This step-by-step example deployment, which uses a Windows Server 2008 certification authority (CA), contains procedures that guide you through the process of creating and deploying the public key infrastructure (PKI) certificates that Configuration Manager 2007 SP1 and later requires for out of band management and AMT. For more information about out of band management in Configuration Manager, see Overview of Out of Band Management.
Note |
---|
The information in this topic applies only to Configuration Manager 2007 SP1 and later. |
The procedures in this example use Active Directory Certificate Services, using Windows Server 2008, Enterprise Edition, with an enterprise CA and certificate templates. The steps are appropriate for a test network only, as a proof of concept.
Because there is no single method of deployment for the required certificates, you will need to consult your particular PKI deployment documentation for the necessary procedures and best practices to deploy the required certificates for a production environment. For more information about the certificate requirements for AMT and out of band management, see Certificate Requirements for Out of Band Management.
Important |
---|
AMT provisioning in Configuration Manager 2007 SP1 and later requires Microsoft Active Directory Certificate Services, using an enterprise CA and certificate templates. For more information about the certificate deployment requirements and usage, see About Certificates for Out of Band Management. |
In This Section
The following sections of this example cover creating and deploying the certificates that are required for a Configuration Manager 2007 SP1 and later site to manage computers out of band:
Creating a Windows Security Group for the Out of Band Service Point Site System Servers
Requesting, Installing and Preparing the AMT Provisioning Certificate
Preparing the Web Server Certificates for AMT Computers
Preparing the Client Authentication Certificates for 802.1X AMT-Based Computers
Test Network Requirements
The example has the following requirements:
- The test network is running Active Directory
Domain Services with Windows Server 2008, and it is installed
as a single domain, single forest.
- You have a domain controller running Windows
Server 2008, Enterprise Edition, which has the following
server role installed: Active Directory Certificate Services
installed as an enterprise root CA.
- You have one computer that has Windows
Server 2008 (Standard Edition or Enterprise Edition) installed
and is designated as a member server.
- You can log in with a root domain
administrator account or an enterprise domain administrator account
and use this account for all the procedures in this example
deployment.
Overview
PKI certificates must be prepared and installed prior to managing computers out of band in Configuration Manager 2007 SP1 and later. This example provides the steps to deploy the certificates required for provisioning computers for AMT so that they can be managed out of band. For more information about configuration of Configuration Manager 2007 SP1 and later for out of band management, see Configuring Out of Band Management.
The following table lists the PKI certificates that are required for managing AMT computers out of band and describes how they are used in a Configuration Manager 2007 site.
Certificate Requirement | Certificate Description |
---|---|
AMT provisioning certificate |
This certificate is used to prepare AMT-based computers for out of band management by Configuration Manager 2007 SP1. For more information about AMT provisioning, see About AMT Provisioning for Out of Band Management. |
Web server certificate |
This certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers. After this certificate is installed, it authenticates the AMT-based computers to the out of band service point site system server and to computers running the out of band management console, and encrypts all data transferred between them using Transport Layer Security (TLS). |
Client authentication certificate |
Applicable to Configuration Manager 2007 SP2 only: If you will manage AMT-based computers out of band when they are on an 802.1X authenticated wired or wireless connection, this might require the use of a client authentication certificate (required with EAP-TLS authentication and optional with EAP-TTLS/MSCHAPv2 and PEAPv0/EAP-MSCHAPv2 authentication methods). This certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers. After this certificate is installed, it is used to authenticate the AMT-based computer to the RADIUS server so that it can be authenticated and authorized for network access. |
For more information about the certificates, see Certificate Requirements for Out of Band Management.
Follow the steps in this example to achieve the following goals:
- Create Windows security groups to be used
with the certificate templates.
- Request, install, and prepare the AMT
provisioning certificate.
- Prepare Web server certificates by
configuring a certificate template on the issuing CA.
- Applicable to Configuration Manager
2007 SP2 only: Prepare client authentication certificates for
use with 802.1X client authentication by configuring a certificate
template on the issuing CA.
Creating Windows Security Groups for the Site System Servers
Use the following procedure to create Windows security groups for the site system servers. These security groups will be used to help ensure that only the required servers can use the two certificate templates required for AMT provisioning.
To create Windows security groups for the site system servers
-
On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
-
Right-click the domain, click New, and then click Group.
-
In the New Object – Group dialog box, enter ConfigMgr Primary Site Servers as the Group name, and then click OK.
-
In Directory Users and Computers, right-click the group you have just created, and then click Properties.
-
Click the Members tab, and then click Add to select the member server.
-
Click OK, and then click OK again to close the group properties dialog box.
-
Repeat steps 2 through 6, this time naming the group ConfigMgr Out of Band Service Points.
-
Restart your member server (if running) so that it can pick up the new group membership.
Note In the test environment, there is only one server to add, which will be used for both the primary site server and the out of band service point. However, in a production environment, it is likely that you will have multiple primary sites that will support out of band management and that you will install the out of band service point on a different server than the site server. It is therefore good practice to assign permissions to two groups and add all your primary site servers to one group and all your out of band service point site systems to the other group. Creating security groups for these servers enables you to assign permissions so that only these servers can request these certificates.
Requesting, Installing, and Preparing the AMT Provisioning Certificate
This step has the following procedures:
- Requesting and installing the AMT
provisioning certificate by using only one of the following
procedures, depending on your requirements:
- Preparing the AMT Provisioning
Certificate for the Out of Band Management Component
Request the provisioning certificate from your internal CA only if the AMT-based computers are configured with the certificate thumbprint of your internal root CA. For more information about choosing between an external CA and using your internal CA, see About Certificates for Out of Band Management. For help with locating your internal root certificate thumbprint, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.
