This step-by-step example contains procedures that guide you through the process of creating and deploying the public key infrastructure (PKI) certificates that Configuration Manager 2007 SP1 and later requires for out of band management and AMT. For more information about out of band management in Configuration Manager, see Overview of Out of Band Management.

Note
The information in this topic applies only to Configuration Manager 2007 SP1 and later.

The procedures in this example use Microsoft Certificate Services, using Windows Server 2003, Enterprise Edition with an enterprise certification authority (CA) and certificate templates. The steps are appropriate for a test network only, as a proof of concept.

Because there is no single method of deployment for the required certificates, you will need to consult your particular PKI deployment documentation for the necessary procedures and best practices to deploy the required certificates for a production environment. For more information about the certificate requirements for AMT and out of band management, see Certificate Requirements for Out of Band Management.

Important
AMT provisioning in Configuration Manager 2007 SP1 and later requires Microsoft Certificate Services, using an enterprise CA and certificate templates. For more information about the certificate deployment requirements and usage, see About Certificates for Out of Band Management.

In This Section

Test Network Requirements

The example has the following requirements:

  • The test network is running Active Directory Domain Services with Microsoft Windows Server 2003, and it is installed as a single domain, single forest.

  • You have a domain controller running Windows Server 2003 Enterprise Edition, Service Pack 2, which has the following items installed on it:

    • Internet Information Services (IIS).

    • Certificate Services installed as an enterprise root CA.

      Note
      Ensure that IIS is installed before installing Certificate Services so that Web enrollment is configured.
  • You have one computer that has Windows Server 2003 (Standard Edition or Enterprise Edition) Service Pack 1 installed on it and designated as a member server.

  • You can log in with a root domain administrator account or an enterprise domain administrator account and use this account for all the procedures in this example deployment.

Overview

PKI certificates must be prepared and installed prior to managing computers out of band in Configuration Manager 2007. This example provides the steps to deploy the certificates required for provisioning computers for AMT so that they can be managed out of band. For more information about configuration of for out of band management, see Configuring Out of Band Management.

The following table lists the PKI certificates that are required for managing AMT computers out of band and describes how they are used in a Configuration Manager 2007 SP1 or later site.

Certificate Requirement Certificate Description

AMT provisioning certificate

This certificate is used to prepare AMT-based computers for out of band management by Configuration Manager 2007 SP1.

For more information about AMT provisioning, see About AMT Provisioning for Out of Band Management.

Web server certificate

This certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers.

After this certificate is installed, it authenticates the AMT-based computers to the out of band service point site system server and to computers running the out of band management console, and encrypts all data transferred between them using Transport Layer Security (TLS).

Client authentication certificate

Applicable to Configuration Manager 2007 SP2 only: If you will manage AMT-based computers out of band when they are on an 802.1X authenticated wired or wireless connection, this might require the use of a client authentication certificate (required with EAP-TLS authentication and optional with EAP-TTLS/MSCHAPv2 and PEAPv0/EAP-MSCHAPv2 authentication methods). This certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers.

After this certificate is installed, it is used to authenticate the AMT-based computer to the RADIUS server so that it can be authenticated and authorized for network access.

For more information about the certificates, see Certificate Requirements for Out of Band Management.

Follow the steps in this example to achieve the following goals:

  • Create Windows security groups to be used with the certificate templates.

  • Request, install, and prepare the AMT provisioning certificate.

  • Prepare Web server certificates by configuring a certificate template on the issuing CA.

  • Applicable to Configuration Manager 2007 SP2 only: Prepare client authentication certificates for use with 802.1X client authentication by configuring a certificate template on the issuing CA.

Creating Windows Security Groups for the Site System Servers

Use the following procedure to create Windows security groups for the site system servers. These security groups will be used to help ensure that only the required servers can use the two certificate templates required for AMT provisioning.

