An Intel AMT device is prepared for remote configuration by having security certificate hashes added to the Intel AMT firmware. There are two sources of hashes within the Intel AMT firmware:

- Hashes that correspond to certificates from commercial SSL certificate providers. Several of these hashes are added to the firmware by Intel. Others can be added by the computer OEM in partnership with commercial certificate providers. In this case, you must request a security certificate from the certificate provider that corresponds to the hash you want to use.
- Hashes that are based on your own root certification authority. In this case, you issue the necessary certificate from your own certification authority. You can use this method to evaluate the Remote Configuration feature in a lab environment before you purchase a commercial certificate from a certificate provider.
The hash that you must add to the Intel AMT firmware is displayed in the Thumbprint field of the trusted root CA certificate.

These hashes can be added to the Intel AMT firmware by the OEM (on your request), or you can flash the firmware yourself. You can also enter the hash into the MEBx manually, through the Setup and Configuration > TLS PKI > Manage Certificate Hashes menu.

When you power on the computer, the Intel AMT device starts sending Hello messages to the ProvisionServer host name (the OOB site server computer). As part of the Hello message, the Intel AMT device sends all of its hashes to the configuration server. The Out of Band Management Component authenticates to the Intel AMT device with a certificate compatible with one of the hashed root certificates and automatically installs PID-PPS key pairs on the Intel AMT device (initializes the device).
The remote configuration workflow is as follows:

1. The Intel AMT computer is connected to the network and plugged in for the first time.
2. The Intel AMT device opens its network interface for 24 hours and starts sending Hello messages.
   The interface is open for 24 hours only the first time it is enabled. If that time runs out before setup and configuration completes, or if the Intel AMT device is later unconfigured or partially unconfigured, any subsequent call to start configuration opens the interface for only six hours.
3. Intel SCS on the configuration server extracts the hashes from the Hello message.
4. Intel SCS sends a certificate chain that includes a trusted root certificate matching one of the received hashes.
5. The Intel AMT device validates the Intel SCS certificate: it checks that the OID or the OU is correct and that the certificate chains to a certification authority matching one of the root certificate hashes.
6. The Intel AMT device verifies that its own DNS suffix matches the DNS suffix in the Intel SCS certificate.
7. Intel SCS and the Intel AMT device perform a complete mutual-authentication session key exchange:
   a. The Intel AMT device uses a self-signed certificate and sends its public key.
   b. Intel SCS creates a TLS session master key, encrypts it with the Intel AMT device's public key, and sends it to the device.
   c. The device decrypts the master key with its private key. This key is the shared secret used to establish the setup and configuration TLS session.
8. One-Time Password (OTP) verification: Intel SCS requests the OTP from the Intel AMT device, the device sends the OTP securely, and Intel SCS verifies that it is correct.
9. Intel SCS changes the Intel AMT password from its default and completes the setup and configuration process.
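Two of the checks described on this page can be reproduced locally before touching a device: deriving the hash you enter into MEBx from your own root CA certificate (the Thumbprint field mentioned earlier) and the DNS suffix comparison the device performs against the Intel SCS certificate. The following is an added Python example, not code from Intel SCS, MEBx or the Out of Band Management Component; the PEM block it carries is a constructed stand-in whose body decodes to the bytes "abc" rather than a real certificate, and the U+200E handling reflects the invisible left-to-right mark that the Windows certificate dialog places in front of a copied thumbprint.

```python
"""Root CA hash and DNS suffix checks for Intel AMT remote configuration."""
import base64
import hashlib
import re

# Constructed stand-in for a root CA certificate in PEM form. The body decodes
# to the three bytes b"abc", not a real certificate: the hash MEBx expects is
# just a digest over the DER bytes, so any byte string exercises the code path.
CONSTRUCTED_ROOT_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to DER bytes."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)

def certificate_hash(pem: str, algorithm: str = "sha1") -> str:
    """Digest of the DER certificate as upper-case hex with no separators.
    With sha1 this equals the Thumbprint field certmgr.msc shows for the
    root CA certificate; newer Intel AMT firmware also accepts SHA-256."""
    return hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()

def normalize_thumbprint(text: str) -> str:
    """Normalize a hash copied from the Thumbprint field or typed into MEBx:
    drop spaces and colons, upper-case it, and discard the invisible
    left-to-right mark (U+200E) that the Windows certificate dialog puts in
    front of the value when it is copied to the clipboard."""
    return re.sub(r"[\s:\u200e]", "", text).upper()

def thumbprint_matches(pem: str, entered: str) -> bool:
    """True if the value entered into MEBx identifies this root certificate."""
    entered = normalize_thumbprint(entered)
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", entered):
        return False  # neither a SHA-1 nor a SHA-256 digest
    algorithm = "sha1" if len(entered) == 40 else "sha256"
    return certificate_hash(pem, algorithm) == entered

def dns_suffix_matches(device_suffix: str, certificate_host: str) -> bool:
    """Check the device's DNS suffix against the host name in the Intel SCS
    certificate: the host must sit inside that suffix, and a domain that merely
    shares a trailing substring (evil-corp.example.com) must not pass."""
    host = certificate_host.lower().rstrip(".")
    suffix = device_suffix.lower().strip(".")
    return host == suffix or host.endswith("." + suffix)
```

Feed `certificate_hash` your real root CA PEM to get the value to type into Manage Certificate Hashes, and run `thumbprint_matches` on what you actually pasted to catch the stray U+200E before it silently produces a non-matching hash.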