Requesting and Installing the AMT Provisioning Certificate from an External CA
Use the instructions from the company issuing the AMT provisioning certificate, which will often involve requesting the certificate from the company’s public Web site. You might also find detailed instructions for your chosen external CA on the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001).
Important |
---|
External CAs might not support the Intel AMT provisioning object identifier. When this is the case, use the alternative method of supplying the OU attribute of Intel(R) Client Setup Certificate. |
The AMT provisioning certificate from an external CA should be installed into the Computer Personal certificate store on the member server that will host the out of band service point. When this procedure is complete, it is ready to be prepared for the out of band management component.
Requesting and Installing the AMT Provisioning Certificate from an Internal CA
To request and install the AMT provisioning certificate from an internal CA
-
On the domain controller running the Windows Server 2008 console, click Start, Programs, and then click Certification Authority.
-
Expand the name of your CA, and then click Certificate Templates.
-
Right-click Certificate Templates, and then click Manage to load the Certificate Templates console.
-
In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.
-
In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
Important Do not select Windows 2008 Server, Enterprise Edition. -
In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning.
-
Click the Request Handling tab, and select Allow private key to be exported.
-
Click the Subject Name tab, select Build from this Active Directory information, and then select Common name.
-
Click the Extensions tab, make sure Application Policies is selected, and then click Edit.
-
In the Edit Application Policies Extension dialog box, click Add.
-
In the Add Application Policy dialog box, click New.
-
In the New Application Policy dialog box, type AMT Provisioning in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.
-
Click OK, and then click OK in the Add Application Policy dialog box.
-
Click OK in the Edit Application Policies Extension dialog box.
-
In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning.
-
Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
-
Click Add, enter ConfigMgr Out of Band Service Points in the text box, and then click OK.
-
Select the following Allow permissions for this group: Read and Enroll.
-
Click OK, and close the Certificate Templates console.
-
In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
-
In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Provisioning, and then click OK.
Note If you cannot complete steps 19 or 20, check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008. -
Do not close Certification Authority.
-
On the member server, click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
-
In the Add or Remove Snap-ins dialog box, select Certificates from the Available snap-ins list, and then click Add.
-
In the Certificate snap-in dialog box, select Computer account, and then click Next.
-
In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
-
In the Add or Remove Snap-ins dialog box, click OK.
-
In the console, expand Certificates (Local Computer), and then click Personal.
-
Right-click Certificates, click All Tasks, and then click Request New Certificate.
-
On the Before You Begin page, click Next.
-
If you see the Select Certificate Enrollment Policy page, click Next.
-
On the Request Certificates page, select ConfigMgr AMT Provisioning from the list of displayed certificates, and then click Enroll.
Note If you cannot see this certificate template displayed, check that you restarted the member server (if it was running) after you configured the security group in the earlier procedure. -
On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. You should now see the provisioning certificate displayed.
Do not close Certificates (Local Computer).
The AMT provisioning certificate from your internal CA is now installed and is ready to be prepared for the out of band management component.
Preparing the AMT Provisioning Certificate for the Out of Band Management Component
To prepare the AMT provisioning certificate for the out of band management component
-
In Certificates (Local Computer) running on the member server, right-click the provisioning certificate, click All Tasks, and then click Export.
-
In the Certificate Export Wizard, click Next.
-
On the Export Private Key page, select Yes, export the private key, and then click Next.
-
On the Export File Format page, ensure that Personal Information Exchange - PKCS #12 (.PFX) is selected, and then select Include all certificates in the certificate path if possible.
-
On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.
-
On the File to Export page, specify the path and name of the file that you want to export, and then click Next.
-
Click Finish in the Completing the Certificate Export Wizard page, and then click OK in the Certificate Export Wizard dialog box.
-
Store the file securely, and ensure that you can access it from the Configuration Manager console.
The AMT provisioning certificate is now ready to be configured for the out of band management component. For more information, see How to Configure AMT Provisioning.
Preparing the Web Server Certificates for AMT-Based Computers
Use the following procedure to prepare the Web server certificates for AMT-based computers.
To create and issue the Web server certificate template on the CA
-
On the domain controller running Certification Authority, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.
-
In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
-
In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
Important Do not select Windows 2008 Server, Enterprise Edition. -
In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Web certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT Web Server Certificate.
-
Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
-
Click Add, enter ConfigMgr Primary Site Servers in the text box, and then click OK.
-
Select the following Allow permissions for this group: Read, Enroll, and Autoenroll.
-
Click OK, and close the Certificate Templates console.
-
In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
-
In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Web Server Certificate, and then click OK.
-
Close Certification Authority.
The AMT Web server template is now ready to provision AMT computers with Web server certificates.
Preparing the Client Authentication Certificates for 802.1X AMT-Based Computers
For Configuration Manager 2007 SP2 only: If you will use client certificates for 802.1X authenticated wired or wireless networks, use the following procedure to prepare the client authentication certificates for AMT-based computers.
To create and issue the client authentication certificate template on the CA
-
On the domain controller running the Certification Authority management console, right-click Certificate Templates, and click Manage to load the Certificate Templates management console.
-
In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
Important Do not select Windows 2008 Server, Enterprise Edition. -
In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT 802.1X Client Authentication Certificate.
-
Click the Subject Name tab, and then click Supply in the request. Click OK in the warning dialog box for this setting.
-
Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
-
Click Add, enter ConfigMgr Primary Site Servers in the text box, and then click OK.
-
Select the following Allow permissions for this group: Read and Enroll.
-
Click OK, and close the Certificate Templates management console, certtmpl – [Certificate Templates].
-
In the Certification Authority management console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
-
In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT 802.1X Client Authentication Certificate, and then click OK.
-
Close Certification Authority.
The client authentication certificate template is now ready to issue certificates to AMT-based computers that can be used for 802.1X client authentication.