To create Windows security groups for the site system servers

  1. On the domain controller, click Start, Programs, Administrative Tools, Active Directory Users and Computers.

  2. Right-click the domain, click New, and then click Group.

  3. In the New Object – Group dialog box, enter ConfigMgr Primary Site Servers as the Group name, and then click OK.

  4. In Directory Users and Computers, right-click the group you have just created, and then click Properties.

  5. Click the Members tab, and then click Add to select the member server.

  6. Click OK, and then click OK again to close the group properties dialog box.

  7. Repeat steps 2 through 6, this time naming the group ConfigMgr Out of Band Service Points.

  8. Restart your member server (if running) so that it can pick up the new group membership.

    Note
    In the test environment, there is only one server to add, which will be used for both the primary site server and the out of band service point. However, in a production environment, it is likely that you will have multiple primary sites that will support out of band management and that you will install the out of band service point on a different server than the site server. It is therefore good practice to assign permissions to two groups and add all your primary site servers to one group and all your out of band service point site systems to the other group. Creating security groups for these servers enables you to assign permissions so that only these servers can request these certificates.

Requesting, Installing, and Preparing the AMT Provisioning Certificate

This step has the following procedures:

Request the provisioning certificate from your internal CA only if the AMT-based computers are configured with the certificate thumbprint of your internal root CA. For more information about choosing between an external CA and using your internal CA, see About Certificates for Out of Band Management. For help with locating your internal root certificate thumbprint, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.

Requesting and Installing the AMT Provisioning Certificate from an External Certification Authority

Important
If you have alternative instructions from the company issuing the AMT provisioning certificate, use their instructions in preference to the steps in the following procedure. This is particularly important if the issuing company cannot support the AMT provisioning object identifier and instead must use the OU attribute of Intel(R) Client Setup Certificate. You might also find detailed instructions for your chosen external CA on the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001).

To request and install the AMT provisioning certificate from an external CA

  1. On the domain controller running the Windows Server 2003 console, click Start, Programs, Administrative Tools, Certification Authority.

  2. Expand the name of your CA, and then click Certificate Templates.

  3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console.

  4. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

  5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning.

  6. Click the Request Handling tab, and select Allow private key to be exported.

  7. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

  8. In the Edit Application Policies Extension dialog box, click Add.

  9. In the Add Application Policy dialog box, click New.

  10. In the New Application Policy dialog box, type AMT Provisioning in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.

  11. Click OK, and then click OK in the Add Application Policy dialog box.

  12. Click OK in the Edit Application Policies Extension dialog box.

  13. In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning.

  14. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  15. Click Add, enter ConfigMgr Out of Band Service Points in the text box, and then click OK.

  16. Select the following Allow permissions for this group: Read and Enroll.

  17. Click OK, and close the Certificate Templates administrator console, certtmpl – [Certificate Templates].

  18. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  19. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Provisioning, and then click OK.

    Note
    If you cannot complete steps 18 or 19, check that you are using the Enterprise Edition of Windows Server 2003. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2003.

  20. Do not close Certification Authority.

  21. On the member server, load Internet Explorer and connect to the Web enrollment service with the address http://<server>/certsrv, where <server> is the name or IP address of the enterprise CA.

  22. On the Welcome page, select Request a certificate.

  23. On the Request a Certificate page, select advanced certificate request.

  24. On the Advanced Certificate Request page, select Create and submit a request to this CA.

  25. On the Advanced Certificate Request page, specify the following:

    1. Select ConfigMgr AMT Provisioning for the Certificate Template.

      Note
      If you cannot see this certificate template displayed, check that you restarted the member server (if it was running) after you configured the security group in the earlier procedure.
    2. Type the fully qualified domain name (FQDN) of the out of band service point in the Name field.

