
How to create AMT Certificates using the AMT SDK and OpenSSL

  • Author: Gael Hofemeier
  • Create Time: 01/18/2012 15:55:25
  • Last Update Time: 01/23/2012 11:37:33

Acknowledgements:

Special thanks to Ajith Illendula and Sudeepti Balepur for sending this guide to me in order to share with our vPro Developers Community.


Objectives:

1.  Create certificates for Intel AMT TLS encryption using the Intel AMT SDK and OpenSSL
2.  Using the TLS.ps1 script, configure Intel AMT systems that are not yet set up for TLS to use TLS communication

Before you get started with the following steps, make sure your system is configured to run the Intel vPro Module PowerShell scripts - see the following blog for instructions:

STEP 1: Modify the configuration server to not delete the private key and public key:

Open the file: <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\ConfigScripts\provend.bat

Comment out or delete the two lines that remove the generated private key and public key.

STEP 2: If your AMT Client is not part of the Domain, you will need to do the following:

  • Go to the <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecConfig folder
  • Edit the Uss.cfg file and look for the commonName_value line:

    commonName_value = $ENV::PROVISIONING_HOSTNAME.$ENV::PROVISIONING_DOMAIN

    Delete the trailing “.$ENV::PROVISIONING_DOMAIN” so that the common name is just $ENV::PROVISIONING_HOSTNAME.
  • Next look for [alt_names]:

    DNS.1 = $ENV::PROVISIONING_HOSTNAME.$ENV::PROVISIONING_DOMAIN

    Delete the trailing “.$ENV::PROVISIONING_DOMAIN” here as well, so the subject alternative name matches the bare hostname.

 

STEP 3: If the certificate details such as Organization Name, Country Name, etc. need to be modified to suit local needs, then the following files will have to be updated:

  • <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecConfig\Auditor.cfg
  • <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecConfig\rootCA.cfg
  • <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecConfig\subCA.cfg

The relevant entries look like this (the *_value lines are the ones to edit; OpenSSL uses them without prompting):

    countryName_default    = IL
    countryName_value      = US
    organizationName       = Organization Name (eg, company)
    organizationName_value = Your Company Name
    commonName             = Common Name (eg, YOUR name)
    commonName_value       = Intel® Active Management Technology root CA demo

 

STEP 4: Your certificate needs to reflect the correct Provisioning Hostname. Edit certgen.bat.

To create the certificate for a specific AMT Client, set the Provisioning Hostname to the AMT hostname of your AMT system:

<SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\certgen.bat

    IF "%PROVISIONING_HOSTNAME%"=="" SET PROVISIONING_HOSTNAME=<no quotes, the host name given to AMT>

STEP 5: Create the certificates by running the following (in this order)

For all the questions, respond with “Y”; no command window is necessary, just double click:

  1. <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\checkca.bat
  2. <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\certgen.bat

All three certificates (root CA, sub CA and the AMT certificate) will be created.

STEP 6: Copy the blobs from the following files for the Root CA, AMT Private Key and the AMT Certificate into the appropriate sections of the TLS.ps1 script (create the script file on your computer by cutting and pasting the listing at the end of this blog.)

Bring up PowerShell ISE as Administrator and open the TLS.ps1 script.

  • The blobs are in the following files:
    • Trusted Root CA - cacert.cer
    • AMT Private Key - newkey.pem
    • AMT Certificate - newcert.pem

Trusted root CA:

  • <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\rootCA\cacert.cer

AMT Private Key:

  • <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\newkey.pem

AMT Certificate:

  • <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\newcert.pem

Look for the following sections in the TLS.ps1 script and copy the blobs from the above files into the corresponding string values. Paste only the base64 text between the -----BEGIN ...----- and -----END ...----- lines, as in the script listing below:

  • cacert.cer  -> $certificateBlob under "# Add the Trusted Root CA"
  • newkey.pem  -> $keyBlob under "# Add AMT private Key"
  • newcert.pem -> $certificateBlob under "# Add AMT Certificate"

STEP 7:

Run the TLS.ps1 script; it should install the Root CA, the AMT private key and the AMT certificate on the AMT Client.

Make sure to update the Address in the script - this is the IP address of the AMT Client. Also ensure you can connect to the WebUI first - if there is something wrong with the network connection, the TLS.ps1 script will not run.

If the TLS.ps1 file executes without error, your AMT client will now be operating using TLS communication.

You should now be able to connect to the WebUI using https and port 16993 (for example https://<AMT IP address>:16993).

STEP 8: When connecting via TLS, you will now get a certificate warning

In order for the WebUI to open without the certificate warning, make sure the following certificates are installed on the machine from which the WebUI is being accessed:

  • RootCA:
    • <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\rootCA\cacert.cer
  • and SubCA:
    • <SDK_Root>\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\subCA\subcacert.der
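As an added check for Steps 7 and 8 (this is example code, not part of the original article or the Intel AMT SDK), the snippet below opens a TLS session to the AMT WebUI port and compares the certificate the client actually serves with newcert.pem, so a wrong or uncommitted certificate is caught before you start installing the CA certificates on management machines. $AmtAddress and the path in $AmtCert are assumptions; replace them with your own.

```powershell
# Added example (not from the original article or the Intel AMT SDK). Assumed:
# $AmtAddress is the client IP used in TLS.ps1, $AmtCert the newcert.pem from Step 5.
$AmtAddress = '10.14.164.24'
$AmtCert    = 'C:\AMT_SDK\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts\newcert.pem'

function Get-AmtServedCertificate {
    # Open a TLS session to the AMT WebUI port and return the certificate it presents.
    # Validation is bypassed on purpose: the goal is to inspect the certificate, not to
    # trust it; the caller compares it against the file that was supposed to be installed.
    param([string]$Address, [int]$Port = 16993)
    $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Address)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Close()
    }
}

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($AmtCert)
$served   = Get-AmtServedCertificate -Address $AmtAddress
if ($served.Thumbprint -eq $expected.Thumbprint) {
    "AMT at $AmtAddress serves the expected certificate ($($served.Subject))"
} else {
    Write-Warning "Served certificate '$($served.Subject)' ($($served.Thumbprint)) is not newcert.pem; check that TLS.ps1 added the right certificate and that CommitChanges returned 0"
}
```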

STEP 9: Creating additional certificates

  1. Modify the host name as defined in Step 4.
  2. After the new host name is modified, run the certgen.bat file from step 5.
  3. Follow steps 6 and 7 to configure the new AMT client for TLS encryption.
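Before the blobs are pasted into TLS.ps1 (Step 6), and again for every additional client (Step 9), it is worth checking the generated files rather than discovering a bad certificate after it has been committed to the AMT client. The following is example code, not part of the original article or the Intel AMT SDK: it verifies that newcert.pem names the AMT hostname from Step 4 and chains to the generated root CA through the sub CA, and only then prints the three blob assignments in the exact form TLS.ps1 expects. $SdkRoot and $AmtHostName are assumptions; the file names are the ones from Steps 5 to 8.

```powershell
# Added example (not from the original article or the Intel AMT SDK). Assumed
# values: $SdkRoot is your <SDK_Root>, $AmtHostName the PROVISIONING_HOSTNAME set in Step 4.
$SdkRoot     = 'C:\AMT_SDK'
$AmtHostName = 'amt-client-01'
$SecScripts  = "$SdkRoot\Windows\Intel_Manageability_Configuration\Bin\CertGenerator\SecScripts"
$RootCa = "$SecScripts\rootCA\cacert.cer"; $SubCa   = "$SecScripts\subCA\subcacert.der"
$AmtKey = "$SecScripts\newkey.pem";        $AmtCert = "$SecScripts\newcert.pem"

function Get-PemBlob {
    # One-line base64 body of a PEM file: the form the blob strings in TLS.ps1 take.
    param([string]$Path)
    $lines = Get-Content -Path $Path
    if ($lines -match 'Proc-Type|ENCRYPTED') { throw "$Path is encrypted; TLS.ps1 needs a plain PEM body" }
    return (($lines | Where-Object { $_ -notmatch '^-----' -and $_ -notmatch ':' }) -join '').Trim()
}

function Test-AmtCertificate {
    # The leaf must name the host you will browse to and chain to the generated root CA
    # via the sub CA; a name mismatch is what produces the Step 8 warning and breaks
    # clients that validate the FQDN, so check it before pushing anything to the AMT client.
    param([string]$CertPath, [string]$SubCaPath, [string]$RootCaPath, [string]$ExpectedName)
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$ns.X509Certificate2" $CertPath
    $sub  = New-Object "$ns.X509Certificate2" $SubCaPath
    $root = New-Object "$ns.X509Certificate2" $RootCaPath
    $ok   = $true
    # DnsName yields the SAN DNS entry when present, otherwise the subject CN.
    $name = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($name -ne $ExpectedName) {
        Write-Warning "Certificate is for '$name', not '$ExpectedName' (see Steps 2 and 4)"; $ok = $false
    }
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.ExtraStore.AddRange([System.Security.Cryptography.X509Certificates.X509Certificate2[]]@($sub, $root))
    $chain.ChainPolicy.RevocationMode = 'NoCheck'                               # demo CA publishes no CRL
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'   # root not installed yet
    $built = $chain.Build($cert); $n = $chain.ChainElements.Count
    # With AllowUnknownCertificateAuthority, Build() accepts any root, so pin the anchor explicitly.
    if (-not ($built -and $n -gt 0 -and $chain.ChainElements[$n - 1].Certificate.Thumbprint -eq $root.Thumbprint)) {
        Write-Warning "Certificate does not chain to $RootCaPath"; $ok = $false
    }
    return $ok
}

if (Test-AmtCertificate $AmtCert $SubCa $RootCa $AmtHostName) {
    # Print the three assignments ready to paste into the matching sections of TLS.ps1.
    "`$certificateBlob = `"$(Get-PemBlob $RootCa)`"   # Add the Trusted Root CA"
    "`$keyBlob = `"$(Get-PemBlob $AmtKey)`"           # Add AMT private Key"
    "`$certificateBlob = `"$(Get-PemBlob $AmtCert)`"  # Add AMT Certificate"
}
```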

 _________________________________________________________________________________________________

The TLS.PS1 file is as follows (cut and paste it and put it into a script file that can be run on your system.)

Note: This file is a conglomeration of some of the ps scripts that exist in the Intel AMT SDK. The same licensing for this snippet is applicable. To view the legal notice for the Intel AMT SDK go to the download link (it appears when you go to download the SDK.)

Download Intel® AMT SDK

# The Intel vPro PowerShell module provides the Intel.Management.Wsman.WsmanConnection
# type used below (it is unloaded again by the Remove-Module call at the end).
Import-Module 'IntelvPro'

########################################
# Create a Wsman Connection Object     #
########################################
$wsmanConnectionObject = new-object 'Intel.Management.Wsman.WsmanConnection'
$wsmanConnectionObject.Username = "admin"        # AMT admin user (replace with your own)
$wsmanConnectionObject.Password = "P@ssw0rd"     # AMT admin password (replace with your own)
# Non-TLS WS-Man endpoint of the AMT client; replace the IP address with your client's.
$wsmanConnectionObject.Address = "http://10.14.164.24:16992/wsman"

# Add the Trusted Root CA
# Base64 body of cacert.cer (truncated in this listing; paste the full blob).
$certificateBlob = "MIIDBzCCAe+gAwIBAgIJAJehJZlKRi2YMA0GCSqGSIb3DQEBBQUAMDIxFTATBgNV..."
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel(r) AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("AddTrustedRootCertificate")
$inputObject.AddProperty("CertificateBlob", $certificateBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
{
    # The $trustedRootCertificateRef is an EPR to the new AMT_PublicKeyCertificate object.
    $trustedRootCertificateRef = $outputObject.GetProperty("CreatedCertificate").Ref
}
else
{
    # Stop here: the later steps assume every add succeeded.
    throw "AddTrustedRootCertificate failed with return value $returnValue"
}

# Add AMT private Key
$keyBlob = "MIIEogIBAAKCAQEA9NvDxsVLUAf4N7iZgCpjDdTCehQFgQKTtDKTWl8J000NOVvF
UiniEJUaQzZkRUIQRQcmr82mBe8NYLZeLR+c6FKE1BH9dFFWX7SSvNdWOyVBMGLK
z5gSbAWidluuzrbreTOnkaNu8jztdAoqCocL3SIIZgdJR5mmSm4lTlvkINgPPQ9r
SHGdhG4CI0BGAgdxMZ6lvsOqJBhEowEQXueqGwH4/wPfU0++sMrGhmYnsDMkSETk
23nI+vS9hIlCu0iagtAdBTJgeNd0TYi2kRBmBx7qVjbeFhVdBvtCveqTkz7hhu5M
BXT7f/xplgWCR1x4UKIpvimgs7Qu9qvSIxtVWQIDAQABAoIBAHlYB5eT4pTQvkPu
6bNITjpme9I/5dJfUo90mO2qN5ZNkwYf4pOrSerp2VABvoNMEAAFYTiyc1pxc3HA
Lr+x8PJ5InZuS+q+/E0Fkcqf9I3vEnVGIDfspwR9blu1Z9XtdJhl7t8P3UWSyCI/
f0IkVs7JtNvLNJeVH4G3QCmrBEz5jbI4+NikQSPFkueoDGhlMpTr1XpICU0Xre/z
Jc5Q5KVzuZp+J7B2857MKRm19d0zbzOZv9e1jqpXgNOZYRnU/SSSDGrLxbDjdgB3
hCb4HzQWp+F503SzsE7zYoDh2Xo/0MGB0gmHRhO7PGLwrpjRJR5TLg0rGgCLe31F
7gO+sBkCgYEA/wHiLgSe5BPxGoyIQTnFodoomLs1AMmhrjoay6XpozBffEPWQ9gY
ikZl9zRJVx1lQNmO0F3eK7f8d8iGALPSgaKDZlFgaOG7c+a2FzGThREC20GBmHes
6cIYkctnhAU63XH3xVIf/TRy3IJVni2pp+tXNMqGrvC5zSbNBsc+dacCgYEA9c/E
jfNmUEIidVFc+mPTDnY67kWtb+oR/GzE3YhGQKCyOkgxlB1JHNFusevCzX1/A+5F
LdAPn1fjU/IBK+boKVqDODeQEVAQvRp+p+XUs5bknYctM3g7q8usr68dqRmx5AGl
nEmKsL3R2KKFXKvef38QwFO2T0uY8Pq5C0FHPP8CgYBniGw8IsQf9bi9/rCTStFi
lSBGYjtyxmpOQmj+pa3mA43A9gnYIbRU76AWbbQZGmYxniLNlk7NkTV/rHo7bsbY
uxJ+SCvMaVmiBNmJMSejrvRp8H6dWHlrrtIq31p3z2fG4K6n/l/efZzkykXYotFu
y63sUQ29mR7WnBpB1kMVoQKBgD40sxAdPZIn+mJoEbiH1Jx/TRCJb4e3249e0z8g
wm6OfCwFow5RjvQNCA9ck3K/RIpxHO6oDZwMeMoAn01F5RC6CCUM4pePBH1mnBDP
N9Gu6PH4iHbTAX7LT0sybLYje4Iw7IEtlzx8/QLutgMqt2baeBnD1YohnnW1bWis
v2NvAoGACmpT0xDNQMgRz6lUIKkhjvm94apBMkiiRNw0+4FKd8j1IphZLoyrA7W3
MpIP4UlXRgtOkp33q9L23b/mwLTHHSvhkkSRgSYtM4lHyhpyzkzsSMynVEECdaOD
4eQg6GG2x7LKl2j1cFAo/61tUEtaKSstqkQ+vvDVoD6O8LFCC6E="
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel(r) AMT Public Key Management Service'")
$inputObject = $publicKeyManagementServiceRef.CreateMethodInput("AddKey")
$inputObject.AddProperty("KeyBlob", $keyBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
{
    # The $publicPrivateKeyPairRef is an EPR to the new AMT_PublicPrivateKeyPair object.
    # AMT matches the certificate added next to this key; the reference is not used again here.
    $publicPrivateKeyPairRef = $outputObject.GetProperty("CreatedKey").Ref
}
else
{
    throw "AddKey failed with return value $returnValue"
}

# Add AMT Certificate
# Base64 body of newcert.pem (truncated in this listing; paste the full blob).
$certificateBlob = "MIIDcDCCAligAwIBAgIBAjANBgkqhkiG9w0BAQsFADAyMRUwEwYDVQQDEwxEZW1v..."
$publicKeyManagementServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_PublicKeyManagementService WHERE Name='Intel(r) AMT Public Key Management Service'")
$inputCertificate = $publicKeyManagementServiceRef.CreateMethodInput("AddCertificate")
$inputCertificate.AddProperty("CertificateBlob", $certificateBlob)
$outputObject = $publicKeyManagementServiceRef.InvokeMethod($inputCertificate)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
{
    # The $publicKeyCertificateRef is an EPR to the new AMT_PublicKeyCertificate object
    # (the AMT server certificate, which is the one bound to the TLS endpoints below).
    $publicKeyCertificateRef = $outputObject.GetProperty("CreatedCertificate").Ref
}
else
{
    throw "AddCertificate failed with return value $returnValue"
}

# Add TLS certificate: bind the AMT certificate (not the root CA) to the TLS endpoints
$tlsProtocolEndpointCollectionRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSProtocolEndpointCollection WHERE ElementName='TLSProtocolEndpoint Instances Collection'")
$tlsCredentialContextInstance = $wsmanConnectionObject.NewInstance("AMT_TLSCredentialContext")
# $publicKeyCertificateRef is the EPR of the AMT_PublicKeyCertificate created by AddCertificate above.
$tlsCredentialContextInstance.SetProperty("ElementInContext", $publicKeyCertificateRef)
$tlsCredentialContextInstance.SetProperty("ElementProvidingContext", $tlsProtocolEndpointCollectionRef)
$tlsCredentialContextInstance.Create()

# Enable TLS on remote interface. MutualAuthentication=false is server authentication
# only: the AMT client presents its certificate but does not require one from the console.
$tlsSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='Intel(r) AMT 802.3 TLS Settings'")
$tlsSettingDataInstance = $tlsSettingDataRef.Get()
$tlsSettingDataInstance.SetProperty("Enabled", "true")
$tlsSettingDataInstance.SetProperty("MutualAuthentication", "false")
$tlsSettingDataRef.Put($tlsSettingDataInstance)

# Enable TLS on local interface.
$tlsSettingDataRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_TLSSettingData WHERE InstanceID='Intel(r) AMT LMS TLS Settings'")
$tlsSettingDataInstance = $tlsSettingDataRef.Get()
$tlsSettingDataInstance.SetProperty("Enabled", "true")
$tlsSettingDataInstance.SetProperty("MutualAuthentication", "false")
$tlsSettingDataRef.Put($tlsSettingDataInstance)

# Commit changes: none of the settings above take effect until CommitChanges succeeds
$setupAndConfigurationServiceRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_SetupAndConfigurationService WHERE Name='Intel(r) AMT Setup and Configuration Service'")
$inputObject = $setupAndConfigurationServiceRef.CreateMethodInput("CommitChanges")
$outputObject = $setupAndConfigurationServiceRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -notlike "0")
{
    throw "CommitChanges failed with return value $returnValue"
}
Write-Host "TLS enabled; the AMT client should now answer on https port 16993."

Remove-Module 'IntelvPro'

 

##### End of file

Feedback
Hans Wurst   03/07/2012 06:57:47   [Helpful]

Thank you for this nice write-up.

However, due to my lack of having a proper FQDN name in the beginning, I find myself now with an unusable OOB connection as the program I use needs a FQDN, which is not what I was aiming for. Is there a way to disable TLS again, removing all the certificates?