With the December 2009 documentation update for the Configuration Manager library, we posted a new step-by-step guide for out of band management, to help customers deploy the PKI certificates with a Windows Server 2008 CA (http://technet.microsoft.com/en-us/library/dd252737.aspx). One of the main differences with this guide from the equivalent step-by-step that used a Windows Server 2003 CA was that it didn't have a procedure for requesting an AMT provisioning certificate from an external (public) CA. In the Windows Server 2003 CA step-by-step, we said follow any instructions provided by the CA company; otherwise use the Web enrollment procedure to create a certificate request file.
The reason why we didn't include the Web enrollment instructions for the Windows Server 2008 guide was because the later enrollment pages no longer allow you to request a certificate for the computer store. You can request it for the User store and then export it, but this is an extra step and can untidily leave the certificate installed where it shouldn't be. It's always better to request the certificate directly from where you are going to use it.
As with the native mode step-by-step guide for Windows Server 2008, using the command-line tool, Certreq.exe, seemed the best choice if the CA company didn't provide their own instructions (usually a form from their Web site). There are many KBs that provide instructions on how to request certificates from a public CA (for example, http://support.microsoft.com/kb/321051). However, these assume that you do not have your own enterprise CA and when we tried creating the certificate request file by using Certreq.exe it failed, because it was expecting a certificate template to be supplied. The certificate template is used with our internal CA and not the public CA, so we weren't sure how much to supply in the inf file that is used to create the certificate request.
I've been working with our AMT tester, Wei Wei, to find a procedure using Certreq that successfully requested and installed an AMT provisioning certificate from VeriSign. This certificate then successfully provisioned our AMT-based computers, so we knew that the certificate was correct. Bear in mind that this certificate request method is not VeriSign's usual method to request a certificate, and we were using it more as a proof of concept. If your chosen CA company does not supply their own instructions or you are having problems with this, following this example might be helpful.
These steps assume that you're following the step-by-step guide and have previously created the security group and certificate templates. Note that because VeriSign does not support the Intel AMT provisioning OID, this certificate request uses the alternative method of supplying the OU attribute of "Intel(R) Client Setup Certificate".
You can put more options into the .inf file than our example, but we were looking for the minimum that had to be specified in order for the certificate to work. It needs the following:
And as we've discussed before, this file also needs to reference a certificate template on your internal CA or the certificate request will fail.
You must supply your own values in the Subject= line. Ours looked similar to this:
Subject="CN=server4.childdom.microsoft.com,OU=Intel(R) Client Setup Certificate,O=Microsoft,L=Shanghai,c=CN"
1. On the member server, create a folder to contain your certificate files.
2. Open Notepad, or a similar text file of your choice. Copy and paste the following text into the file:
[NewRequest] Subject="CN=<server_name_FQDN),OU=Intel(R) Client Setup Certificate, O=<organization>,L=<locality>,c=<country>" KeyLength = 2048 ; Supported key sizes are 1024, 1536, and 2048 Exportable = TRUE MachineKeySet = TRUE RequestType = PKCS10 [RequestAttributes] CertificateTemplate = ConfigMgrAMTProvisioning
[NewRequest]
Subject="CN=<server_name_FQDN),OU=Intel(R) Client Setup Certificate, O=<organization>,L=<locality>,c=<country>"
KeyLength = 2048
; Supported key sizes are 1024, 1536, and 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = ConfigMgrAMTProvisioning
3. Save the file with the name amtprovisioning.inf, and save it in the certificates folder that you created.
4. Open a command window in the certificates folder that you created, type the following command, and then press Enter:
certreq -new amtprovisioning.inf amtprovisioning.req
5. Submit this certificate request file to the external CA, using any instructions that they provide.
6. When you receive the AMT provisioning certificate from the CA, it is likely to be in an email format. If they do not include their own instructions for processing their certificate response, use the following instructions:
7. Open a command window in the certificates folder that you created, type the following command, and then press Enter: certreq -accept amtprovisioning.cer
At this point, the AMT provisioning certificate from the public CA is now installed and is ready to be prepared for the out of band management component. You can confirm this by opening the Certificates MMC and checking the certificates in the Computer store, Personal. You should see there the certificate with the FQDN of the computer and Server Authentication listed under the Intended Purpose column. If you double-click this certificate and then click the Details tab, you can also verify the Subject value contains the OU string of Intel(R) Client Setup Certificate.
Resume the step-by-step instructions and move onto the section "Preparing the AMT Provisioning Certificate for the Out of Band Management Component."
Note: This information was originally contributed by Carol Bailey on the Configuration Manager Team blog:
http://blogs.technet.com/configmgrteam/archive/2009/02/25/requesting-an-amt-provisioning-certificate-with-windows-server-2008-ca.aspx
Ed Price - MSFT edited Original. Comment: Title casing