    3. Type a contact e-mail address for your company in the E-Mail field.

    4. Type the name of your company in the Company field.

    5. Type the name of your company's department in the Department field.

    6. Type your company's city name in the City field.

    7. Type your company's state (full name or abbreviation) in the State field.

    8. Type your company's country code and region in the Country/Region field.

    9. Under the section Key Options, enable Store certificate in the local computer certificate store.

    10. Under the section Additional Options, click PKC10, click Save request to file, and then type in the full path and name for the offline certificate request file, such as C:\certreq_amt_<servername>.txt, where <servername> is the host name of the out of band service point.

    11. Type your choice of name for Friendly Name, such as ConfigMgr AMT Provisioning Certificate for <FQDN>, where <FQDN> is the fully qualified name of the out of band service point.

  26. Click Save.

  27. Click Yes when prompted in the Potential Scripting Violation dialog box.

  28. Click Yes when prompted in the Certificate Enrollment dialog box.

  29. Click OK to confirm that the request was saved to file.

  30. Exit Internet Explorer.

  31. Send the file to the external CA using any instructions that they provide.

  32. When you receive the AMT provisioning certificate from the CA, it is likely to be in an e-mail format. Copy the text and paste it into Notepad, saving the file with a .p7b extension. Make sure that you can access the file from the member server.

  33. On the member server, click Start, click Run, type MMC in the Run dialog box, and then click OK.

  34. In the empty console, click File, and then click Add/Remove Snap-in.

  35. In the Add or Remove Snap-ins dialog box, click Add.

  36. Select Certificates from Available snap-ins, and then click Add.

  37. In the Certificates snap-in dialog box, click Computer account, and then click Next.

  38. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

  39. In the Add Standalone Snap-in dialog box, click Close.

  40. In the Add or Remove Snap-ins dialog box, click OK.

  41. In the console, expand Certificates (Local Computer).

  42. Expand Personal, and then right-click Certificates.

  43. Click All Tasks, and click Import.

  44. In the Welcome to the Certificate Import Wizard page, click Next,

  45. On the File to Import page, click Browse to navigate to the saved file with the .p7b extension, and then click Next.

  46. Select Place all certificates in the following store, click Next, and then click Finish.

  47. Press F5 to refresh, and you should now see the provisioning certificate displayed.

  48. Do not close Certificates (Local Computer).

The AMT provisioning certificate from an external CA is now installed and is ready to be prepared for the out of band management component.

Requesting and Installing the AMT Provisioning Certificate from an Internal CA

To request and install the AMT provisioning certificate from an internal CA

  1. On the domain controller running the Windows Server 2003 console, click Start, Programs, Administrative Tools, Certification Authority.

  2. Expand the name of your CA, and then click Certificate Templates.

  3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console.

  4. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

  5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning.

  6. Click the Request Handling tab, and select Allow private key to be exported.

  7. Click the Subject Name tab, select Build from this Active Directory information, and then select Common name.

  8. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

  9. In the Edit Application Policies Extension dialog box, click Add.

  10. In the Add Application Policy dialog box, click New.

  11. In the New Application Policy dialog box, type AMT Provisioning in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.

  12. Click OK, and then click OK in the Add Application Policy dialog box.

  13. Click OK in the Edit Application Policies Extension dialog box.

  14. In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning.

  15. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  16. Click Add, enter ConfigMgr Out of Band Service Points in the text box, and then click OK.

  17. Select the following Allow permissions for this group: Read and Enroll.

  18. Click OK, and close the Certificate Templates administrator console, certtmpl – [Certificate Templates].

  19. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  20. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Provisioning, and then click OK.

    Note
    If you cannot complete steps 19 or 20, check that you are using the Enterprise Edition of Windows Server 2003. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2003.

  21. Do not close Certification Authority.

  22. On the member server, click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

  23. In the Add/Remove Snap-in dialog box, click Add, click Certificates, and then click Add.

  24. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  25. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

  26. In the Add Standalone Snap-in dialog box, click Close.

  27. In the Add/Remove Snap-in dialog box, click OK.

  28. In the console that now displays Certificates (Local Computer), expand Certificates (Local Computer), and then click Personal.

