VeriSign and GoDaddy Changes to Root Certificates for vPro Provisioning
If you're preparing to configure Intel vPro Technology, and are using the remote configuration process (i.e. certificate based provisioning) - the following information may of interest.
First - keep in mind that remote configuration provides the crucial step of first authentication for a brand new system. Once Intel vPro Technology is configured - the remote configuration process for that client system is no longer needed unless the BIOS is fully reset or the system board is replaced.
Within Intel vPro platforms there are a defined list of certificate hashes from VeriSign, GoDaddy, Comodo, and Starfield. For convenience - here is the original list of certificate hashes
- VeriSign Class 3 Public Primary CA – G1 -74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2
- VeriSign Class 3 Public Primary CA – G3 - 13 2d 0d 45 53 4b 69 97 cd b2 d5 c3 39 e2 55 76 60 9b 5c c6
- Go Daddy Class 2 CA - 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
- Comodo AAA CA - d1 eb 23 a4 6d 17 d6 8f d9 25 64 c2 f1 f1 60 17 64 d8 e3 49
- Starfield Class 2 CA - ad 7e 1c 28 b0 64 ef 8f 60 03 40 20 14 c3 d0 e3 37 0e b5 8a
There is a handy tool available at http://communities.intel.com/docs/DOC-2734 for selecting the appropriate certificate.
Within the past year, VeriSign reissued their root certificate thus changing from a G1 to G2. This required a firmware update to Intel vPro for the new certificate hash to be applied to the firmware. An overview on this situation - including versions of Intel AMT firmware and full list of certificate hashes is mentioned at http://communities.intel.com/community/openportit/vproexpert/blog/2010/02/12/verisign-provisioning-certs
Thus to the list above - if a newer version of the firmware is applied to the platform - has added the VeriSIgn G2 certificate
- VeriSign Class 3 Public Primary CA – G2 (See the table in article linked above) - 85 37 1c a6 e5 50 14 3d ce 28 03 47 1b de 3a 09 e8 f8 77 0f
Another change happened when GoDaddy started issuing Premium certificates on main part of their website, instead of the Deluxe certificates needed for vPro configuration. The key difference we care about here is the root certificate hash - also called the thumbprint - as listed above. For now - GoDaddy has a process for requesting Deluxe certificates used for vPro. This is described at http://help.godaddy.com/article/5260
Lastly - I've often been asked if a trial certificate from one of the vendors can be obtained for vPro provisioning. Similarly - can an internally generated certificate be used. In both cases - the technical answer is yes with the caveat that you insert the matching certificate hash in the firmware. This might be helpful for testing purposes and I briefly mention the USBfile tool and link to a Microsoft article on how to do this (see http://www.symantec.com/connect/articles/alternative-approaches-and-tools-configuring-intel-vpro-technology). However - after you've touched and updated the hashes on a few clients, you might ask yourself a question.... why not use preshared keys (the security keys option which generates a setup.bin in the Altiris console).
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.