Configure PKI Web Server Certificates for each Management Controller
Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™
• There are three types of certificates used for Intel vPro client provisioning and management within ConfigMgr 2007 SP2
  • Intel® AMT Self Signed Certificate
    • Used during PKI provisioning to secure the connection
    • Transparent to the process
  • Intel® AMT Provisioning Certificate
    • Used for Remote Configuration authentication by the Out of Band Service Point
    • Can be generated from the internal PKI infrastructure or purchased from a 3rd party CA (VeriSign*, GoDaddy*, Comodo, Starfield)
    • A provisioning certificate generated from the internal PKI environment:
      • Requires the internal root hash to be imported into the MEBx
      • Requires DHCP Option 15 to be set to support "Zero Touch" configuration
  • Intel® AMT Web Server Certificate
    • Used by the management console to secure the connection to the Intel AMT client
    • Issued to the Intel AMT client during the provisioning process
    • ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft Enterprise CA
    • PKI certificate key sizes <= 2048 bits
Enterprise CA & Provision Certificate Configuration
• Assumes that a Microsoft Enterprise CA exists and is already configured
• Two certificates required: Intel® AMT Provisioning Certificate and Intel AMT TLS Web Server Certificate
• Intel AMT Provisioning Certificate (used for provisioning)
  • Determine whether it will be purchased from a 3rd party or generated internally
    • 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield)
      • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1
    • Self generated from the internal PKI infrastructure
      • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2
  • Export the certificate for ConfigMgr 2007 SP2 / WS-MAN Translator in a later configuration step
    • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3
• Web Server Certificate (Intel AMT TLS certificate used for securely managing vPro)
  • Create a new Web Server template
  • Recommended certificate name: ConfigMgr AMT Web Server Certificate
  • The primary site server computer account (ConfigMgr 2007 SP2 server) must have Read/Enroll permissions
  • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver
• 802.1x RADIUS Certificate (optional, for 802.1x networks)
  • Create a new RADIUS client template for the 802.1x network
  • Allows AMT to securely authenticate to an 802.1x network without an OS present
  • Recommended certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate
  • Ensure you select Supply in the request to provide the Subject Name
  • The primary site server computer account (ConfigMgr 2007 SP2 server) must have Read/Enroll permissions
  • http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate
Configure PKI Web Server Certificate Template
• Open your issuing Certificate Authority PKI server: click Start > Programs > Administrative Tools > Certification Authority
• Expand DC1.vprodemo.com
  • Note: This is a Microsoft Enterprise Certificate Authority; standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™
• Right click on Certificate Templates > Manage
Configure PKI Web Server Certificate Template
• In the Certificate Templates Console, in the right hand window pane, right click on Web Server and select Duplicate Template
• In the Duplicate Template window:
  • Select the radio button for Windows 2003 Server, Enterprise Edition
  • Click OK
• In the Properties of New Template window, on the General tab:
  • Enter ConfigMgr AMT Web Server Certificate
• Proceed to the next foil to set security rights on this template
Apply Security Permission to Web Server Certificate Template
• In the Properties of New Template window, click the Security tab
• Click Add
• Select the ConfigMgr Primary Site Servers group
• Click OK
• With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
• Click OK
• Close the Certificate Templates Console
Issue Web Server Certificate Template
• In the Certification Authority window, right click on Certificate Templates > New > Certificate Template to Issue
• In the Enable Certificate Templates window, select ConfigMgr AMT Web Server Certificate (the template created in the previous step)
• Click OK
Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2
• In the Certification Authority window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand window, ready for use by the Out of Band Service Point
• Note: ConfigMgr 2007 SP2 uses this Web Server template to generate a unique certificate for each Intel® AMT system during the provisioning process; that certificate is then used for the TLS session during management of Intel AMT.
Configure RADIUS Client Certificate Template
• Open your issuing Certificate Authority PKI server: click Start > Programs > Administrative Tools > Certification Authority
• Expand DC1.vprodemo.com
• Right click on Certificate Templates > Manage
Configure RADIUS Client Certificate Template
• In the Certificate Templates Console, in the right hand window pane, right click on Workstation Authentication and select Duplicate Template
• In the Duplicate Template window:
  • Select the radio button for Windows 2003 Server, Enterprise Edition
  • Click OK
• In the Properties of New Template window:
  • General tab: enter ConfigMgr AMT 802.1X Client Authentication Certificate
  • Subject Name tab: select Supply in the request
  • Click OK in the warning message
• Proceed to the next foil to set security rights on this template
Apply Security Permission to ConfigMgr AMT 802.1X Client Authentication Certificate Template
• In the Properties of New Template window, click the Security tab
• Click Add
• Select the ConfigMgr Primary Site Servers group
• Click OK
• With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll
• Click OK
• Close the Certificate Templates Console
Issue RADIUS Client Certificate Template
• In the Certification Authority window, right click on Certificate Templates > New > Certificate Template to Issue
• In the Enable Certificate Templates window, select ConfigMgr AMT 802.1X Client Authentication Certificate (the template created in the previous step)
• Click OK
RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2
• In the Certification Authority window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right hand window, ready for use by the Out of Band Service Point
• Note: ConfigMgr 2007 SP2 uses this certificate template to generate a unique certificate for each Intel® AMT system, stored in the firmware during the provisioning process; it allows vPro systems to authenticate to an 802.1x network while the OS is in a sleep/off state.
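A check that the two templates came out as the foils above describe, written here as an added example (not part of the original deck or of ConfigMgr). It reads the templates and the CA's published-template list from the Configuration partition with the ActiveDirectory module and assumes the names used in the foils (group ConfigMgr Primary Site Servers, the two template display names); the expected EKU OIDs are those carried by the Web Server and Workstation Authentication base templates that were duplicated.

```powershell
Import-Module ActiveDirectory

$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$TplBase    = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$EnrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
$Group      = 'ConfigMgr Primary Site Servers'                 # group granted Read/Enroll in the foils (assumed name)
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right = the "Enroll" checkbox
$SupplyFlag = 1                                                 # msPKI-Certificate-Name-Flag bit for "Supply in the request"

# Template display name -> EKU inherited from the duplicated base template, and whether Subject must be supplied
$Expected = @{
  'ConfigMgr AMT Web Server Certificate'                   = @{ Eku = '1.3.6.1.5.5.7.3.1'; Supply = $false }  # Server Authentication
  'ConfigMgr AMT 802.1X Client Authentication Certificate' = @{ Eku = '1.3.6.1.5.5.7.3.2'; Supply = $true  }  # Client Authentication
}

# Templates the enterprise CA(s) actually issue ("Certificate Template to Issue" step)
$Published = Get-ADObject -SearchBase $EnrollBase -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates }

foreach ($name in $Expected.Keys) {
    $tpl = Get-ADObject -SearchBase $TplBase -Filter "displayName -eq '$name'" `
             -Properties cn, pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Minimal-Key-Size'
    if (-not $tpl) { Write-Warning "Template '$name' not found in AD"; continue }

    # ACL on the template object: the Security tab of the template maps to these ACEs
    $acl    = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    $grpAce = $acl.Access | Where-Object { $_.IdentityReference -like "*\$Group" -and $_.AccessControlType -eq 'Allow' }
    $read   = [bool]($grpAce | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|GenericAll' })
    $enroll = [bool]($grpAce | Where-Object { $_.ObjectType -eq $EnrollGuid -or $_.ActiveDirectoryRights -match 'GenericAll' })
    $flags  = [int]$tpl.'msPKI-Certificate-Name-Flag'

    [pscustomobject]@{
        Template        = $name
        PublishedOnCA   = $Published -contains $tpl.cn                        # listed under Certificate Templates in the CA
        HasExpectedEKU  = $tpl.pKIExtendedKeyUsage -contains $Expected[$name].Eku
        SupplyInRequest = (($flags -band $SupplyFlag) -ne 0) -eq $Expected[$name].Supply
        KeySizeOK       = [int]$tpl.'msPKI-Minimal-Key-Size' -le 2048        # deck: key sizes <= 2048 bits
        GroupCanRead    = $read
        GroupCanEnroll  = $enroll
    }
}
```

Any row showing $false points back at the foil for that setting: PublishedOnCA to "Certificate Template to Issue", GroupCanRead/GroupCanEnroll to the Security tab, SupplyInRequest to the Subject Name tab of the 802.1X template.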
Configure Root CA to Allow Revocation of Client Management Controller Certificates
• In the Certification Authority window, right click on DC1.vprodemo.com and select Properties
• In the DC1.vprodemo.com Properties window, select the Security tab
• Click Add
Configure Root CA to Allow Revocation of Client Management Controller Certificates
• Add the ConfigMgr Primary Site Servers group
• Click OK
• Select the ConfigMgr Primary Site Servers group
• Check Allow for the Issue and Manage Certificates and Request Certificates permissions for this group
• Click OK
• Note: This setting is required when you perform actions such as unprovisioning a Management Controller. It allows ConfigMgr to revoke the PKI-issued certificates so they do not remain valid after the controller is unprovisioned.