  29. Right-click Certificates, click All Tasks, and then click Request New Certificate.

  30. On the Welcome to the Certificate Request Wizard page, click Next.

  31. On the Certificates Type page, select ConfigMgr AMT Provisioning from the list of displayed certificates, and then click Next.

    Note
    If you cannot see this certificate template displayed, check that you restarted the member server (if it was running) after you configured the security group in the earlier procedure.

  32. On the Certificate Friendly Name and Description page, optionally enter a friendly name and description to help you identify this certificate, and then click Next.

  33. On the Completing the Certificate Request Wizard page, click Finish.

  34. You should see the Certificate Request Wizard dialog box informing you that the certificate request was successful. Click OK.

  35. You should now see the provisioning certificate displayed.

  36. Do not close Certificates (Local Computer).

The AMT provisioning certificate from your internal CA is now installed and is ready to be prepared for the out of band management component.

Preparing the AMT Provisioning Certificate for the Out of Band Management Component

To prepare the AMT provisioning certificate for the out of band management component

  1. In Certificates (Local Computer) running on the member server, right-click the provisioning certificate, click All Tasks, and then click Export.

  2. In the Certificate Export Wizard, click Next.

  3. On the Export Private Key page, select Yes, export the private key, and then click Next.

  4. On the Export File Format page, ensure that Personal Information Exchange - PKCS #12 (.PFX) is selected, and then select Include all certificates in the certificate path if possible.

  5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  6. Click Next, and on the File to Export page, specify the path and name of the file that you want to export, and then click Next.

  7. Click Finish in the Completing the Certificate Export Wizard page, and then click OK in the Certificate Export Wizard dialog box.

  8. Store the file securely, and ensure that you can access it from the Configuration Manager console.

The AMT provisioning certificate is now ready to be configured for the out of band management component. For more information, see How to Configure AMT Provisioning.

Preparing the Web Server Certificates for AMT-Based Computers

Use the following procedure to prepare the Web server certificates for AMT-based computers.

To create and issue the Web server certificate template on the CA

  1. On the domain controller running the Certification Authority management console, right-click Certificate Templates, and click Manage to load the Certificate Templates management console.

  2. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

  3. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Web certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT Web Server Certificate.

  4. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  5. Click Add, enter ConfigMgr Primary Site Servers in the text box, and then click OK.

  6. Select the following Allow permissions for this group: Read, Enroll, and Autoenroll.

  7. Click OK, and close the Certificate Templates management console, certtmpl – [Certificate Templates].

  8. In the Certification Authority management console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  9. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Web Server Certificate, and then click OK.

  10. Close Certification Authority.

The AMT Web server certificate template is now ready to provision AMT computers with Web server certificates.

Preparing the Client Authentication Certificates for 802.1X AMT-Based Computers

For Configuration Manager 2007 SP2 only: If you will use client certificates for 802.1X authenticated wired or wireless networks, use the following procedure to prepare the client authentication certificates for AMT-based computers.

To create and issue the client authentication certificate template on the CA

  1. On the domain controller running the Certification Authority management console, right-click Certificate Templates, and click Manage to load the Certificate Templates management console.

  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

  3. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT 802.1X Client Authentication Certificate.

  4. Click the Subject Name tab, and then click Supply in the request.

  5. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  6. Click Add, enter ConfigMgr Primary Site Servers in the text box, and then click OK.

  7. Select the following Allow permissions for this group: Read and Enroll.

  8. Click OK, and close the Certificate Templates management console, certtmpl – [Certificate Templates].

  9. In the Certification Authority management console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  10. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT 802.1X Client Authentication Certificate, and then click OK.

  11. Close Certification Authority.

The client authentication certificate template is now ready to issue certificates to AMT-based computers that can be used for 802.1X client authentication.

See Also