With the December 2009 documentation update for the Configuration Manager library, we posted a new step-by-step guide for out of band management, to help customers deploy the PKI certificates with a Windows Server 2008 CA (http://technet.microsoft.com/en-us/library/dd252737.aspx).  One of the main differences with this guide from the equivalent step-by-step that used a Windows Server 2003 CA was that it didn't have a procedure for requesting an AMT provisioning certificate from an external (public) CA.  In the Windows Server 2003 CA step-by-step, we said follow any instructions provided by the CA company; otherwise use the Web enrollment procedure to create a certificate request file.

The reason why we didn't include the Web enrollment instructions for the Windows Server 2008 guide was because the later enrollment pages no longer allow you to request a certificate for the computer store.  You can request it for the User store and then export it, but this is an extra step and can untidily leave the certificate installed where it shouldn't be.  It's always better to request the certificate directly from where you are going to use it.

As with the native mode step-by-step guide for Windows Server 2008, using the command-line tool, Certreq.exe, seemed the best choice if the CA company didn't provide their own instructions (usually a form from their Web site).  There are many KBs that provide instructions on how to request certificates from a public CA (for example, http://support.microsoft.com/kb/321051).  However, these assume that you do not have your own enterprise CA and when we tried creating the certificate request file by using Certreq.exe it failed, because it was expecting a certificate template to be supplied.  The certificate template is used with our internal CA and not the public CA, so we weren't sure how much to supply in the inf file that is used to create the certificate request.

I've been working with our AMT tester, Wei Wei, to find a procedure using Certreq that successfully requested and installed an AMT provisioning certificate from VeriSign.  This certificate then successfully provisioned our AMT-based computers, so we knew that the certificate was correct.  Bear in mind that this certificate request method is not VeriSign's usual method to request a certificate, and we were using it more as a proof of concept.  If your chosen CA company does not supply their own instructions or you are having problems with this, following this example might be helpful.

These steps assume that you're following the step-by-step guide and have previously created the security group and certificate templates.  Note that because VeriSign does not support the Intel AMT provisioning OID, this certificate request uses the alternative method of supplying the OU attribute of "Intel(R) Client Setup Certificate".

You can put more options into the .inf file than our example, but we were looking for the minimum that had to be specified in order for the certificate to work.  It needs the following:

  • In the certificate Subject, the FQDN of the server that will be the out of band service point and the OU string of "Intel(R) Client Setup Certificate".
  • The Exportable = True option because you must export the certificate with the private key, so can that you can then import it into the Configuration Manager database.
  • The MachineKeySet = True option so that the certificate goes into the Computer store.
  • The request type to be PKCS10 so that it's suitable for a public CA.

And as we've discussed before, this file also needs to reference a certificate template on your internal CA or the certificate request will fail.

You must supply your own values in the Subject= line.  Ours looked similar to this:

Subject="CN=server4.childdom.microsoft.com,OU=Intel(R) Client Setup Certificate,O=Microsoft,L=Shanghai,c=CN"
To request and install the AMT provisioning certificate from an external certification authority

1. On the member server, create a folder to contain your certificate files.

2. Open Notepad, or a similar text file of your choice. Copy and paste the following text into the file:

[NewRequest]
Subject="CN=<server_name_FQDN),OU=Intel(R) Client Setup Certificate, O=<organization>,L=<locality>,c=<country>" 
KeyLength = 2048 
; Supported key sizes are 1024, 1536, and 2048
Exportable = TRUE 
MachineKeySet = TRUE 
RequestType = PKCS10 
[RequestAttributes]
CertificateTemplate = ConfigMgrAMTProvisioning

        

3. Save the file with the name amtprovisioning.inf, and save it in the certificates folder that you created.

4. Open a command window in the certificates folder that you created, type the following command, and then press Enter:

certreq -new amtprovisioning.inf amtprovisioning.req

5. Submit this certificate request file to the external CA, using any instructions that they provide.

6. When you receive the AMT provisioning certificate from the CA, it is likely to be in an email format. If they do not include their own instructions for processing their certificate response, use the following instructions:

  • If they emailed you a file named amtprovisioning.cer as an attachment, save this file into the certificates folder that you created on the member server.
  • If they emailed you base-64 encoded text to be copied, create an empty text file called amtprovisioning.cer in the same folder on the member server. Then paste the base-64 encoded text into it and save the file amtprovisoning.cer.

    Note: It is also possible that the certificate response file includes the certificate chain, as well as the certificate itself. When this is the case, the extension of the file will be .p7b rather than .cer

7. Open a command window in the certificates folder that you created, type the following command, and then press Enter:
certreq -accept amtprovisioning.cer

At this point, the AMT provisioning certificate from the public CA is now installed and is ready to be prepared for the out of band management component.  You can confirm this by opening the Certificates MMC and checking the certificates in the Computer store, Personal.  You should see there the certificate with the FQDN of the computer and Server Authentication listed under the Intended Purpose column.  If you double-click this certificate and then click the Details tab, you can also verify the Subject value contains the OU string of Intel(R) Client Setup Certificate.

Resume the step-by-step instructions and move onto the section "Preparing the AMT Provisioning Certificate for the Out of Band Management Component."

Note: This information was originally contributed by Carol Bailey on the Configuration Manager Team blog:

http://blogs.technet.com/configmgrteam/archive/2009/02/25/requesting-an-amt-provisioning-certificate-with-windows-server-2008-ca.aspx