1 / 15

Configure PKI Web Server Certificates for each Management Controller

Configure PKI Web Server Certificates for each Management Controller . Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™. There are three types of Certificates that are used in association to Intel vPro client provisioning and management within ConfigMgr 2007 SP2

irving
Download Presentation

Configure PKI Web Server Certificates for each Management Controller

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Configure PKI Web Server Certificates for each Management Controller

  2. Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™ • There are three types of Certificates that are used in association to Intel vPro client provisioning and management within ConfigMgr 2007 SP2 • Intel® AMT Self Signed Certificate • Used during PKI provisioning to secure the connection • Transparent to process • Intel® AMT Provisioning Certificate • Used for Remote Configuration authentication by the Out of Band Service Point • Can be generated from Internal PKI Infrastructure or purchased from 3rd Party CA (VeriSign*, GoDaddy*, Comodo, Starfield) • Provisioning certificate can be generated from internal PKI environment • Require Internal Root hash to be imported into the MEBx • Requires Option 15 set on DHCP to support “Zero Touch” Configuration • Intel® AMT Web Server Certificate • Used to secure a connection to Intel AMT client by the management console • Issued to the Intel AMT client during the provisioning process • ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft Enterprise CA • PKI certificate key sizes <=2048-bits

  3. Enterprise CA & Provision Certificate Configuration • Assumes that a Microsoft Enterprise CA exists and is already configured • Two Certificates Required: Intel® AMT Provisioning & Intel AMT TLS Web Server Cert • Intel AMT Provisioning Certificate (Used for Provisioning) • Determine 3rd party or Self Generated • 3rd Party CA (VeriSign*, Go Daddy*, Comodo, Starfield) • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning1 • Self Generated from Internal PKI infrastructure • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2 • Export Cert for ConfigMgr 2007 SP2 / WS-MAN Translator in later configuration step • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning3 • Web Server Certificate (Intel AMT TLS Cert used for securely managing vPro) • Create New Web server Template • Recommend certificate name: ConfigMgr AMT Web Server Certificate • Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions • http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTwebserver • 802.1x RADIUS Certificate (Optional for 802.1x networks) • Create New RADIUS Client Template for 802.1x network • Allows AMT to securely authenticate to an 802.1x network without an OS present • Recommend certificate name: ConfigMgr AMT 802.1X Client Authentication Certificate • Ensure you select Supply in the request to provide the Subject Name • Primary site server computer account (ConfigMgr 2007 SP2 Server) must have Read/Enroll permissions • http://technet.microsoft.com/en-us/library/cc431417.aspx#BKMK_AMTClientCertificate

  4. Configure PKI Web Server Certificate Template • Open your Certificate Authority issuing PKI Server - Click Start > Programs> Administrator Tools > Certification Authority • Expand DC1.vprodemo.com • Note: This is a MicrosoftEnterprise Certificate Authority, Standalone CAs are not supported with ConfigMgr 2007 SP2 for Intel® vPro™ • Right Click on Certificate Templates > Manage

  5. Configure PKI Web Server Certificate Template • In the Certificate Templates Console on the right hand window pane, right click on Web Server and select Duplicate Template • In the Duplicate Template Window • Select the radio button for Windows 2003 Server, Enterprise Edition • Click OK • In the Properties of New Template Window on the General Tab: • Enter ConfigMgr AMT Web Server Certificate • Proceed to next foil to set security rights on this template

  6. Apply Security Permission to Web Server Certificate Template • In the Properties of New Template window, click the Security tab • Click Add • Select ConfigMgr Primary Site Servers group • Click OK • With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll • ClickOK • Close the Certificate Templates Console

  7. Issue Web Server Certificate Template • In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue • In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template created in the previous step) • Click OK

  8. Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2 • In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand window and ready for use by the Out of Band Service Point • Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system during the provisioning process and used for TLS session during management of Intel AMT.

  9. Configure RADIUS Client Certificate Template • Open your Certificate Authority issuing PKI Server - Click Start > Programs> Administrator Tools > Certification Authority • Expand DC1.vprodemo.com • Right Click on Certificate Templates > Manage

  10. Configure RADIUS Client Certificate Template • In the Certificate Templates Console on the right hand window pane, right click on Workstation Authentication and select Duplicate Template • In the Duplicate Template Window • Select the radio button for Windows 2003 Server, Enterprise Edition • Click OK • In the Properties of New Template Window • General Tab: • Enter ConfigMgr AMT 802.1X Client Authentication Certificate • Subject Name Tab: • Select Supply in the request • Click OK in the warning message • Proceed to next foil to set security rights on this template

  11. Apply Security Permission to ConfigMgr AMT 802.1X Client Authentication Certificate Template • In the Properties of New Template window, click the Security tab • Click Add • Select ConfigMgr Primary Site Servers group • Click OK • With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll • ClickOK • Close the Certificate Templates Console

  12. Issue RADIUS Client Certificate Template • In the Certification Authority Window, Right Click on Certificate Templates > New > Certificate Template to Issue • In the Enable Certificate Templates Window, select ConfigMgr AMT 802.1X Client Authentication Certificate (this template created in the previous step) • Click OK

  13. RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2 • In the Certification Authority Window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right hand window and ready for use by the Out of Band Service Point • Note: This Certificate Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system and stored in the firmware during the provisioning process and allow vPro systems to authenticate to an 802.1x network while OS is in a sleep/off state.

  14. Configure Root CA to Allow Revocation of Client Management Controller Certificates • In the Certification Authority Window, right click on DC1.vprodemo.com and select Properties • In the DC1.vprodemo.com Properties Window, select the Security tab • Click Add

  15. Configure Root CA to Allow Revocation of Client Management Controller Certificates • Add the ConfigMgr Primary Site Servers group • Click OK • Select the ConfigMgr Primary Site Servers group • Check Allow Issue and Manage Certificatesand Request Certificates permissions for this group • Click OK • Note: This setting is required when you are performing actions like an unprovision of the Management Controller. This will keep your PKI Issued certificates cleaned up (revoked).

More Related