Setup a Microsoft Standalone Certificate Authority
Document Series Background
This is Appendix A of the document series on alternative configuration methods for Intel AMT.
The focus of this appendix is how to install and configure a Microsoft Standalone Certificate Authority (CA). The process is very similar to that of a Microsoft Enterprise CA used for issuing WebServer TLS certificates during Intel AMT configuration (click here for more information).
To return to the document series introduction of alternative Intel AMT configuration methods, click here.
Appendix A Introduction
McAfee ePO Deep Command requires each Intel® AMT client to have an individual TLS WebServer certificate with private key stored in the client firmware.
The Intel AMT Configuration profile defined within Intel SCS specifies a target Microsoft Certificate Authority to request, enroll, and apply this certificate. If a Microsoft Enterprise CA resides in the same domain as the Intel SCS server, the field to select an appropriate certificate authority is populated based on Microsoft Active Directory objects.
An alternative approach is to use a Microsoft Standalone CA.
In this example, the Microsoft Standalone CA is installed on the same server hosting Intel SCS. The steps below explain how to install and configure the Microsoft Standalone CA, followed by creating an appropriate Intel SCS profile.
Install Microsoft Standalone CA
The following instructions apply to a Microsoft Windows 2008 server.
- Open the Server Manager for the system
- Select Add Roles
- Select Active Directory Certificate Services
- Select Web Enrollment and confirm installation of IIS
- Select the Standalone option, which does not require the use of Directory Services to issue or manage certificates
- Select Root CA
- Confirm creation of a Private Key
- Keep the Microsoft Software Key Storage Provider and the default key length of 2048
- (Optional) Adjust the Common Name of the CA as needed for your environment
- Retain the 5 year validity period and use the default values for the remaining screens.
- Review the Installation Results screen to confirm the Microsoft Standalone CA installation has completed successfully.
- Within the Server Manager screen, right click on the newly created Microsoft Standalone CA. In this example the CA is called “IntelAMTcerts”
- Open the properties of the CA and select the Policy Module tab
- Click Properties to review the Request Handling
- Select the option to “Automatically issue certificates”
- Save the settings and close all dialog boxes, returning to the Server Manager window
- Right click on the Certificate Authority, select All Tasks and Stop Service.
- Repeat the previous step to Start Service
Grant Access Rights for the RCSserver Logon Account
During the web enrollment process, the Intel RCSserver service will request a certificate per Intel AMT system configured. The appropriate rights must be granted for the RCSserver logon account to perform this action.
- Open the properties of the Certificate Authority and select the Security Tab
- Add the RCSserver logon account and grant it the “Issue and Manage Certificates” permission
- Note: In this example, RCSserver is running under the Network Service Account
- Save the settings and close the open dialog boxes to return to the Server Manager
In addition to Issue and Manage Certificates, the RCSserver logon account must have rights to Read and Enroll the WebServer certificate template.
- Within the Server Manager console above the Certificate Authority, select Certificate Templates
- Locate the Web Server template, right click, and select properties
- Grant the RCSserver logon account both Read and Enroll permissions
- Note: In this example, RCSserver is running under the Network Service account
- Save the settings and close all open dialog boxes.
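The Standalone CA install and the “Automatically issue certificates” setting from the steps above can also be scripted. This is an added example, not part of the original page or of Intel SCS; it assumes Windows Server 2012 or later, where the ADCSDeployment PowerShell cmdlets exist (the Server 2008 steps on this page are GUI only), and an elevated session on the Intel SCS server. The CA security and Web Server template permissions for the RCSserver account still need to be set as described above.

```powershell
# Added example (not from the original page): script the Standalone Root CA
# install and the auto-issue policy setting that the GUI steps above perform.
# Assumes Windows Server 2012+ (ADCSDeployment module) and an elevated session.
$CaName = 'IntelAMTcerts'   # CA common name used in the page's example

# 1. Install the AD CS role service plus Web Enrollment (which pulls in IIS).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure a Standalone Root CA: software KSP, 2048-bit RSA key,
#    5-year validity, matching the defaults kept in the GUI walkthrough.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# 3. Enable the web enrollment pages that RCSserver submits requests to.
Install-AdcsWebEnrollment -Force

# 4. Policy Module > Request Handling > "Automatically issue certificates".
#    RequestDisposition 1 = Issue. The standalone default (0x101) leaves every
#    request pending for manual approval, which would stall each Intel AMT
#    configuration; restrict who may enroll via the CA ACL steps above.
certutil -setreg Policy\RequestDisposition 1

# 5. Stop/Start the CA service so the policy change takes effect.
Restart-Service certsvc

# 6. Check: the value should read back as 1 (Issue) and certsvc should be Running.
certutil -getreg Policy\RequestDisposition
Get-Service certsvc | Select-Object Name, Status
```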
Update Intel AMT Configuration Profile for Standalone CA
When generating your Intel AMT configuration profile, use the locally installed Microsoft Standalone CA as shown below. If your Microsoft Standalone CA is not local to the Intel SCS server, provide the correct location using the format server_FQDN\CA_Name.
Optional – if Intel AMT clients are not part of the Microsoft Active Directory domain with a full FQDN, you can add other Common Names (CNs) to the certificate. In the example below the CNs of the certificate include both the FQDN and Host Name.
Install the Standalone CA Public Root Certificate on each Agent Handler
Once Intel AMT is configured, the TLS session will originate from the McAfee ePO server and associated Agent Handlers. The public root certificate of the Microsoft Standalone CA will not be registered and replicated automatically throughout the environment. This certificate must be added to the Local Computer Certificate store on each system that will open a TLS session to Intel AMT. Each Agent Handler must have the public root certificate imported to avoid errors 401 and 12175 in the AMTservice.log.
One method to obtain the public root certificate of the Microsoft Standalone CA is to open the properties of the CA as shown below.
- Select the General tab
- Select the certificate followed by View Certificate
- Click the Details tab for the certificate
- Click on Copy to File
- Select the Base-64 encoded x.509 format
- Copy the .cer file to your ePO server
- On the server running McAfee ePO, open MMC and add the Certificates snap-in for the Computer account
- Right click on Trusted Root Certification Authorities and select Import
- Browse to the location for the public root certificate file of the Microsoft Standalone CA
- Choose “Automatically select a certificate store”
- The public root certificate is now in the Local Computer Trusted Root Certificate Store
In addition to importing the public root certificate into the Local Computer store, it must also be imported into the McAfee ePO Console server settings. Intel AMT Credentials is located under Menu > Configuration > Intel® AMT Credentials. Import the public root certificate similar to the example below.
Once saved to the McAfee ePO Console, ensure the certificate is listed as Active.
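The export of the Standalone CA root certificate and its import into the Local Computer store on each Agent Handler can be done from PowerShell, with a check that the right store received it. This is an added example, not part of the original page or of McAfee ePO; it assumes Windows Server 2012 or later for the PKI module (Import-Certificate) and uses placeholder file paths. The ePO Console import under Intel AMT Credentials is a separate, console-only step.

```powershell
# Added example (not from the original page): export the Standalone CA root
# certificate in Base-64 X.509 form, import it into LocalMachine\Root on an
# ePO server or Agent Handler, and verify the result. Assumes Windows Server
# 2012+ for Import-Certificate; $CerPath is a placeholder.
$CerPath = 'C:\Temp\IntelAMTcerts-root.cer'

# --- On the CA server ---
# certutil -ca.cert writes the CA's own certificate (DER); -encode converts it
# to the Base-64 encoded X.509 format chosen in the Copy to File wizard.
certutil -ca.cert "$env:TEMP\IntelAMTcerts-root.der"
certutil -encode "$env:TEMP\IntelAMTcerts-root.der" $CerPath
# Copy $CerPath to each ePO server / Agent Handler before the next part.

# --- On each ePO server / Agent Handler (elevated session) ---
# Computer account store, not the current user's: the TLS session to Intel AMT
# is opened by the ePO / Agent Handler service, which sees only LocalMachine.
$root = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Verify: present in the machine Trusted Root store, self-signed, not expired.
$found = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $found) { throw 'Root certificate not found in LocalMachine\Root' }
if ($found.Subject -ne $found.Issuer) { throw 'Imported certificate is not a self-signed root' }
if ($found.NotAfter -lt (Get-Date)) { throw 'Root certificate has expired' }
"Imported '$($found.Subject)' thumbprint $($found.Thumbprint), valid until $($found.NotAfter)"
```

If the 401 / 12175 errors in AMTservice.log persist after this, confirm the import was done under the Computer account on every Agent Handler, not only on the ePO server.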
More information on the placement of root certificates is available in a related article - click here.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries