intel confidential 1 configure pki web server certificates for each management controller
Post on 19-Dec-2015
228 views
TRANSCRIPT
Intel Confidential
2
Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™
• There are three types of Certificates that are used in association to Intel vPro client provisioning and management within ConfigMgr 2007 SP2• Intel® AMT Self Signed Certificate
• Used during PKI provisioning to secure the connection• Transparent to process
• Intel® AMT Provisioning Certificate• Used for Remote Configuration authentication by the Out of Band Service Point• Can be generated from Internal PKI Infrastructure or purchased from 3rd Party
CA (VeriSign*, GoDaddy*, Comodo, Starfield)• Provisioning certificate can be generated from internal PKI environment
• Require Internal Root hash to be imported into the MEBx• Requires Option 15 set on DHCP to support “Zero Touch” Configuration
• Intel® AMT Web Server Certificate• Used to secure a connection to Intel AMT client by the management console• Issued to the Intel AMT client during the provisioning process• ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft
Enterprise CA• PKI certificate key sizes <=2048-bits
Intel Confidential
3
Enterprise CA & Provision Certificate Configuration
• Assumes that a Microsoft Enterprise CA exists and is already configured• Two Certificates Required: Intel® AMT Provisioning & Intel AMT TLS Web Server Cert• Intel AMT Provisioning Certificate (Used for Provisioning)
• Determine 3rd party or Self Generated• 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield)
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1• Self Generated from Internal PKI infrastructure
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2• Export Cert for ConfigMgr 2007 SP2 / WS-MAN Translator in later configuration step
• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3• Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro)
• Create New Web server Template• Recommend certificate name: ConfigMgr AMT Web Server Certificate• Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll
permissions• http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver
• 802.1x RADIUS Certificate (Optional for 802.1x networks)• Create New RADIUS Client Template for 802.1x network• Allows AMT to securely authenticate to an 802.1x network without an OS present
• Recommend certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate• Ensure you select Supply in the request to provide the Subject Name• Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll
permissions• http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate
Intel Confidential
4
Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority
Expand DC1.vprodemo.com
Note: This is a Microsoft Enterprise Certificate Authority, Standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™
Right Click on Certificate Templates > Manage
Configure PKI Web Server Certificate Template
Intel Confidential
5
In the Certificate Templates Console on the right hand window pane, right click on Web Server and select Duplicate Template
In the Duplicate Template Window
Select the radio button for Windows 2003 Server, Enterprise Edition
Click OK
In the Properties of New Template Window on the General Tab:
Enter ConfigMgr AMT Web Server Certificate
Proceed to next foil to set security rights on this template
Configure PKI Web Server Certificate Template
Intel Confidential
6
In the Properties of New Template window, click the Security tab
Click Add
Select ConfigMgr Primary Site Servers group
Click OK
With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
Click OK
Close the Certificate Templates Console
Apply Security Permission to Web Server Certificate Template
Intel Confidential
7
In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue
In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template created in the previous step)
Click OK
Issue Web Server Certificate Template
Intel Confidential
8
In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand window and ready for use by the Out of Band Service Point
Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system during the provisioning process and used for TLS session during management of Intel AMT.
Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2
Intel Confidential
9
Open your Certificate Authority issuing PKI Server - Click Start > Programs > Administrator Tools > Certification Authority
Expand DC1.vprodemo.com
Right Click on Certificate Templates > Manage
Configure RADIUS Client Certificate Template
Intel Confidential
10
In the Certificate Templates Console on the right hand window pane, right click on Workstation Authentication and select Duplicate Template
In the Duplicate Template Window
Select the radio button for Windows 2003 Server, Enterprise Edition
Click OK
In the Properties of New Template Window
General Tab:
Enter ConfigMgr AMT 802.1X Client Authentication Certificate
Subject Name Tab:
Select Supply in the request
Click OK in the warning message
Proceed to next foil to set security rights on this template
Configure RADIUS Client Certificate Template
Intel Confidential
11
In the Properties of New Template window, click the Security tab
Click Add
Select ConfigMgr Primary Site Servers group
Click OK
With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
Click OK
Close the Certificate Templates Console
Apply Security Permission to ConfigMgr AMT 802.1X Client Authentication Certificate Template
Intel Confidential
12
In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue
In the Enable Certificate Templates Window, select ConfigMgr AMT 802.1X Client Authentication Certificate (this template created in the previous step)
Click OK
Issue RADIUS Client Certificate Template
Intel Confidential
13
In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right hand window and ready for use by the Out of Band Service Point
Note: This Certificate Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system and stored in the firmware during the provisioning process and allow vPro systems to authenticate to an 802.1x network while OS is in a sleep/off state.
RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2
Intel Confidential
14
In the Certification Authority Window, right click on DC1.vprodemo.com and select Properties
In the DC1.vprodemo.com Properties Window, select the Security tab
Click Add
Configure Root CA to Allow Revocation of Client Management Controller Certificates
Intel Confidential
15
Add the ConfigMgr Primary Site Servers group
Click OK
Select the ConfigMgr Primary Site Servers group
Check Allow Issue and Manage Certificates and Request Certificates permissions for this group
Click OK
Note: This setting is required when you are performing actions like an unprovision of the Management Controller. This will keep your PKI Issued certificates cleaned up (revoked).
Configure Root CA to Allow Revocation of Client Management Controller Certificates