Using the new VeriSign G5 certificate

Version 3

    Applies to all versions of LANDesk Management Suite

    Description

    Recently VeriSign changed the root certificate used for newly issued or renewed SSL certificates. This includes certificates used for Intel vPro/AMT Zero-Touch configuration. Because of this change, many vPro/AMT devices cannot be successfully provisioned using the new certificate.

    Problem

    In order for a machine to successfully complete a zero-touch, certificate-based provision, it must know which root certificates are valid and permitted for ZTC. Beginning in vPro version 2.6, hashes of the set of approved root certificates have been included in the vPro/AMT firmware. For information on the included certificate hashes see: Validating certificates for Zero Touch Provisioning

    Resolution

    Because some older machines will not have the newer VeriSign G5 hash in their firmware, VeriSign has created a special certificate "path" (chain) that has a very common, widely trusted certificate as its root. These new certificates can be found here: http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html

    To use the new VeriSign certificate with old machines, do the following:

    1. Open the certificate that you got from VeriSign
    2. Select the "Details" tab
    3. Select "Copy to File"
    4. Export the certificate as a Base-64 encoded x.509 (.CER)
    5. Rename the exported file to corecacert.pem
    6. On the VeriSign page linked above, copy the text from the box labeled "Primary Intermediate CA Certificate"
    7. Paste it into Notepad. Make sure there are no spaces or blank lines before or after the certificate text.
    8. Save as trusted_cert_intermediate_primary.pem
    9. Repeat this process for the other box, labeled "Secondary SSL Intermediate CA Certificate"
    10. Save as trusted_cert_intermediate.pem

     

    You will then need the standard VeriSign root certificate named something like "Class 3 Public Primary Certificate Authority". Its thumbprint/hash will be 742C-3192-....-74e2. Save it either by pasting the Base-64 text into Notepad or by using the "Copy to File" option to export it as a Base-64 encoded x.509, and name the file trusted_cert.pem. This certificate can usually be found in the IE certificate store or a similar store.

    Once these files are complete, put them onto the core server at \\Core\ldmain\amtprov\certStore\cert_X, where X is a number chosen so it does not collide with certificates already on the core. It is recommended that this "patch" certificate not be the primary one, so it should go in cert_2; you may need to create that directory. Only one certificate chain per folder. You should also create a standard 3-layer certificate chain with the G5 certificate for newer machines to use and put it in cert_1.
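    The most common way this procedure fails is a PEM file with stray whitespace around the certificate block, two certificates pasted into one file, or the wrong root saved as trusted_cert.pem. The following Python script is an added example, not part of this document or of LANDesk's tooling: it checks each of the four PEM files for the problems above, computes the thumbprint the way the Windows certificate dialog shows it (SHA-1 over the DER bytes, written in the hyphenated groups used above), compares it against the partial thumbprint given in this article, and lays out the files for a certStore\cert_X folder. It uses only the standard library; the sample certificate bytes are a constructed stand-in, not a real certificate, so that it runs offline.

```python
"""Sanity-check the PEM files for a vPro/AMT certStore folder before copying
them to the core server. Standard library only; SAMPLE_DER is constructed."""
import base64
import hashlib
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# File names the article expects inside \\Core\ldmain\amtprov\certStore\cert_X
EXPECTED_FILES = (
    "corecacert.pem",                        # the certificate issued by VeriSign
    "trusted_cert_intermediate_primary.pem",  # "Primary Intermediate CA Certificate"
    "trusted_cert_intermediate.pem",          # "Secondary SSL Intermediate CA Certificate"
    "trusted_cert.pem",                       # the common root (Class 3 Public Primary)
)

# Constructed stand-in for a DER-encoded certificate: a tiny DER SEQUENCE,
# not a real X.509 structure, used only so the example runs offline.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_PEM = BEGIN + "\n" + base64.encodebytes(SAMPLE_DER).decode("ascii") + END + "\n"


def inspect_pem(text: str) -> dict:
    """Check one PEM file. Returns {'issues': [...], 'der': bytes or None}."""
    issues = []
    stripped = text.strip()
    # Step 7 of the article: nothing before or after the certificate block
    # (a single trailing newline is fine).
    if text not in (stripped, stripped + "\n", stripped + "\r\n"):
        issues.append("whitespace before or after the certificate block")
    if text.count(BEGIN) != 1 or text.count(END) != 1:
        issues.append("file must contain exactly one BEGIN/END CERTIFICATE pair")
        return {"issues": issues, "der": None}
    body = text.split(BEGIN, 1)[1].split(END, 1)[0]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (ValueError, base64.binascii.Error):
        issues.append("body is not valid Base-64 (was the text pasted cleanly?)")
        return {"issues": issues, "der": None}
    if der[:1] != b"\x30":
        # Every DER certificate starts with a SEQUENCE tag (0x30).
        issues.append("decoded bytes do not start with a DER SEQUENCE")
    return {"issues": issues, "der": der}


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint of the DER bytes, grouped the way the article writes it
    (742C-3192-...). Windows shows SHA-1 in its certificate dialog."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return "-".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def matches_article_root(tp: str) -> bool:
    """The article gives only the first and last groups of the Class 3 root's
    thumbprint (742C-3192-....-74e2); check exactly those, case-insensitively."""
    tp = tp.upper()
    return tp.startswith("742C-3192-") and tp.endswith("-74E2")


def plan_cert_folder(index: int, pems: dict) -> dict:
    """Map relative paths under certStore/cert_<index> to file contents,
    refusing unexpected names or malformed files (one chain per folder)."""
    unexpected = set(pems) - set(EXPECTED_FILES)
    missing = set(EXPECTED_FILES) - set(pems)
    if unexpected or missing:
        raise ValueError(f"cert_{index}: unexpected={sorted(unexpected)} missing={sorted(missing)}")
    plan = {}
    for name, text in pems.items():
        report = inspect_pem(text)
        if report["issues"]:
            raise ValueError(f"{name}: " + "; ".join(report["issues"]))
        plan[f"certStore/cert_{index}/{name}"] = text
    return plan


def write_plan(root: Path, plan: dict) -> None:
    """Write the planned files under root (e.g. the ldmain share) as LF-terminated ASCII."""
    for rel, text in plan.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(text.encode("ascii"))


if __name__ == "__main__":
    files = {name: SAMPLE_PEM for name in EXPECTED_FILES}
    for rel in plan_cert_folder(2, files):   # the "patch" chain goes in cert_2
        print("would write", rel)
    print("sample thumbprint:", thumbprint(SAMPLE_DER))
    print("root check:", matches_article_root(thumbprint(SAMPLE_DER)))
```

    Run it against the real files by replacing the SAMPLE_PEM entries with the contents of your four exported files; `matches_article_root` should return True only for the thumbprint of trusted_cert.pem, and any file that `inspect_pem` flags should be re-exported or re-pasted before it is copied to the core.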

     

    LANDesk Management Suite 9 SP3

    The necessary changes and updates to LANDesk files and programs are already part of SP3. No additional steps are required.

    LANDesk Management Suite 9 SP2

    A special file must also be updated on the core server. It is attached to this document. Rename it and replace the following file on the core server:

    \\CORE\ldmain\amtprov\amtprov\certgenerator\clientsecscripts\gencoreCertchain.bat

    Once this is in place, the full chain should generate correctly and machines should be able to provision successfully.