
Appendix A: Alternative Methods of Configuring Intel AMT

Created on: Sep 22, 2012 12:08 AM by Terry Cutler - Last Modified:  Jun 25, 2013 1:29 PM by Terry Cutler


Setup a Microsoft Standalone Certificate Authority

Click here for instructions on how to set up a Microsoft Enterprise CA


Announcement: McAfee ePO Deep Command 2.0 Released June 25th!

The information provided below is based on McAfee ePO Deep Command version 1.5.    The 2.0 release adds Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot\reboot operations, and more.    These improvements simplify the Intel® AMT configuration experience and give a faster path to using the technology.

 

A Microsoft Certificate Authority is optional and no longer required with Deep Command 2.0!

 

Click here for the McAfee ePO Deep Command 2.0 Index of Resources




Document Series Background

This is Appendix A of the document series on alternative configuration methods for Intel AMT. 

 

The focus of this appendix is how to install and configure a Microsoft Standalone Certificate Authority (CA).   The process is very similar to that of a Microsoft Enterprise CA used for issuing WebServer TLS certificates during Intel AMT configuration (click here for more information).

 

To return to the document series introduction of alternative Intel AMT configuration methods, click here.

 

Appendix A Introduction

McAfee ePO Deep Command requires each Intel® AMT client to have an individual TLS WebServer certificate, with the private key stored in the client firmware. 

 

The Intel AMT configuration profile defined within Intel SCS specifies the Microsoft Certificate Authority from which this certificate is requested, enrolled, and applied.    If a Microsoft Enterprise CA resides in the same domain as the Intel SCS server, the field for selecting a certificate authority is populated from Microsoft Active Directory objects.  

 

An alternative approach is to use a Microsoft Standalone CA.

 

In this example, the Microsoft Standalone CA is installed on the same server hosting Intel SCS.  The steps below explain how to install and configure the Microsoft Standalone CA, followed by creating an appropriate Intel SCS profile.

 

Install Microsoft Standalone CA

The following instructions apply to Windows Server 2008.  

 

  • Open the Server Manager for the system
  • Select Add Roles
  • Select Active Directory Certificate Services

altconfig_pic46.png

 

  • Select Web Enrollment and confirm installation of IIS

altconfig_pic47.png

 

  • Select the Standalone option, which does not require the use of Directory Services to issue or manage certificates

altconfig_pic48.png

 

  • Select Root CA

altconfig_pic49.png

 

  • Confirm creation of a Private Key
  • Keep the Microsoft Software Key Storage Provider and the default key length of 2048 bits

altconfig_pic50.png

 

  • (Optional) Adjust the Common Name of the CA as needed for your environment

altconfig_pic51.png

 

  • Retain the 5-year validity period and use the default values for the remaining screens.
  • Review the Installation Results screen to confirm the Microsoft Standalone CA installation has completed successfully.

altconfig_pic52.png

 

  • Within the Server Manager screen, right-click the newly created Microsoft Standalone CA.   In this example the CA is called “IntelAMTcerts”
  • Open the properties of the CA and select the Policy Module tab
  • Click Properties to review the Request Handling
  • Select the option to “Automatically issue certificates”
    • Note: With this setting the CA issues every request it accepts without administrator review, so the enrollment rights granted in the next section are the only control over who can obtain a certificate from this CA

altconfig_pic53.png

 

  • Save the settings and close all dialog boxes to return to the Server Manager window
  • Right click on the Certificate Authority, select All Tasks and Stop Service.
  • Repeat the previous step to Start Service
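The wizard steps above can also be done unattended. The following PowerShell is an added example and is not part of the original article, Intel SCS, or McAfee ePO Deep Command. It uses the ADCSDeployment cmdlets that ship with Windows Server 2012 and later (the screens above are Windows Server 2008, where only the certutil and service lines apply as written); the CA name IntelAMTcerts matches the article's example and the hash algorithm is set explicitly to SHA256 rather than the SHA1 the 2008 wizard defaults to.

```powershell
#Requires -RunAsAdministrator
# Added example: unattended equivalent of the Server Manager wizard steps above.
# Needs the ADCSDeployment module (Windows Server 2012 or later).
$CaName = 'IntelAMTcerts'   # CA Common Name from the article's example (assumption)

# Add Roles -> Active Directory Certificate Services, plus Web Enrollment (pulls in IIS).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Standalone Root CA, Microsoft Software Key Storage Provider, 2048-bit RSA key,
# 5-year validity. HashAlgorithmName is stated explicitly (2008 wizard default is SHA1).
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Web Enrollment role service used by the enrollment process described below.
Install-AdcsWebEnrollment -Force

# Policy Module -> Request Handling -> "Automatically issue certificates".
# RequestDisposition 1 = issue immediately; 257 = hold as pending (the standalone default).
certutil -setreg policy\RequestDisposition 1

# Equivalent of Stop Service / Start Service so the policy module reads the new value.
Restart-Service -Name certsvc

# Checks: the setting took effect and the CA answers requests.
certutil -getreg policy\RequestDisposition
certutil -ping
```

The permissions for the RCSserver logon account (Issue and Manage Certificates on the CA, Read and Enroll on the Web Server template) are still set through the Security tabs as described in the next section; nothing in this script grants them.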

 

Grant Access Rights for the RCSserver Logon Account

During the web enrollment process, the Intel RCSserver service requests one certificate per Intel AMT system configured.    The RCSserver logon account must be granted the appropriate rights to perform this action.

 

  • Open the properties of the Certificate Authority and select the Security Tab
  • Add the RCSserver logon account and grant it the “Issue and Manage Certificates” permission
    • Note: In this example, RCSserver is running under the Network Service account
  • Save the settings and close the open dialog boxes to return to the Server Manager

altconfig_pic54.png 

 

In addition to Issue and Manage Certificates, the RCSserver logon account must have Read and Enroll rights on the WebServer certificate template.

 

  • Within the Server Manager console, above the Certificate Authority node, select Certificate Templates
  • Locate the Web Server template, right-click, and select Properties
  • Grant the RCSserver logon account both Read and Enroll permissions
    • Note: In this example, RCSserver is running under the Network Service account
  • Save the settings and close all open dialog boxes.

altconfig_pic55.png

 

Update Intel AMT Configuration Profile for Standalone CA

When generating your Intel AMT configuration profile, use the locally installed Microsoft Standalone CA as shown below.   If the Microsoft Standalone CA is not local to the Intel SCS server, specify its location in the format server_FQDN\CA_Name.

 

altconfig_pic56.png

 

Optional – if Intel AMT clients are not part of the Microsoft Active Directory domain with a full FQDN, you can add other Common Names (CNs) to the certificate.   In the example below, the CNs of the certificate include both the FQDN and the host name.

 

Install the Standalone CA Public Root Certificate on each Agent Handler

Once Intel AMT is configured, TLS sessions originate from the McAfee ePO server and its associated Agent Handlers.   The public root certificate of the Microsoft Standalone CA is not registered and replicated automatically throughout the environment.   It must be added to the Local Computer certificate store on each system that will open a TLS session to Intel AMT.   Each Agent Handler must have the public root certificate imported to avoid errors 401 and 12175 in the AMTservice.log.   Note that every machine that imports this root will trust any certificate the Standalone CA issues, so the CA's private key must be protected and enrollment rights limited to the RCSserver logon account as described above.

 

One way to obtain the public root certificate of the Microsoft Standalone CA is to open the properties of the CA as shown below.

  • Select the General tab
  • Select the certificate followed by View Certificate

altconfig_pic58.png

 

  • Click the Details tab for the certificate
  • Click on Copy to File
  • Select the Base-64 encoded X.509 format

altconfig_pic59.png

 

  • Copy the .cer file to your ePO server
  • On the server running McAfee ePO, open MMC, add the Certificates snap-in, and select Computer Account

altconfig_pic60.png

 

  • Right-click Trusted Root Certification Authorities and select Import
  • Browse to the location for the public root certificate file of the Microsoft Standalone CA

altconfig_pic61.png

 

  • Choose “Automatically select a certificate store”

altconfig_pic62.png

 

  • The public root certificate is now in the Local Computer Trusted Root Certification Authorities store

altconfig_pic63.png
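The export and import steps above, with the check a practitioner would want afterwards, as an added PowerShell example that is not part of the original article or of McAfee ePO Deep Command. Part A runs on the Standalone CA server and exports the CA's own certificate in Base-64 form; Part B runs on the ePO server and on every Agent Handler, imports that file into the Local Computer Trusted Root Certification Authorities store, and then performs a TLS handshake against one configured Intel AMT client (TLS port 16993) to confirm the chain validates before the Agent Handler has to. The CA name, file paths and the AMT host name amt-client01.corp.example are assumptions.

```powershell
# Added example, not from the original article. Part A: on the Standalone CA server.
$CaName  = 'IntelAMTcerts'            # assumed CA name, as in the article's example
$DerFile = "C:\Temp\$CaName.der"
$PemFile = "C:\Temp\$CaName.cer"
certutil -ca.cert $DerFile | Out-Null            # CA's own certificate, DER encoded
certutil -encode $DerFile $PemFile | Out-Null    # same certificate, Base-64 encoded X.509

# Part B: on the McAfee ePO server and on each Agent Handler.
$RootFile = 'C:\Temp\IntelAMTcerts.cer'          # copied from the CA server (assumed path)
$AmtHost  = 'amt-client01.corp.example'          # assumed FQDN present in the AMT certificate CN

# Import into the Local Computer (not the current user's) Trusted Root store.
certutil -addstore -f Root $RootFile | Out-Null
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootFile)

# Check 1: the root really landed in LocalMachine\Root.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
if (-not $installed) { throw "Root $($rootCert.Subject) not found in LocalMachine\Root" }
"Trusted root installed: $($rootCert.Subject) ($($rootCert.Thumbprint))"

# Check 2: TLS handshake to the AMT client, validating the server certificate against
# the machine store. A chain error here is what later surfaces as 401/12175 in AMTservice.log.
$result = @{ Errors = $null }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $result.Errors = $sslPolicyErrors   # record the verdict instead of aborting the handshake
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($AmtHost, 16993)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($AmtHost)
    $amtCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "AMT presented: $($amtCert.Subject) issued by $($amtCert.Issuer)"
    if ($result.Errors -eq [System.Net.Security.SslPolicyErrors]::None) {
        "Chain validates against LocalMachine\Root: OK"
    } else {
        Write-Warning "TLS validation failed: $($result.Errors) (check the root import and the certificate CNs)"
    }
} finally {
    $tcp.Close()
}
```

A RemoteCertificateNameMismatch result means the root is trusted but the name used to connect is not among the certificate's CNs, which is the case the optional extra CN in the profile section above is meant to cover; RemoteCertificateChainErrors means the root was not imported into the machine store of the system running the script.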

 

 

In addition to importing the public root certificate into the Local Computer store, it must also be imported into the McAfee ePO console server settings.    Intel AMT Credentials is located under Menu > Configuration > Intel® AMT Credentials.    Import the public root certificate as in the example below.

altconfig_pic64.png

 

Once saved to the McAfee ePO Console, ensure the certificate is listed as Active.

altconfig_pic65.png


More information on the placement of root certificates is available in a related article - click here.

 

 

Click here to return to the start of this document series

 

Click here for an Index of related McAfee ePO Deep Command resources within the McAfee Community site.

 

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries