The certificate information in this topic for out of band management for Configuration Manager 2007 SP1 and later assumes basic knowledge of PKI certificates. For more information about Microsoft PKI solutions, see the following references:

Note
The information in this topic applies only to Configuration Manager 2007 SP1 and later.

This PKI solution requires Microsoft Certificate Services using certificate templates that are issued by an enterprise CA. Template-based certificates can be issued only by an enterprise CA running on the Enterprise Edition or on the Datacenter Edition of Windows Server 2003 or Windows Server 2008. However, do not use version 3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create certificates that are not compatible with Configuration Manager. For more information about the certificate deployment and usage, see About Certificates for Out of Band Management.

For example step-by-step configuration for these certificates, see the following:

Important
The certificate steps explained in the preceding referenced topics must be completed before you can use out of band management in a Configuration Manager 2007 SP1 or later site.

Certificates Required for Out of Band Management

The public key infrastructure (PKI) certificates required for out of band management in Configuration Manager 2007 SP1 or later are listed in the following table.

Configuration Manager Component: Out of band service point
Certificate Use: AMT Provisioning
Microsoft Certificate Template to Use: Web server (modified)

Specific Information in Certificate:

The server hosting the out of band service point site system role requires the Windows security permission of Read and Enroll for this certificate template.

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3.

The subject name field must contain the fully qualified domain name (FQDN) of the server hosting the out of band service point.

Note
If you request an AMT provisioning certificate from an external CA rather than from your own internal CA and it does not support the AMT provisioning object identifier of 2.16.840.1.113741.1.2.3, you can alternatively specify the following text string as an OU attribute in the certificate subject name: Intel(R) Client Setup Certificate. This exact text string in English must be used, in the same case, without a trailing period, and in addition to the FQDN of the server hosting the out of band service point.

SHA-1 is the only supported hash algorithm.

Supported key lengths: 1024, 1536, and 2048 bits.

This certificate resides in the Windows Personal store in the Computer certificate store of the out of band service point site system server.

How the Certificate Is Used in Configuration Manager:

This AMT provisioning certificate is used to prepare computers for out of band management. It is configured in the out of band management component and then automatically installed on the out of band service point site system server.

You must request this certificate from a CA that supplies AMT provisioning certificates, and the BIOS extension for the AMT-based computers must be configured with the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate.

VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA.

The server hosting the out of band service point must be able to chain successfully to the certificate's root CA. (The root CA certificate and intermediate CA certificate for VeriSign are installed by default with Windows.)

Configuration Manager Component: AMT-based computers
Certificate Use: Server authentication
Microsoft Certificate Template to Use: Web server

Specific Information in Certificate:

The server hosting the primary site server site system role requires the Windows security permission of Read and Enroll for this certificate template.

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The subject name field must contain the FQDN of the AMT-based computer. This value is automatically supplied by the site server, so the certificate template must be configured with the subject value of Supplied in the request.

SHA-1 is the only supported hash algorithm.

Maximum supported key length: 2048 bits.

This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not visible from Windows.

How the Certificate Is Used in Configuration Manager:

The primary site server requests this certificate for each AMT-based computer it provisions. The primary site server also revokes the certificate that it issued when AMT provisioning information is removed for AMT-based computers.

This solution requires that you have a Microsoft enterprise CA that automatically approves certificate requests from the primary site server, and that the issuing CA is configured with the Issue and Manage Certificates permission for the primary site server. The computer account for the site server must have DCOM permissions to request certificates from the issuing CA. Ensure that the site server computer is a member of the security group Certificate Service DCOM Access (for Windows Server 2008) or CERTSVC_DCOM_ACCESS (for Windows Server 2003 SP1 and later) in the domain where the issuing CA resides.

Important
When this certificate is installed on AMT-based computers, the certificate chain to the root CA is also installed. AMT-based computers cannot support CA certificates with a key length greater than 2048 bits.

After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the out of band service point site system server and to computers running the out of band management console, and encrypts all data transferred between them using Transport Layer Security (TLS).

Additional Certificate for Configuration Manager SP2 Only

If you use a client certificate for 802.1X authenticated wired or wireless networks to support out of band management on those networks, the additional PKI certificate described in the following table is required.

Configuration Manager Component: AMT-based computers
Certificate Use: Client authentication
Microsoft Certificate Template to Use: Workstation Authentication

Specific Information in Certificate:

The server hosting the primary site server site system role requires the Windows security permission of Read and Enroll for this certificate template.

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

The subject name field must contain the FQDN of the AMT-based computer. This value is automatically supplied by the site server, so the certificate template must be configured with the subject value of Supplied in the request.

Maximum supported key length: 2048 bits.

This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not visible from Windows.

How the Certificate Is Used in Configuration Manager:

The primary site server requests this certificate for each AMT-based computer it provisions and subsequently updates. The primary site server does not revoke this certificate when AMT provisioning information is removed for AMT-based computers.

This solution requires that you have a Microsoft enterprise CA that automatically approves certificate requests from the primary site server, and that the issuing CA is configured with the Issue and Manage Certificates permission for the primary site server. The computer account for the site server must have DCOM permissions to request certificates from the issuing CA. Ensure that the site server computer is a member of the security group Certificate Service DCOM Access (for Windows Server 2008) or CERTSVC_DCOM_ACCESS (for Windows Server 2003 SP1 and later) in the domain where the issuing CA resides.

After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the RADIUS server so that they can then be authorized for network access.
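The following PowerShell function is an added example, not part of the Configuration Manager documentation or product. It checks a certificate against the requirements in both tables above: the Enhanced Key Usage object identifiers, the Intel(R) Client Setup Certificate OU fallback, the FQDN in the subject name, the SHA-1 signature algorithm, the supported key lengths, and the chain to the root CA (whose thumbprint is the value the AMT BIOS extension needs). The function name Test-OobCertificate, the role names AmtProvisioning, AmtServerAuth and AmtClientAuth, and the FQDN oobsp.contoso.com are assumptions of this example; the object identifiers, hash algorithm and key lengths are the ones the tables specify.

```powershell
# Added example; not part of the Configuration Manager documentation or product.
# Role names, function name and the sample FQDN are this example's own; the
# OIDs, hash algorithm and key lengths are taken from the tables in this topic.
function Test-OobCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # AmtProvisioning = out of band service point row;
        # AmtServerAuth / AmtClientAuth = the two AMT-based computer rows
        [Parameter(Mandatory = $true)]
        [ValidateSet('AmtProvisioning', 'AmtServerAuth', 'AmtClientAuth')]
        [string]$Role,

        # FQDN of the out of band service point (AmtProvisioning) or of the
        # AMT-based computer (the other two roles)
        [Parameter(Mandatory = $true)]
        [string]$ExpectedFqdn
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Values required by the topic
    $oidServerAuth      = '1.3.6.1.5.5.7.3.1'
    $oidClientAuth      = '1.3.6.1.5.5.7.3.2'
    $oidAmtProvisioning = '2.16.840.1.113741.1.2.3'
    $oidSha1Rsa         = '1.2.840.113549.1.1.5'   # sha1RSA
    $amtOuText          = 'Intel(R) Client Setup Certificate'

    # --- Enhanced Key Usage ---
    $ekus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $requiredEku = if ($Role -eq 'AmtClientAuth') { $oidClientAuth } else { $oidServerAuth }
    if ($ekus -notcontains $requiredEku) {
        $findings.Add("Enhanced Key Usage does not contain $requiredEku")
    }
    if ($Role -eq 'AmtProvisioning') {
        # Either the AMT provisioning OID or, for an external CA that cannot issue
        # it, the documented OU text string: exact case, no trailing period
        $ouPattern = '(^|,\s*)OU=' + [regex]::Escape($amtOuText) + '(,|$)'
        if (($ekus -notcontains $oidAmtProvisioning) -and ($Certificate.Subject -cnotmatch $ouPattern)) {
            $findings.Add("Neither EKU $oidAmtProvisioning nor OU '$amtOuText' is present")
        }
    }

    # --- Subject name must carry the FQDN ---
    $cn = if ($Certificate.Subject -match '(^|,\s*)CN=([^,]+)') { $Matches[2].Trim() } else { '' }
    if ($cn -ne $ExpectedFqdn) {
        $findings.Add("Subject CN '$cn' is not the expected FQDN '$ExpectedFqdn'")
    }

    # --- Hash algorithm: SHA-1 only, stated for the two server-side rows ---
    if ($Role -ne 'AmtClientAuth' -and $Certificate.SignatureAlgorithm.Value -ne $oidSha1Rsa) {
        $findings.Add("Signature algorithm is $($Certificate.SignatureAlgorithm.FriendlyName), not sha1RSA")
    }

    # --- Key length ---
    $keySize = $Certificate.PublicKey.Key.KeySize
    if ($Role -eq 'AmtProvisioning') {
        if (@(1024, 1536, 2048) -notcontains $keySize) {
            $findings.Add("Key length $keySize bits is not 1024, 1536 or 2048")
        }
    } elseif ($keySize -gt 2048) {
        $findings.Add("Key length $keySize bits exceeds the 2048-bit maximum")
    }

    # --- Chain to the root CA; the root thumbprint is the hash the AMT BIOS extension needs ---
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    $rootThumbprint = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumbprint = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }
    if (-not $chainOk) {
        $findings.Add('Certificate does not chain to a trusted root CA on this computer')
    }
    if ($Role -eq 'AmtServerAuth') {
        # The whole chain is installed on the AMT-based computer, which cannot
        # accept CA certificates with keys longer than 2048 bits
        foreach ($element in $chain.ChainElements) {
            if ($element.Certificate.PublicKey.Key.KeySize -gt 2048) {
                $findings.Add("Chain certificate '$($element.Certificate.Subject)' has a key longer than 2048 bits")
            }
        }
    }

    [PSCustomObject]@{
        Role           = $Role
        Subject        = $Certificate.Subject
        Thumbprint     = $Certificate.Thumbprint
        RootThumbprint = $rootThumbprint
        Compliant      = ($findings.Count -eq 0)
        Findings       = $findings.ToArray()
    }
}

# Usage: check every certificate in the Computer Personal store of the out of band
# service point against the AMT provisioning row. 'oobsp.contoso.com' is a placeholder.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OobCertificate -Certificate $_ -Role AmtProvisioning -ExpectedFqdn 'oobsp.contoso.com' } |
    Format-List Role, Subject, Compliant, RootThumbprint, Findings
```

The AMT-based computer certificates reside in the management controller and are not visible from Windows, so for the AmtServerAuth and AmtClientAuth roles load the certificate from a file exported from the issuing CA's database (for example, New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\issued.cer', where the path is a placeholder) and pass that object as -Certificate. Run the check on the out of band service point itself so that the chain test reflects the root and intermediate CA certificates installed on that server.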

See Also