Intel vPro – Configuration – Part 3 – PKI Configuration

vPro Series of Posts


Now that your PKI is installed, we need to configure it for use with vPro.

Overview

  1. Create Provisioning Certificate Template
  2. Create AMT Device TLS Template

Creating the Provisioning Certificate Template

  1. RDP to your Enterprise Subordinate CA Server, then choose Start -> Run -> certtmpl.msc.
  2. Right-click the Web Server certificate template and choose ‘Duplicate’.
  3. Name the new template “AMT Provisioning Certificate”
  4. Navigate to the ‘Request Handling’ tab, and check the box labeled “Allow private key to be exported”.
  5. Navigate to the ‘Subject Name’ tab, and choose ‘Build from this Active Directory information’.
  6. Click the ‘Subject Name Format’ combo box and choose ‘Common Name’ from the list. Leave the other checkboxes on this page to their defaults.
  7. Navigate to the ‘Security’ tab, and grant the server which is going to run the Intel SCS service the Read and Enroll permissions. If you don’t have a server configured to run Intel SCS, you will have to come back and do this later.
  8. Navigate to the ‘Extensions’ tab, click ‘Application Policies’, then click ‘Edit’.
  9. On the ‘Edit Application Policies Extension’ screen, click ‘Add’.
  10. On the ‘Add Application Policy’ screen, click “New”.
  11. On the ‘New Application Policy’ screen, enter the following:
    • Name: ‘AMT Provisioning’
    • Object Identifier: 2.16.840.1.113741.1.2.3
  12. Click ‘OK’ until the template is saved.

Create the AMT Device TLS Certificate Template

This template will be used by the Intel SCS service. It will request certificates on behalf of your AMT devices. These certificates will be installed into the AMT device firmware and used for traffic authentication and for the WebUI.

  1. RDP to your Enterprise Subordinate CA Server, then choose Start -> Run -> certtmpl.msc.
  2. Right-click the certificate template named “Web Server” and choose ‘Duplicate’.
  3. Name the new template “AMT TLS Certificate”.
  4. Navigate to the ‘Request Handling’ tab, and check the box labeled “Allow private key to be exported”.
  5. Navigate to the ‘Subject Name’ tab, and ensure that the radio button ‘Supply in the request’ is selected.
  6. Navigate to the ‘Security’ tab, and grant the Intel SCS Server the Read and Enroll permissions. If you don’t have a server configured to run Intel SCS, you will have to come back and do this later.
  7. Click ‘OK’ to save the template.

Enabling the Templates

  1. On your Enterprise Subordinate CA server, run the ‘Certification Authority’ tool.
  2. Navigate to the ‘Certificate Templates’ folder on the left pane.
  3. Right-click the ‘Certificate Templates’ folder and choose ‘New’ -> ‘Certificate Template to Issue’.
  4. Choose the ‘AMT TLS Certificate’ template, and click ‘OK’.
  5. Again, right-click the ‘Certificate Templates’ folder and choose ‘New’ -> ‘Certificate Template to Issue’.
  6. Choose the ‘AMT TLS Certificate’ template, and click ‘OK’.

Great! Now you’re ready to install and configure the Intel SCS Service. This will be detailed in a future post.

Advertisements

12 thoughts on “Intel vPro – Configuration – Part 3 – PKI Configuration

  1. Pingback: Intel vPro – Configuration – Part 4 – Install and Configre Intel SCS | windowsmasher

  2. Pingback: Intel vPro – Configuration – Part 4 – Install and Configure Intel SCS | windowsmasher

  3. Pingback: Intel vPro – Configuration – Part 5 – Configure Active Directory | windowsmasher

  4. Pingback: Intel vPro – Configuration – Part 6 – Basic SCS Profile | windowsmasher

  5. Pingback: Intel vPro – Configuration – Part 7 – Provisioning Your First System | windowsmasher

  6. Pingback: Intel vPro – Configuration – Part 8 – Adding Kerberos | windowsmasher

  7. Pingback: Intel vPro – Configuration – Part 9 – Adding TLS | windowsmasher

  8. Pingback: Intel vPro – Configuration – Part 1 – Architecture Overview | windowsmasher

  9. Pingback: Intel vPro – Configuration – Part 2 – PKI Installation | windowsmasher

  10. Pingback: Intel vPro – The Basics of vPro | windowsmasher

  11. Pingback: Intel vPro – Configuration – Part 10 – SCCM Integration | windowsmasher

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s