process.
Next: The setup.bin file with Pre-shared Keys (PSK) must be applied to the client. Use only one of the two approaches mentioned below
- Preferred approach to prepare the Intel AMT client: To insert the PID and PPS values into the client, a simple approach is via USB key.
- Download and rename the file below from "4444 setup.bin" to "setup.bin"
- Using a 2GB or smaller USB key, perform a FAT format
- Place the setup.bin file as the first file on the USB key.
- Insert the USB key into an Intel AMT client, power it on, and wait for the prompt for USB key pre-provisioning. (see example below)
- Backup approach to prepare the Intel AMT client: In case the USB key pre-provisioning fails, a more involved process to get the PID and PPS values is shown below.
- On the target Intel® AMT client, access the Manageability Extension BIOS (MEBx). On most platforms, this is commonly done via a Ctrl-P option at startup. Some platforms may require you to access the BIOS or a boot menu to access this option. Refer to your OEM documentation as needed.
- Within the MEBx, navigate to the Remote Configuration section with reference to TLS-PSK. Select the option to Set the PID and PPS values, similar to the following example.
- The PID value is: 4444-4444
- The PPS value is: 0000-0000-0000-0000-0000-0000-0000-0000
- Note: You must include the dash ("-") after each set of 4 numbers.
- Once the value is set, exit the MEBx and allow the client to boot into Windows.
Skip to the section "Enable and Assign the AMT Configuration Policy" below on how to use the McAfee ePO Deep Command v1.5 Intel AMT Configuration policy to complete the configuration event.
Note: If you prefer to create a personal setup.bin for your environment, refer to the Intel SCS 8.1 documented command for ConfigViaUSB. The command is executed on the client and will inject the PSK pair into the Intel RCS over the network. The resulting setup.bin file on the client must be placed on a FAT16 formatted USB flash drive that is 2GB or smaller. The setup.bin file must be the first file on the formatted USB flash drive. Insert the flash drive into the target computer and power it on. During the POST boot process, a prompt will appear to confirm the Intel AMT configuration event. Upon confirming the request, the system will be set to “In Configuration” with the PSK pair now applied to the firmware.
Using a Self-Signed Remote Configuration Certificate
Aside from the Pre-Shared Key (PSK) method, Intel AMT is commonly configured via a remote configuration certificate. The McAfee ePO Deep Command product documentation, section 3, references creation and enabling of a custom certificate template. This template can be used to generate a self-signed remote configuration certificate using a Microsoft Enterprise CA.
For the purposes of this document, the certificate template “AMT Configuration” has already been created. The summary steps in creating and enabling the certificate template are summarized below. Refer to section 3 of the McAfee ePO Deep Command product documentation if further explanation needed
- Using a Microsoft Enterprise Certificate Authority, duplicate the Computer certificate template
- Name the new template AMT Configuration
- Note: The template name can be customized. "AMT Configuration" is only an example for this document
- (Optional) Set the Validity Period to 5 years
- On the Extensions tab, select Application Policies and click Edit
- Click Add, then click New to create a new application policy
- Name: AMT Client OID
- Object Identifier: 2.16.840.1.113422.214.171.124
- Click Add, then click New to create a new application policy
- On the Subject Name tab
- Select Supply in the request
- On the Request Handling tab
- Select Allow private key to be exported
Save the newly created certificate template.
The certificate template must be enabled to be issued by the Microsoft Enterprise Certificate Authority. This is done by right clicking Certificate Templates under the designated Certificate Authority, selecting New > Certificate Template to Issue. Within the window that opens, select the newly created template.
The properties page of an example certificate ready to be issued is shown below
After creating the custom certificate template, complete the final two key steps as described in the sub-tasks sections below:
- Issue a certificate using the custom template
- Insert the root certificate hash into the Intel AMT firmware
Sub-Task: Issuing the Self-Signed Certificate
NOTE: The above steps on creating a self-signed remote configuration certificate template must be completed on a Microsoft Enterprise Certificate Authority,
The most common approach to issuing the certificate is via the web enrollment capabilities of the Microsoft Certificate Authority server and submitting the Certificate Signing Request (CSR).
