Obtaining and Applying a VeriSign Remote Configuration Certificate
In previous articles, such as Frequently Asked Questions about Remote Configuration, the topic of remote configuration for Intel® vPro™ technology was discussed. The core purpose of this approach is to provide remote authentication, thus allowing the technology to be provisioned or configured without physically touching supported Intel® vPro™ technology clients. This is especially useful for delayed provisioning or post-deployment provisioning situations.
However, there is a core requirement which most IT professionals managing client computers typically do not deal with: obtaining an external X.509v3 certificate from a trusted certificate authority. The process is actually quite simple and does not require a deep understanding of certificates, PKI, and so forth. If your IT department has a certificate specialist, share the article linked above with them and they will likely have the certificate purchased before you get back to your desk (figuratively speaking).
For the rest of us - the key question keeps getting raised - "How do I purchase and install a remote configuration certificate?" This article addresses the steps to acquire a VeriSign certificate for the purpose of remote configuration, and will be using Microsoft Internet Information Server (IIS) version 6 to generate the certificate signing request (CSR). There are other processes and methods to generate the CSR, but I will only be showing one in this article. Similar processes would be followed for GoDaddy, Starfield, Comodo, or other remote configuration certificates supported by the target platform. Although there is a cost associated with acquiring the certificate, it is often minimal in light of the cost of touching every system to distribute security keys - whether by yourself or via a paid service to perform such activities. With that - it should be noted that remote configuration is NOT for everyone and every situation.
If you read the Intel® vPro™ Expert article posted at http://communities.intel.com/openport/blogs/proexpert/2008/03/19/how-to-procure-and-install-a-verisign-cert-for-remote-configuration-on-scs, the FAQ in the article linked above, and are still scratching your head - this article ought to help out.
Overview of the Basic Steps
Obtaining the certificate requires the following steps:
- Generate a Certificate Signing Request (CSR) to be sent to the Certificate Authority (e.g. VeriSign). This will also generate the private key, which is stored on your server.
- Receive the signed request from the Certificate Authority. This is usually delivered as a .CER file.
- Complete the CSR using the received .CER file to associate your private key with the signed certificate.
- Export and back up the issued certificate with its associated certificate chain to a .PFX file.
- Import the certificate into the Local Computer certificate store.
- Do a visual check of the certificate and associated certificate path to ensure the correct properties have been applied.
- Run the LoadCert.exe utility to complete the association of the certificate with the provisioning service.
Core Considerations of the Certificate
As a review of the core certificate properties referenced in the above linked article, there are a few items to be aware of before purchasing the certificate:
- The desired certificate must chain to a root certificate whose hash (aka thumbprint) is preloaded in the Intel® vPro™ firmware. This is mentioned in the article linked above. Environments wanting to "generate their own certificate" can do so IF they can load the hash of their root certificate into the firmware. (However, you have to ask yourself a question there. If you are already touching the system to enter a certificate hash - then why not use a pre-shared key?)
- What is the DHCP option 15 setting in your environment? Can you prove ownership of the DNS suffix used? (more on this later).
- Does the DNS domain suffix have parent or child domains among the clients you will be provisioning? For example, the DNS suffix is company.com, yet you want to provision clients in loc1.company.com and loc2.company.com. The key is understanding how each client's DHCP option 15 value matches the DNS suffix in the certificate; this determines how many certificates you need to purchase. If more than one, the next two items must be understood.
- How many "provisionserver" systems will be in the environment? This is the Altiris Notification Server with Out of Band Management, which is hosting the Intel® vPro™ provisioning service capabilities. If you have more than one client facing Altiris NS Server to be used as a "ProvisionServer", take a look at the articles linked from Using Out of Band Management with Intel SCS in a Multiple Notification Server Environment.
- The present provisioning service will allow only ONE certificate to be associated to it. Therefore, if your environment requires multiple certificates due to different DNS domain suffixes or other reasons, then it is a question of mapping the intended certificate to the target ProvisionServer. This will change in future versions of the provisioning service, yet for now - it is a ONE to ONE mapping for Intel SCS 3.x environments.
- Once the certificate is imported to the Local Computer store, the AMTConfig service logon account must have access to the private key, since the provisioning service uses it to complete the TLS session with the clients. If this account does not have access, then the certificate must also be imported into the service account's certificate store.
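The DHCP option 15 question above is easy to answer with a script rather than by reading scope properties one at a time. The following PowerShell is an added example, not part of the original article: it lists every IPv4 scope on a DHCP server, reads the option 15 (DNS domain name) value, and compares it with the DNS suffix of the common name you plan to request. The server name dhcp01, the planned CN provisionserver.mycompany.local and the availability of the DhcpServer module (Windows Server 2012 / RSAT or later) are assumptions.

```powershell
# Added example (not from the original article): inventory DHCP option 15 per scope
# and compare each value with the DNS suffix you plan to put in the certificate CN.
# Assumptions: a Windows DHCP server (placeholder name 'dhcp01') and the DhcpServer
# PowerShell module (Windows Server 2012 / RSAT or later).
param(
    [string]$DhcpServer    = 'dhcp01',                          # placeholder
    [string]$CertificateCN = 'provisionserver.mycompany.local'  # planned CN
)

# Everything after the first label of the CN is the DNS suffix the client's
# firmware will compare with the domain name it received in DHCP option 15.
if ($CertificateCN -notmatch '\.') { throw "CN '$CertificateCN' carries no DNS suffix" }
$certSuffix = ($CertificateCN -split '\.', 2)[1].ToLower()

# Server-wide option 15, inherited by scopes that do not override it
$serverOpt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 15 `
                 -ErrorAction SilentlyContinue

$report = foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId `
               -OptionId 15 -ErrorAction SilentlyContinue
    if (-not $opt) { $opt = $serverOpt }
    $suffix = if ($opt) { ([string]$opt.Value[0]).TrimEnd('.').ToLower() } else { '' }

    if (-not $suffix) {
        $status = 'no option 15: clients in this scope will not match any certificate'
    } elseif ($suffix -eq $certSuffix) {
        $status = 'exact match'
    } elseif ($suffix.EndsWith('.' + $certSuffix)) {
        $status = 'child domain: confirm the firmware matching rule for your AMT version'
    } else {
        $status = 'MISMATCH: needs its own certificate or must be excluded'
    }

    [pscustomobject]@{
        ScopeId    = $scope.ScopeId
        ScopeName  = $scope.Name
        Option15   = $suffix
        CertSuffix = $certSuffix
        Status     = $status
    }
}
$report | Format-Table -AutoSize
```

Run it once per DHCP server that serves vPro clients. Every scope reported as MISMATCH is a scope whose clients will never accept this certificate, which is exactly the "how many certificates do I need" question; scopes reported as child domains need the matching rule of your firmware version checked against the FAQ before you assume one certificate covers them.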
Ok - are you ready to start?
Generate the Certificate Signing Request (CSR)
For Microsoft IIS 6.0 environments, follow the basic steps provided by VeriSign at https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR225. In short, access the IIS WebSites, right click on Default Web Site, and select Properties. Within the Properties window, select the Directory Security tab, followed by Server Certificates.
You will be prompted to create a new request, among other items.
- Select Create a new certificate request, and step through the screens to Prepare the request now, but send it later.
- When prompted for a Name, enter a value to quickly identify the certificate. This screen will also show the maximum encryption key size. Remote Configuration supports a maximum key length of 2048 bits.
- When prompted for Organization, enter the DNS context you intend to use. The example below is MyCompany.local
- When prompted for the Organizational Unit enter Intel(R) Client Setup Certificate. Note that (R) is used instead of ®.
- When prompted for the site's common name, enter the FQDN of the target server. This value could also use a placeholder hostname if needed. The more important piece is the DNS suffix specified.
- When the necessary data has been entered, a .TXT file containing the CSR will be created to be sent to VeriSign. The summary screen shows the core values written to the .TXT file.
Submit the CSR to VeriSign
Access the VeriSign SSL certificate purchasing site at http://www.verisign.com/ssl/buy-ssl-certificates/index.html. On the Buy SSL Certificates page, locate the Secure Site: SSL Certificates section and click Buy.
On the Select Options page, do the following:
- Select how many years you wish purchase (validity period).
- Enter the number of servers to be secured with this certificate.
- Specify whether the server is located outside of the USA/Canada.
- Click Continue.
On the Select a level of security page, select a server type and paste the contents of the previously generated .txt file. The contents are a Base64 block between the BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST lines. Be sure to use Notepad or another viewer that does not add extra characters or formatting.
On the Contacts page, enter your contact and payment information. Print your order confirmation for your records and finish the purchasing process.
Complete the CSR
Within a few hours you will receive an email with the signed certificate - both as text in the email and likely as a .CER file from VeriSign. The text in the email between the BEGIN CERTIFICATE and END CERTIFICATE lines is the Base64 encoded signed certificate from VeriSign. This certificate needs to be combined with the private key stored on your Microsoft IIS server. Repeat the steps used to generate a new CSR previously described, except this time select Process the pending request and install the certificate.
It is important that the pending request match the response file. If the pending request was deleted in error, a new CSR must be generated and submitted to VeriSign. VeriSign has a 30-day revoke or replace guarantee.
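The IIS 6 wizard in the two sections above (generating the CSR and completing it with the signed .CER) can also be driven from the command line, which is handy on a server that has no web site to borrow. The following PowerShell is an added example and is not part of the original article: it writes a certreq.exe INF file carrying the same subject values the wizard asks for (Organization = the DNS context, OU = Intel(R) Client Setup Certificate, CN = the target server FQDN), generates a 2048-bit request into the Local Computer store, and later accepts the signed certificate against the pending request. The paths under C:\certs, the CN provisionserver.mycompany.local, the O value MyCompany.local and the country code are assumptions you replace with your own.

```powershell
# Added example (not from the original article): build the CSR with certreq.exe
# instead of the IIS 6 wizard, then complete it with the signed .CER from the CA.
# Assumed placeholders: C:\certs paths, CN provisionserver.mycompany.local,
# O=MyCompany.local, C=US.
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null

$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
; Subject: CN = FQDN (or placeholder host) in the clients' DNS suffix,
;          OU = exactly "Intel(R) Client Setup Certificate" (ASCII (R), not ®),
;          O  = the DNS context, as the wizard steps in the article describe
Subject = "CN=provisionserver.mycompany.local, OU=Intel(R) Client Setup Certificate, O=MyCompany.local, C=US"
KeyLength = 2048                 ; maximum supported by Remote Configuration
KeySpec = 1                      ; AT_KEYEXCHANGE: usable for TLS key exchange
KeyUsage = 0xA0                  ; Digital Signature, Key Encipherment
Exportable = TRUE                ; needed to back the key up to a .PFX later
MachineKeySet = TRUE             ; key lands in the Local Computer store, not the user's
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1          ; Server Authentication
'@
Set-Content -Path C:\certs\rcfg.inf -Value $inf -Encoding Ascii

# 1. Generate the private key and the PKCS#10 request. The .txt produced here is
#    the Base64 block (BEGIN/END NEW CERTIFICATE REQUEST) you paste into the CA form.
certreq.exe -new C:\certs\rcfg.inf C:\certs\rcfg-request.txt

# 2. After the CA returns the signed certificate, save it as rcfg-signed.cer and
#    bind it to the pending key. certreq matches the response to the pending
#    request by public key; if the pending request was deleted, this fails and a
#    fresh CSR must be generated and resubmitted, as the section above warns.
certreq.exe -accept C:\certs\rcfg-signed.cer

# 3. Confirm the certificate is now in the Local Computer Personal store with its key
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=provisionserver.mycompany.local*' } |
    Format-List Subject, HasPrivateKey, Thumbprint, NotBefore, NotAfter
```

Run the first half, submit the request, and run the second half when the .CER arrives. The INF deliberately uses the RSA SChannel provider and MachineKeySet = TRUE so that the key sits in the same place the IIS wizard would have put it, which matters for the private key permissions discussed under Core Considerations.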
Export and Backup the Certificate to a PFX File
Once the pending certificate request has been completed with the .CER file provided, the target website used for this process has been assigned the issued certificate. However, the Loadcert.exe process and Intel® SCS will be looking for the issued certificate in the Local Computer certificate store. In addition, a backup copy of the certificate is recommended.
Another method to access the Microsoft IIS Manager is Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager. Open the IIS Manager and navigate to the website which currently has the issued remote configuration certificate. Access the Properties of the website, select the Directory Security tab, and select View Certificate under the Secure Communications section.
With the issued remote configuration certificate opened, select the Details tab and click Copy to File to initiate the Certificate Export Wizard. In stepping through the wizard, ensure the following options are selected:
- Yes, export the private key
- Include all certificates in the certification path if possible
You will be prompted to provide a password, which will secure the generated PFX file.
Once completed, you now have a .PFX file providing a backup copy of the issued remote configuration certificate, intermediate certificate, and root VeriSign certificate.
Import to the Local Computer Certificate Store
NOTE: The instructions below apply ONLY to Altiris 6 with SCS 3.x environments. If you are using Altiris 7.x, which includes SCS 5.x, please refer to Insight #4 at http://www.symantec.com/connect/articles/readyfour-insights-oob-site-service-installation-and-usage
If not already opened, access the Local Computer Certificate store by running mmc.exe (Microsoft Management Console). Within the console, select File > Add/Remove Snap-in. From the list of options, select Certificates. When prompted, select Computer Account followed by Local Computer. Close the Add/Remove Snap-in window to see the certificate folders.
Navigate to the Personal folder and select Import. In stepping through the Import Wizard, browse to the .PFX file previously created. When prompted to Select a Certificate Store, choose Automatically select the certificate store based on the type of certificate. This will ensure that each certificate in the file is imported to the correct folder, giving the server the full certificate chain.
Visually Inspect the Certificate Properties
Once the certificate is imported, refresh the screen and open the newly issued certificate. Ensure that the certificate shows that it has a private key, as the provisioning service needs the private key to complete the TLS handshake with the clients.
Select the Detail tab, and check the Subject of the certificate. Ensure that the OU entry is Intel(R) Client Setup Certificate, and that the CN entry is the FQDN of the target server.
Select the Certificate Path tab, and navigate to the Root Certificate which is found at the top of the certificate chain. Double click on the root certificate (e.g. VeriSign Class 3 Public Primary CA).
Within the Details of the Root Certificate, select Thumbprint. This is the hash of the root certificate, and it must match one of the hashes that has been loaded in the firmware of the Intel® vPro™ technology system. The list of certificate hashes is referenced in the FAQ article mentioned at the beginning of this article.
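The visual inspection above, plus the private key access requirement listed under Core Considerations, can be scripted so the checks are repeatable on every ProvisionServer. The following PowerShell is an added example and not part of the original article: it locates the certificate in the Local Computer Personal store, verifies the OU and CN, confirms a private key is attached, builds the chain and compares the root thumbprint with the hash list you copy from the FAQ, and finally grants the AMTConfig service account Read access on the private key file. The CN provisionserver.mycompany.local, the service account MYCOMPANY\svc-amtconfig and the placeholder hash value are assumptions; the hash list must be replaced with the values from the FAQ.

```powershell
# Added example (not from the original article): script the certificate checks
# and the private key permission for the AMTConfig service account.
# Assumptions: CN provisionserver.mycompany.local, service account
# MYCOMPANY\svc-amtconfig, and a root hash list taken from the FAQ (the value
# below is a placeholder, not a real VeriSign hash). Keys created by the IIS 6
# wizard or the RSA SChannel provider are CAPI keys stored under MachineKeys.
$cn             = 'provisionserver.mycompany.local'
$expectedOU     = 'Intel(R) Client Setup Certificate'
$serviceAccount = 'MYCOMPANY\svc-amtconfig'
$knownRootHashes = @('00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00')  # placeholder

# Normalise the FAQ list to the bare upper-case hex that .NET reports as Thumbprint
$knownRootHashes = $knownRootHashes | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpper() }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$cn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$cn in the Local Computer Personal store" }

# 1. Subject fields exactly as the firmware expects them (simple split on ', ';
#    adequate because none of the required values contain a comma)
$ou = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'OU=*' }) -replace '^OU=', ''
if ($ou -ne $expectedOU) { Write-Warning "OU is '$ou'; expected '$expectedOU'" }
"Subject: $($cert.Subject)"

# 2. Private key present (the .PFX import must have carried it)
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-import the .PFX with the key' }

# 3. Build the chain and read the root thumbprint
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the path matters for this check
[void]$chain.Build($cert)
if ($chain.ChainStatus) { Write-Warning ("Chain status: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')) }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain depth: $($chain.ChainElements.Count); root: $($root.Subject); thumbprint: $($root.Thumbprint)"
if ($knownRootHashes -notcontains $root.Thumbprint) {
    Write-Warning 'Root thumbprint is not in the preloaded firmware hash list; clients will reject it'
}

# 4. Private key file ACL: the AMTConfig logon account needs Read on the key container
if (-not $cert.PrivateKey) { throw 'Key is not a CAPI key; set permissions on the CNG key container instead' }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$base = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }  # Server 2003 layout
$keyPath = Join-Path $base "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyPath
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $serviceAccount -and (($_.FileSystemRights -band $read) -eq $read)
}
if (-not $hasRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    "Granted Read on the private key file to $serviceAccount"
} else {
    "$serviceAccount already has Read on the private key file"
}
```

Run it elevated on the ProvisionServer after the .PFX import. The thumbprint comparison is the same check the firmware performs, so a warning at step 3 means the purchase was made from a CA whose root is not in your systems' preloaded list and no amount of configuration on the server will fix it; the ACL step is the scripted form of "the AMTConfig service logon account must have access to the private key" and avoids importing a second copy of the certificate into the service account's store.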
Run LoadCert.exe to Complete the Certificate Process
NOTE: This step ONLY applies to Altiris 6.x environments using SCS 3.x
With the certificate created, imported, and inspected - one final step remains: associate the issued certificate with the provisioning service. The LoadCert.exe utility located at c:\Program Files\Intel\AMTConfserver\Tools is used to perform this action.
Run the LoadCert.exe utility. A command window will appear providing brief instructions and a prompt to continue. Select Y and the Select Certificate window will appear showing all certificates in the Personal Folder of the Local Computer Certificate Store. Select the issued certificate, with an option to view the certificate first to validate it is the correct certificate.
At this point, the provisioning service within the Altiris OOBM server is ready to receive and process remote configuration requests using the issued VeriSign certificate. You will need to ensure Remote Configuration is enabled in the General settings of the Altiris provisioning interface. Remember the two requirements on the client side: all remote configuration capable systems must have the matching root certificate hash preloaded, and the certificate must be issued to the DNS context of the clients, which requires a validation of identity during the certificate purchase process.
With the certificate loaded, initiating the provisioning process is accomplished via the OOB Task Agent with Delayed Provisioning, or via the Intel® vPro™ Activator Utility. More information on each of these can be provided if needed - just leave a comment on this article.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.
Regarding the following step in "Generate the Certificate Signing Request (CSR)": When prompted for the site's common name, enter the FQDN of the target server. This value could also include a placeholder hostname if needed. The more important piece is the DNS suffix specified. Is it possible to create it like provisionserver.yourdomain.com when you have set up a DNS alias to realcomputername.yourdomain.com, or must it be realcomputername.yourdomain.com to work?
You are correct - the important part is the DNS suffix\context and your DHCP option 15 setting. By nature - certificate authorities (VeriSign and others) will want to issue the certificate to the designated server and frown upon mismatching the certificate and server FQDN. However, if you don't know the final name or will have a group of servers (e.g. load balance or mixed mgmt software situation) handling, this comes in handy. When creating the request - you could say ProvisionServer.yourdomain.com. This is how my demonstration kit is set up (same certificate used for 3 or 4 servers - depending on which software solution is being shown). I've also seen customers do this. One caution - noted at a customer earlier this year. If you use your internal root DNS suffix\context (e.g. mycompany.com), and only want a set or specific location of systems to provision... double check the DNS suffix, and consider employing scripts, provisioning authorization, or other "filtering" mechanisms. We experienced a situation where not only the desired systems were provisioning, yet also systems several states away, etc, etc. In short - the technology worked exactly the way it should... we simply didn't do our homework ahead of time.
Terry, We have a Microsoft Certificate Server that we would like to use for automatic provisioning. I've found documentation regarding how to do this from the Intel site, but everything I have read concerning Altiris only mentions using the providers listed above. Do you know if we can use a Microsoft Certificate from our server?
Yes - this can be done. However - it will require you to enter the root certificate hash into the Intel AMT firmware. Only AMT 3.x or higher supports the addition of "non-persistent" root certificate hash additions post manufacturing. There's an FAQ at http://communities.intel.com/docs/DOC-1490 Plus - documentation on generating an internal remote configuration certificate is needed. Although this is possible - I wouldn't recommend it beyond small lab testing. After the effort to implement - a GoDaddy or VeriSign certificate cost is minimal in comparison.
There’s a whitepaper and configuration certificate selection utility at http://www.vproexpert.com/59JHE/RCFG-Cert-Util-Download.html
The whitepaper provides a handy flowchart and additional insights on the supported certificates.
More information, including link to video which explains the Intel Remote Configuration Utility at http://communities.intel.com/docs/DOC-2734 and video at http://www.vproexpert.com/59JHE/RCFG-CERT-UTIL/RCFG-CERT-UTIL-DEMO/RCFG-CERT-UTIL-DEMO.html
The VeriSign landing page for vPro certificates is http://www.verisign.com/ssl/intel-vpro-technology/index.html
Since this question has been raised several times, here is the quick answer.
Yes - you can use an internally generated certificate to configure vPro systems. However, this will require the root certificate hash to be added to the firmware on every system. Thus - this may be a good approach to simply test the remote configuration process before proceeding in the acquisition of an external certificate.
Some customers have an Entrust certificate environment which is a common reason this request comes up.
An overview on what is required - using Microsoft CA environment - is described at http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2 - specifically look at the sections
Creating a Windows Security Group for the Out of Band Service Point Site System Servers
Requesting, Installing and Preparing the AMT Provisioning Certificate
Why a certificate is used is to establish initial trust, as mentioned at http://www.symantec.com/connect/articles/alternative-approaches-and-tools-configuring-intel-vpro-technology .... there's also mention of the USBfile.exe utility for helping to insert the root certificate hash.
If more insights and step-by-step needed - let me know.
It appears that as of November 1, 2015, Symantec will no longer be signing Secure Server CSRs for non-registered (internal server hosts) domains. Any Intel vPro Remote Client Setup Certificates requested before this period will only be valid through November 1, 2015. As such, Symantec is crediting users the difference in cost, since this is less than the minimum 1yr validity period.