Obtaining and Applying a VeriSign Remote Configuration Certificate
In previous articles, such as Frequently Asked Questions about Remote Configuration, the topic of remote configuration for the Intel® vPro™ technology was discussed. The core purpose of this approach is to provide remote authentication, thus allowing the provisioning or configuration of the technology without physically touching supported Intel® vPro™ technology clients. For delayed provisioning or post-deployment provisioning situations, this becomes especially useful.
However, there is a core requirement which most IT professionals managing client computers typically do not deal with: obtaining an external x.509v3 certificate from a trusted certificate authority. The process is actually quite simple and does not require a deep understanding of certificates, PKI, and so forth. If your IT department has a certificate specialist, share the article linked above with them and they will likely have the certificate purchased before you get back to your desk (figuratively speaking).
For the rest of us - the key question keeps getting raised - "How do I purchase and install a remote configuration certificate?" This article addresses the steps to acquire a VeriSign certificate for the purpose of remote configuration, and will be using Microsoft Internet Information Server (IIS) version 6 to generate the certificate signing request (CSR). There are other processes and methods to generate the CSR, but I will only be showing one in this article. Similar processes would be followed for GoDaddy, Starfield, Comodo, or other remote configuration certificates supported by the target platform. Although there is a cost associated with acquiring the certificate, it is often minimal in light of the cost of touching every system for distribution of security keys - whether by yourself or via a paid service to perform such activities. With that - it should be noted that remote configuration is NOT for everyone and every situation.
If you read the Intel® vPro™ Expert article posted at http://communities.intel.com/openport/blogs/proexpert/2008/03/19/how-to-procure-and-install-a-verisign-cert-for-remote-configuration-on-scs, the FAQ in the article linked above, and are still scratching your head - this article ought to help out.
Overview of the Basic Steps
Obtaining the certificate requires the following steps:
Core Considerations of the Certificate
As a review to the core certificate properties referenced in the above linked article, there are a few items to be aware of before purchasing the certificate:
Ok - are you ready to start?
Generate the Certificate Signing Request (CSR)
For Microsoft IIS 6.0 environments, follow the basic steps provided by VeriSign at https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR225. In short, access the IIS WebSites, right click on Default Web Site, and select Properties. Within the Properties window, select the Directory Security tab, followed by Server Certificates.
You will be prompted to create a new request, among other items.
Submit the CSR to VeriSign
Access the VeriSign SSL certificate purchasing site at http://www.verisign.com/ssl/buy-ssl-certificates/index.html. On the Buy SSL Certificates page, locate the Secure Site: SSL Certificates section and click Buy.
On the Select Options page, do the following:
On the Select a level of security page, select a server type and paste the contents of the previously generated .txt file. The contents should look similar to what is shown below. Be sure to use Notepad or another viewer that does not add extra characters or formatting.
On the Contacts page, enter your contact and payment information. Print your order confirmation for your records and finish the purchasing process.
IMPORTANT: You will receive an e-mail from VeriSign's automated order verification within a few hours. You have only 24 hours after receiving the e-mail to finish this process. Click the link in the e-mail and complete the process as detailed below.
Complete the CSR
Within a few hours you will receive an email with the signed certificate - both as text in the email and likely as a .CER file from VeriSign. The text in the email between the BEGIN and END NEW CERTIFICATE REQUEST lines is the Base64 encoded signed certificate from VeriSign. This certificate needs to be combined with the private key stored on your Microsoft IIS server. Repeat the steps used to generate a new CSR previously described, except this time select Process the pending request and install the certificate.
It is important that the pending request match the response file. If the pending request was deleted in error, a new CSR must be generated and submitted to VeriSign. VeriSign has a 30-day revoke or replace guarantee.
Export and Backup the Certificate to a PFX File
Once the pending certificate request has been completed with the .CER file provided, the target website used for this process has been assigned the issued certificate. However, the LoadCert.exe process and Intel® SCS will be looking for the issued certificate in the Local Computer certificate store. In addition, a backup copy of the certificate is recommended.
Another method to access the Microsoft IIS Manager is Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager. Open the IIS Manager and navigate to the website which currently has the issued remote configuration certificate. Access the Properties of the website, select the Directory Security tab, and select View Certificate under the Secure Communications section.
With the issued remote configuration certificate opened, select the Details tab and click Copy to File to initiate the Certificate Export Wizard. In stepping through the wizard, ensure the following options are selected:
You will be prompted to provide a password, which will secure the generated PFX file.
Once completed, you now have a .PFX file providing a backup copy of the issued remote configuration certificate, intermediate certificate, and root VeriSign certificate.
Import to the Local Computer Certificate Store
NOTE: The instructions below apply ONLY to Altiris 6 with SCS 3.x environments. If you are using Altiris 7.x, which includes SCS 5.x, please refer to Insight #4 at http://www.symantec.com/connect/articles/readyfour-insights-oob-site-service-installation-and-usage
If not already opened, access the Local Computer Certificate store by running mmc.exe (Microsoft Management Console). Within the console, select File > Add/Remove Snap-in. From the list of options, select Certificates. When prompted, select Computer Account followed by Local Computer. Close the Add/Remove Snap-in window to see the certificate folders.
Navigate to the Personal folder and select Import. In stepping through the Import Wizard, Browse to the .PFX file previously created. When prompted to Select a Certificate Store, choose Automatically select the certificate store based on the type of certificate. This will ensure that the certificates are imported to the correct folder providing the server with the full certificate security chain.
Visually Inspect the Certificate Properties
Once the certificate is imported, refresh the screen and open the newly issued certificate. Ensure that the certificate includes the private key, as this will be used to encrypt messages.
Select the Details tab, and check the Subject of the certificate. Ensure that the OU entry is Intel(R) Client Setup Certificate, and that the CN entry is the FQDN of the target server.
Select the Certification Path tab, and navigate to the Root Certificate, which is found at the top of the certificate chain. Double click on the root certificate (e.g. VeriSign Class 3 Public Primary CA).
Within the Details of the Root Certificate, select Thumbprint. This is the hash unique to this root certificate, and it is the value that has been preloaded in the firmware of the Intel® vPro™ technology system. The list of certificate hashes is referenced in the FAQ article mentioned at the beginning of this article.
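The same three checks (private key present, Subject OU and CN, root thumbprint against the firmware hash list) can be scripted from the Local Computer Personal store. This is an added example, not a script from the original article or from Intel SCS; the server FQDN and the root hash list are placeholders, and the hash list should be filled from the FAQ the article references.

```powershell
# Added example (not from the original article): inspect the imported remote
# configuration certificate the way the article describes doing it by hand.
# Placeholders: $ServerFqdn and $KnownRootHashes must be replaced with your
# server's FQDN and the root certificate hashes published in the referenced FAQ.
param(
    [string]$ServerFqdn = 'provisioning.example.com',                    # placeholder
    [string[]]$KnownRootHashes = @('PLACEHOLDER-ROOT-HASH-FROM-FAQ-ARTICLE')  # placeholder
)

$expectedOu = 'Intel(R) Client Setup Certificate'
$store      = 'Cert:\LocalMachine\My'   # Personal folder of the Local Computer store

# Candidate certificates: must carry the private key and be issued to the server FQDN.
$candidates = Get-ChildItem $store | Where-Object {
    $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($ServerFqdn))(,|$)"
}
if (-not $candidates) {
    Write-Warning "No certificate for CN=$ServerFqdn with a private key found in $store"
    return
}

foreach ($cert in $candidates) {
    Write-Host "Inspecting $($cert.Thumbprint) (valid until $($cert.NotAfter))"

    # The Subject OU must be the client setup marker the firmware expects.
    $ouOk = $cert.Subject -match "OU=$([regex]::Escape($expectedOu))(,|$)"
    Write-Host ("  OU check: {0}  Subject: {1}" -f $(if ($ouOk) { 'OK' } else { 'MISSING' }), $cert.Subject)

    # Build the chain and take its last element as the root, as the Certification Path tab shows.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the path is of interest here
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootOk = $KnownRootHashes -contains $root.Thumbprint

    Write-Host ("  Chain built: {0}  Root: {1}" -f $built, $root.Subject)
    Write-Host ("  Root thumbprint {0}: {1}" -f $root.Thumbprint,
        $(if ($rootOk) { 'matches the firmware hash list' } else { 'NOT in the firmware hash list' }))
    $chain.Reset()
}
```

A certificate that fails the OU or root thumbprint check will not be accepted by remote configuration capable clients, so resolve those before running LoadCert.exe.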
Run LoadCert.exe to Complete the Certificate Process
NOTE: This step ONLY applies to Altiris 6.x environments using SCS 3.x
With the certificate created, imported, and inspected - one final step remains: associate the issued certificate with the provisioning service. The LoadCert.exe utility located at c:\Program Files\Intel\AMTConfserver\Tools is used to perform this action.
Run the LoadCert.exe utility. A command window will appear providing brief instructions and a prompt to continue. Select Y and the Select Certificate window will appear showing all certificates in the Personal Folder of the Local Computer Certificate Store. Select the issued certificate, with an option to view the certificate first to validate it is the correct certificate.
At this point, the provisioning service within the Altiris OOBM server is ready to receive and process remote configuration requests using the issued VeriSign certificate. You will need to ensure Remote Configuration is enabled in the General settings of the Altiris provisioning interface. All remote configuration capable systems have the matching certificate hash preloaded. The certificate must be issued to the DNS context of the clients, which requires a validation of identity during the certificate purchase process.
With the certificate loaded, initiating the provisioning process is accomplished via the OOB Task Agent with Delayed Provisioning, or via the Intel® vPro™ Activator Utility. More information on each of these can be provided if needed - just leave a note on this article.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.
Mar 07 2018, 9:10 AM