To generate the CSR, use Microsoft Internet Information Services (IIS) which is also required for web enrollment of certificates.
Select the Server Certificates option within Microsoft IIS
Select to Create Certificate Request
Enter the Request Certificate properties similar to the example shown below, ensuring that Organizational Unit value is Intel(R) Client Setup Certificate
Set the Bit Length to 2048 as shown below
Provide a location to save the certificate signing request
Within your environment, connect to the internal certificate server via the web address <servername>/certsrv.
Once the Microsoft Active Directory Certificate Services page loads do the following:
- Select Request a Certificate
- Select Advanced Certificate Request
- Select Submit a certificate request by using a base-64-endcoded CMC…
Copy and paste the entire contents of the cert_request.txt file into the Saved Request field as shown below. In addition, select the “AMT Configuration” Certificate Template
Once the certificate signing request and desired template are selected as shown above, select Submit
Save the newly generated certificate file, certnew.cer.
Using the generated certnew.cer certificate, complete the certificate signing process within Microsoft IIS as shown below
Once the certificate signing process has been completed, export the certificate with private key to a .PFX file.
Import the certificate to the Personal Certificate Folder of the Logon account for the RCS server. This process is explained in various locations including the Intel vPro Platform Provisioning Certificates webpage.
Once the certificate is imported, visually inspect the certificate for the following information:
- Ensure a private key is assigned to the issued leaf certificate
- The General properties of the certificate will show
- Validate that one of the following exists on the Details tab of the certificate
- Subject CN value is “Intel(R) Client Setup Certificate”
- Enhanced Key Usage includes the unique OID value 2.16.840.1.1137126.96.36.199
- Capture the root certificate Thumbprint, which is also the root certificate hash
- Per the example below: d760-716a-148a-260a-6714-6101-1af0-7773-2870-e7b0
Sub-Task: Insert the root certificate hash into the Intel AMT firmware
Using the obtained root certificate hash value, access the MEBx of the client and insert this value into the firmware. The location will vary depending on the generation of the Intel AMT firmware, yet is commonly located under a sub-menu highlighting TLS-PKI. One example is provided below.
Note: The above guidance is for manually inserting the root certificate hash value. This approach is useful for small test or deployment environments. For production use of a custom root certificate hash, other methods are available yet beyond the scope of this article.
Save the changes to the MEBx and allow the device to boot into the host operating system.
Refer to the section below on how to use the McAfee ePO Deep Command v1.5 Intel AMT Configuration policy to complete the configuration process.
Enable and Assign the AMT Configuration Policy
Within ePO Deep Command v1.5, enable the AMT Configuration Policies according to your environment. This step requires RCS Manager to be installed on the target Intel SCS 8.x server to enable the policy, and that an Intel AMT configuration profile has been generated within the Intel SCS 8.x console. For more information how setup Intel SCS 8.x and create a profile, please refer to the McAfee ePO Deep Command v1.5 product documentation.
After the policy has run, update the Intel AMT Discovery Plugin data to confirm the clients have been configured. The policy update includes data related to the Intel AMT related queries, reports, and so forth.
In addition, a successful Intel AMT configuration using the AMT Configuration Policies will be listed in the Threat Event Log as shown below.
Although Intel AMT is configured, the AMT Actions may still be grayed out until the AMT tag is applied to a system. To expedite the process of applying the AMT tag, run the existing Run Tag Criteria Server Task for ePO Deep Command which reviews and applies the AMT tag
Shown in the example below are two systems configured with the AMT tag applied. Although the first used a PSK value and the second used a custom root certificate hash, both responded to the ePO Deep Command v1.5 AMT Configuration Policy.
The systems have a compliant configuration for ePO Deep Command without use of an SSL remote configuration certificate from a public CA.
The approaches shared in this section are useful for testing or small deployments.
Please refer to other sections of this document series if a different alternative method is needed to configure Intel AMT to be compliant with ePO Deep Command.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries