Validating certificates for Zero Touch Provisioning

Version 9

    Verified Product Versions

    Endpoint Manager 9.6

    Applies to all versions of LANDesk Management Suite


    After getting a certificate back from the third-party vendor, you can make sure that the certificate it sent back will work with Intel vPro by doing the following.


    The Enhanced Key Usage (EKU) must contain an Intel AMT unique OID or the OU value in the Subject field must be “Intel(R) Client Setup Certificate”.


    Validating the Enhanced Key Usage (EKU)


    The Enhanced Key Usage (EKU) field is a list of OIDs separated by commas. It should contain the Intel AMT unique OID (2.16.840.1.113741.1.2.3) if possible. It must contain the “SSL Server” OID (an IANA pre-defined OID).


    • The file that is extracted as corecacert.pem can be renamed to have a .cer or .crt extension and then opened
    • Once opened, switch to the Details tab and scroll down to the Enhanced Key Usage field
    • Make sure it contains the AMT unique OID (2.16.840.1.113741.1.2.3)

    [Screenshot: vpro.jpg]


    Validating the Organization Unit

    When creating the CSR file there is no option to set the Organization Unit; it is hard-coded to Intel(R) Client Setup Certificate. When the certificate comes back, its Organization Unit still needs to be Intel(R) Client Setup Certificate. It has been seen that a returned certificate has the OU set to a different value even though the CSR set it. The certificate will not work with vPro if the OU is anything other than Intel(R) Client Setup Certificate, and the vendor would need to be contacted to correct it.


    • The file that is extracted as corecacert.pem can be renamed to have a .cer or .crt extension and then opened
    • Once opened, switch to the Details tab and scroll down to the Subject; it lists the OU that was set by the certificate vendor
    • Make sure that the OU is Intel(R) Client Setup Certificate

    [Screenshot: ou.png]


    Validating the Certificate HASH file

    Each Intel vPro BIOS is loaded with hash files to match the certificates that third-party vendors supply. Depending on the BIOS installed on a machine, it will support a variety of different hash files.


    All BIOS releases will have the default five hashes listed:

    • 742C-3192-E607-E424-EB45-4954-2BE1-BBC5-3E61-74E2 - VeriSign G1
    • 132D-0D45-534B-6997-CDB2-D5C3-39E2-5576-609B-5CC6 - VeriSign G3
    • 2796-BAE6-3F18-01E2-7726-1BA0-D777-7002-8F20-EEE4 - Go Daddy Class 2 CA
    • D1EB-23A4-6D17-D68F-D925-64C2-F1F1-6017-64D8-E349 - Comodo
    • AD7E-1C28-B064-EF8F-6003-4020-14C3-D0E3-370E-B58A - Starfield Class 2 CA


    Newer BIOS releases (or updates) may also have the following:

    • A1DB-6393-916F-17E4-1855-0940-0415-C702-40B0-AE6B - VeriSign G1.5
    • 8537-1CA6-E550-143D-CE28-0347-1BDE-3A09-E8F8-770F - VeriSign G2
    • 4EB6-D578-499B-1CCF-5F58-1EAD-56BE-3D9B-6744-A5E5 - VeriSign G5


    The certificate whose hash the BIOS holds is the trusted_cert. Change its extension to .cer or .crt to open it, select the Details tab and scroll down to the Thumbprint to compare it against the hashes listed above.


    [Screenshot: thumb.png]
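The three checks above (EKU, Subject OU, and the trusted root's thumbprint against the BIOS hash list), combined into one script as an added example that is not part of the original article. It assumes the third-party Python `cryptography` package is installed; `make_sample_cert` builds a constructed self-signed stand-in so the checks can run without a vendor-issued certificate.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

INTEL_AMT_OID = x509.ObjectIdentifier("2.16.840.1.113741.1.2.3")  # Intel AMT unique EKU OID
SERVER_AUTH_OID = ExtendedKeyUsageOID.SERVER_AUTH  # the "SSL Server" OID, 1.3.6.1.5.5.7.3.1
REQUIRED_OU = "Intel(R) Client Setup Certificate"
# SHA-1 thumbprints the article lists as embedded in vPro BIOS (dashes removed).
BIOS_HASHES = {h.replace("-", ""): name for h, name in [
    ("742C-3192-E607-E424-EB45-4954-2BE1-BBC5-3E61-74E2", "VeriSign G1"),
    ("132D-0D45-534B-6997-CDB2-D5C3-39E2-5576-609B-5CC6", "VeriSign G3"),
    ("2796-BAE6-3F18-01E2-7726-1BA0-D777-7002-8F20-EEE4", "Go Daddy Class 2 CA"),
    ("D1EB-23A4-6D17-D68F-D925-64C2-F1F1-6017-64D8-E349", "Comodo"),
    ("AD7E-1C28-B064-EF8F-6003-4020-14C3-D0E3-370E-B58A", "Starfield Class 2 CA"),
    ("A1DB-6393-916F-17E4-1855-0940-0415-C702-40B0-AE6B", "VeriSign G1.5"),
    ("8537-1CA6-E550-143D-CE28-0347-1BDE-3A09-E8F8-770F", "VeriSign G2"),
    ("4EB6-D578-499B-1CCF-5F58-1EAD-56BE-3D9B-6744-A5E5", "VeriSign G5"),
]}

def check_eku(cert):
    """(has the 'SSL Server' OID, has the Intel AMT OID); both False if EKU is absent."""
    try:
        ekus = list(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        return (False, False)
    return (SERVER_AUTH_OID in ekus, INTEL_AMT_OID in ekus)

def check_ou(cert):
    """True only if the Subject carries the hard-coded OU the CSR asked for."""
    ous = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)
    return any(a.value == REQUIRED_OU for a in ous)

def bios_hash_name(cert):
    """Name of the matching BIOS hash for the trusted root cert, or None if not embedded."""
    return BIOS_HASHES.get(cert.fingerprint(hashes.SHA1()).hex().upper())

def make_sample_cert(ou, ekus):
    """Constructed self-signed stand-in for a vendor-issued cert (test input only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "amt.example.test"),
                      x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .sign(key, hashes.SHA256()))
```

To run the checks on a real file, `x509.load_pem_x509_certificate(open("corecacert.pem", "rb").read())` returns the certificate object; pass the trusted root's file to `bios_hash_name`.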