About the Intel AMT Remote Configuration feature
An Intel AMT device is prepared for remote configuration by having security
certificate hashes added to the Intel AMT firmware. There are two sources of
hashes within the Intel AMT firmware:

Certificate provider
These hashes correspond to certificates from commercial SSL certificate
providers, such as Verisign. Several of these hashes are added to the
firmware by Intel. Others can be added by the computer OEM in
partnership with commercial certificate providers. In this case, you must
request a security certificate from the certificate provider that
corresponds to the hash you want to use.

Self-provided
These hashes are based on your own root certification authority. In this
case, you issue the necessary certificate from your own certification
authority. You can use this method for evaluation of the Remote
Configuration feature in a lab environment before you purchase a
commercial certificate from a certificate provider.
The hash that you must add to the Intel AMT firmware is displayed at
the Thumbprint field of the trusted root CA certificate.
These hashes can be added to the Intel AMT firmware by an OEM (on
your request) or you can flash the firmware yourself. You can also enter
the hash into the MEBx manually, through the Setup and Configuration
> TLS PKI > Manage Certificate Hashes menu.

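The following added example (not part of the original guide or of any Symantec or Intel tooling) shows how to check that the root CA certificate you plan to use matches a hash entered in the firmware. It relies on the fact that the Windows Thumbprint field is the SHA-1 digest of the certificate's DER encoding; the function names, the sample bytes and the hash list are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_bytes(cert_file: bytes) -> bytes:
    """Return the DER encoding from a certificate file that is PEM or raw DER."""
    m = PEM_RE.search(cert_file)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return cert_file

def thumbprint(cert_file: bytes) -> str:
    """SHA-1 over the DER bytes, as uppercase hex (the Thumbprint field value)."""
    return hashlib.sha1(der_bytes(cert_file)).hexdigest().upper()

def normalize(hash_text: str) -> str:
    """Clean a hash copied from a dialog or typed by hand.

    Text copied from the Windows certificate dialog can carry spaces and an
    invisible U+200E mark; drop everything that is not a hex digit, then
    require exactly 40 hex digits so a truncated or mistyped value is rejected.
    """
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", hash_text).upper()
    if len(cleaned) != 40:
        raise ValueError("not a 40-digit SHA-1 hash: %r" % hash_text)
    return cleaned

def root_is_trusted(cert_file: bytes, firmware_hashes) -> bool:
    """True if the root certificate's thumbprint is among the firmware hashes."""
    return thumbprint(cert_file) in {normalize(h) for h in firmware_hashes}

# Constructed placeholder bytes standing in for a root CA certificate file.
# The digest covers the raw DER bytes, so no ASN.1 parsing is needed here.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

# Constructed hash list: the first entry imitates a value pasted from the
# certificate dialog (invisible mark, lowercase, spaced pairs).
_tp = thumbprint(SAMPLE_DER).lower()
PASTED = "\u200e" + " ".join(_tp[i:i + 2] for i in range(0, 40, 2))
FIRMWARE_HASHES = [PASTED, "00" * 20]

if __name__ == "__main__":
    print(thumbprint(SAMPLE_PEM), root_is_trusted(SAMPLE_PEM, FIRMWARE_HASHES))
```
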
When you power on the computer, the Intel AMT device starts sending Hello
messages to the ProvisionServer host name (OOB site server computer). As part
of the Hello message, the Intel AMT device sends all of the hashes to the
configuration server. The Out of Band Management Component authenticates to
the Intel AMT device with a certificate compatible with one of the hashed root
certificates and automatically installs PID-PPS key pairs on the Intel AMT
device (initializes the device).
The remote configuration workflow is as follows:
Configuring Intel AMT computers for out-of-band management