Open AMT Cloud Toolkit — Part 5: Create ACM profile

After CCM (Client Control Mode) has been confirmed working, we can now attempt to switch to ACM (Admin Control Mode) if we want to overcome the user consent requirement.

This process is more involved as it requires rolling out our own certificates and adding a hash to each client's AMT if you cannot source a certificate from a trusted authority.

If you can obtain an AMT certificate (with the 2.16.840.1.113741.1.2.3 OID) from an authority already trusted in AMT, you can skip the certificate generation part entirely, and you will not have to add the root CA hash manually on each client.

Creating keys and certificates

Create a new working directory for your keys and certificates:

mkdir amt_certs
cd amt_certs

Keys must stay private so make sure to save them in a safe and secure place.

Create root CA key and certificate

The root CA (Certificate Authority) certificate will be used to sign the leaf AMT certificate, and the root CA certificate hash will be imported into each client's AMT.

First, create an OpenSSL configuration file called AMT_root_ca.cnf with the following content:

[req]
default_bits = 2048
default_keyfile = AMT_root_ca.key
default_md = sha256
#encrypt_rsa_key = no
distinguished_name = req_distinguished_name
x509_extensions     = v3_ca
prompt = no

[req_distinguished_name]
C=<country>
ST=<state>
L=<city>
O=<organisation>
OU=Custom AMT Root CA
CN=<server FQDN>
emailAddress=<email address>

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,digitalSignature,cRLSign,keyCertSign

Replace <country>, <state>, <city>, <organisation> and <email address> with whatever suits you. The <server FQDN> should match the FQDN already used throughout these articles (set in MPS_COMMON_NAME).

Then, execute the following command to create an AMT_root_ca.key key and an AMT_root_ca.crt root CA certificate:

openssl req -x509 -config AMT_root_ca.cnf -new -out AMT_root_ca.crt -newkey rsa:2048 -keyout AMT_root_ca.key -days 3650

OpenSSL will prompt for a passphrase to encrypt the key. Generate a new passphrase and store it in a password manager; you will need it to sign the leaf certificate.

You can confirm the content of your newly created certificate with the following command:

openssl x509 -noout -text -in AMT_root_ca.crt

Giving an output similar to:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: <redacted>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = <country>, ST = <state>, L = <city>, O = <organisation>, OU = Custom AMT Root CA, CN = <server FQDN>, emailAddress = <email address>
        Validity
            Not Before: <creation date>
            Not After : <creation date + 3650 days>
        Subject: C = <country>, ST = <state>, L = <city>, O = <organisation>, OU = Custom AMT Root CA, CN = <server FQDN>, emailAddress = <email address>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: <redacted>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: <redacted>
            X509v3 Authority Key Identifier: <redacted>
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: <redacted>

In particular, make sure the key algorithm is rsaEncryption with a 2048 bit key length. AMT is not compatible with ECDSA or with other RSA key lengths.

The signature algorithm should be sha256WithRSAEncryption; sha1 is deprecated and has been removed since AMT 15.

Finally, the X509v3 extensions should contain CA:TRUE in Basic Constraints and (at least) Certificate Sign, CRL Sign in Key Usage.

An incorrect root CA certificate will either fail to import into Open AMT Cloud Toolkit (for example with a null fields error if it is ECDSA-signed), or fail during activation with CERT_VERIFY_FAILED (code 4) in AddNextCertInChain when IsRootCertificate is true.

Create leaf AMT key and certificate request

First, create an OpenSSL configuration file called amtActivation.cnf with the following content:

[req]
default_bits = 2048
default_keyfile = amtActivation.key
encrypt_rsa_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C=<country>
ST=<state>
L=<city>
O=<organisation>
OU=Intel(R) Client Setup Certificate
CN=<server FQDN>
emailAddress=<email address>

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = critical,serverAuth,2.16.840.1.113741.1.2.3
subjectKeyIdentifier = hash

Replace <country>, <state>, <city>, <organisation> and <email address> with whatever suits you. The <server FQDN> must match the FQDN already used throughout these articles (set in MPS_COMMON_NAME). This FQDN will also be injected into the client's AMT configuration as the DNS suffix used for certificate validation.

Note that Intel AMT requires either the custom OID 2.16.840.1.113741.1.2.3 in extendedKeyUsage (preferred method) or the Intel(R) Client Setup Certificate OU name (older method); we do both for good measure.

Then, execute the following command to create an amtActivation.key key and an amtActivation.csr leaf AMT certificate request:

openssl req -config amtActivation.cnf -new -out amtActivation.csr -newkey rsa:2048 -keyout amtActivation.key

Note that this key is not encrypted, so no passphrase is requested. The certificate bundle created later on will be encrypted instead.

Sign leaf AMT certificate with root CA certificate

Create an OpenSSL configuration file called amtActivationx509.cnf with the following content:

authorityKeyIdentifier = keyid,issuer:always

Execute the following command to create the leaf AMT certificate from the certificate request and sign it with the root CA certificate:

openssl x509 -req -in amtActivation.csr -CA AMT_root_ca.crt -CAkey AMT_root_ca.key -CAcreateserial -out amtActivation.crt -days 3650 -sha256 -copy_extensions copyall -extfile amtActivationx509.cnf

OpenSSL will prompt for the root CA key passphrase.

Note the use of -copy_extensions copyall, which copies the X509v3 extensions from the request into the certificate (this option exists in OpenSSL 3.0 and later). It is required to obtain the 2.16.840.1.113741.1.2.3 OID in the final certificate; without it, the leaf certificate silently loses its extendedKeyUsage.

You can confirm the content of your newly created certificate with the following command:

openssl x509 -noout -text -in amtActivation.crt

Giving an output similar to:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: <redacted>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = <country>, ST = <state>, L = <city>, O = <organisation>, OU = Custom AMT Root CA, CN = <server FQDN>, emailAddress = <email address>
        Validity
            Not Before: <creation date>
            Not After : <creation date + 3650 days>
        Subject: C = <country>, ST = <state>, L = <city>, O = <organisation>, OU = Intel(R) Client Setup Certificate, CN = <server FQDN>, emailAddress = <email address>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: <redacted>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, 2.16.840.1.113741.1.2.3
            X509v3 Subject Key Identifier: <redacted>
            X509v3 Authority Key Identifier: 
                <redacted>
                DirName:/C=<country>/ST=<state>/L=<city>/O=<organisation>/OU=Custom AMT Root CA/CN=<server FQDN>/emailAddress=<email address>
                serial:<redacted>
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: <redacted>

In particular, make sure the key algorithm is rsaEncryption with a 2048 bit key length. AMT is not compatible with ECDSA or with other RSA key lengths.

The signature algorithm should be sha256WithRSAEncryption; sha1 is deprecated and has been removed since AMT 15.

Finally, the X509v3 extensions should contain (at least) Digital Signature in Key Usage and TLS Web Server Authentication, 2.16.840.1.113741.1.2.3 in Extended Key Usage.

An incorrect leaf AMT certificate will either fail to import into Open AMT Cloud Toolkit (for example with a null fields error if it is ECDSA-signed), or fail during activation with CERT_VERIFY_FAILED (code 4) in AddNextCertInChain when IsRootCertificate is false, or with AUTH_FAILED (code 5) in AdminSetup.
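The checks listed for the root CA certificate and for the leaf certificate above can be scripted so they run before the bundle is built, rather than being discovered as an activation error on a client. The following script is an added example and is not part of the article or of Open AMT Cloud Toolkit; it assumes openssl is on PATH, and the function and file names are mine. It also prints the root certificate's SHA-256 fingerprint, on the assumption that this is the digest entered as the root hash on each client.

```shell
#!/bin/sh
# Added example (not from the article): verify AMT certificates against the rules
# stated above: RSA 2048, sha256WithRSAEncryption, CA flags and key usage, the
# Intel setup OID in the leaf EKU, and CN equal to the MPS FQDN (MPS_COMMON_NAME).
# Assumes openssl on PATH; function and file names are this example's own.
AMT_SETUP_OID="2.16.840.1.113741.1.2.3"

# amt_check_cert CERT root|leaf FQDN -> 0 if every rule holds, otherwise 1 with
# one line per violated rule.
amt_check_cert() {
    cert=$1; role=$2; fqdn=$3; rc=0
    text=$(openssl x509 -noout -text -in "$cert" 2>/dev/null) || { echo "$cert: unreadable"; return 1; }
    fail() { echo "$cert: $1"; rc=1; }
    echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || fail "key is not RSA (ECDSA is rejected)"
    echo "$text" | grep -q 'Public-Key: (2048 bit)' || fail "RSA key is not 2048 bit"
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || fail "signature is not sha256WithRSAEncryption"
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || fail "CN '$cn' does not match MPS_COMMON_NAME '$fqdn'"
    case $role in
    root)
        echo "$text" | grep -q 'CA:TRUE' || fail "Basic Constraints is not CA:TRUE"
        echo "$text" | grep -q 'Certificate Sign' || fail "Key Usage lacks Certificate Sign"
        echo "$text" | grep -q 'CRL Sign' || fail "Key Usage lacks CRL Sign"
        ;;
    leaf)
        echo "$text" | grep -q 'CA:FALSE' || fail "Basic Constraints is not CA:FALSE"
        echo "$text" | grep -q 'Digital Signature' || fail "Key Usage lacks Digital Signature"
        echo "$text" | grep -q 'TLS Web Server Authentication' || fail "EKU lacks serverAuth"
        echo "$text" | grep -q "$AMT_SETUP_OID" || fail "EKU lacks $AMT_SETUP_OID (request extensions not copied?)"
        ;;
    *) echo "role must be root or leaf"; return 1 ;;
    esac
    return $rc
}

# amt_check_chain ROOT LEAF -> 0 if LEAF verifies against ROOT, which is what
# AddNextCertInChain will check on the client during activation.
amt_check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# amt_root_hash ROOT -> SHA-256 fingerprint of the root certificate as 64 hex
# digits (assumption: the digest entered as the root hash on each client).
amt_root_hash() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2 | tr -d ':'; }

# Stand-alone usage: sh amt_check.sh AMT_root_ca.crt amtActivation.crt <server FQDN>
if [ $# -eq 3 ]; then
    amt_check_cert "$1" root "$3" && amt_check_cert "$2" leaf "$3" && amt_check_chain "$1" "$2" \
        && echo "OK; root CA hash for the client: $(amt_root_hash "$1")"
fi
```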

Create a certificate bundle

Create an amtActivation.pfx PKCS12 bundle containing the root CA certificate, the leaf AMT certificate and the leaf AMT key:

openssl pkcs12 -export -in amtActivation.crt -inkey amtActivation.key -out amtActivation.pfx -name "Intel(R) RCFG Certificate" -certfile AMT_root_ca.crt

OpenSSL will prompt for a passphrase to encrypt the bundle. Generate a new passphrase and store it in a password manager; you will need it to import the bundle into Open AMT Cloud Toolkit.

Import the certificate bundle in Open AMT Cloud Toolkit

Log in to the web UI, click on the Domains tab then click the Add New + button.

Choose a name for the configuration.

Type in the server FQDN in Domain Name. This must match the CN in the leaf AMT certificate.

Choose the amtActivation.pfx bundle to upload.

Type in the passphrase used to encrypt the bundle, then save.

Create an ACM profile

We will reuse the CIRA configuration created in part 3.

In the web UI, select the Profiles tab and click the + Add New button.

Choose a name for the profile (different from the CCM profile).

Select Admin Control Mode as the Activation Mode.

Keep all AMT Features enabled (IDE Redirect, KVM, SOL).

Choose None for User Consent.

Uncheck the Generate Random AMT Password For Each Device option. Although less secure, it is much easier to manage a single password for all devices.

Set an AMT Password and save it somewhere safe. It will be required to unenroll the device if need be.

Uncheck the Generate Random MEBX Password For Each Device option. Although less secure, it is much easier to manage a single password for all devices.

Set an MEBX Password and save it somewhere safe. It will be required to enter the MEBx UI on the device if need be.

Select your preferred network configuration, DHCP or STATIC (static IP). DHCP is highly recommended for simplicity's sake. If static IP is chosen, you can keep the IP Synchronization Enabled option enabled and install the LMS agent on the client (covered in part 4) to automatically set the IP in AMT.

Select CIRA as Connection Configuration and choose your previously created CIRA Configuration.

You can add tags as needed.

Finally, save the profile.

Enroll a client

In the next article, we will add the root CA certificate hash to a client's AMT as well as set the DNS suffix in order to enroll a client in Admin Control Mode.
