Request and Install a Provisioning Certificate from VeriSign

snortfearServers

Dec 4, 2013


A provisioning certificate is used to prepare vPro computer systems for out of band management.

This certificate resides in the Windows Personal store in the Computer certificate store of the SCS server.

The certificate is requested from a certification authority that supplies AMT provisioning certificates, and the BIOS extension for the AMT-based computers must be configured with the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate.

VeriSign is a typical example of an external certification authority that provides AMT provisioning certificates.

The SCS server must be able to chain successfully to the certificate's root certification authority. The root certification authority certificate and intermediate certification authority certificate for VeriSign are also downloadable from their web site.

To use a provisioning certificate from VeriSign, complete the following tasks.

1. Create Certificate Signing Request (CSR)

Log on to the SCS server

Click Start > All Programs > Administrative Tools > Internet Information Server (IIS) Manager

Expand <Computer Name> (local computer)

Click Web Sites

Right-click the Default Web Site and click Properties

Click the Directory Security tab

Click Server Certificate

Click Next

Select Create a new certificate…

Click Next

Select Prepare the request now, but send it later

Click Next

Type a name for the new certificate based on the name of the web site you are using for provisioning, OR accept the default web site name.

Click Next

In the Organization field, enter the legal name for your company

Note: The name will be verified by VeriSign before issuing the certificate

In the Organization Unit field, type “Intel(R) Client Setup Certificate”

Click Next

In the Common name field, type the FQDN of the SCS server

Click Next

Complete the Geographical Information window.

Click Next

Enter a file name for the certificate request.

Click Next

Review the Request File Summary page.

Click Next

Click Finish

2. Submit Certificate Signing Request (CSR) to VeriSign

Open Internet Explorer on a system with public internet access

Type http://www.verisign.com

Click Buy SSL Certificates

Click Buy next to the Secure Site: SSL Certificates

Click Continue

Select the Validity Period of your choice

In the Enter the number of servers that will be secured with this certificate field: Type “1”

Click Continue

Select the Server Platform: Microsoft

Select the Server Version: IIS6.0

Copy and paste the contents of the CSR created earlier into the “Paste Certificate Signing Request (CSR)” window

Click Continue

Complete the Organization contact information

Click Continue

Complete the Create Certificate Center sign-in screen

Click Continue

Complete the Payment Information screen

Click Continue

Review the Order Summary screen, and complete the transaction

3. Download VeriSign Root Certificate

Note: The exact location of the files mentioned below and their respective screen shots may have changed as a result of occasional site modifications by the owner.

From the VeriSign home page http://www.verisign.com, click Support, and select SSL certificates from the drop down list

Click Download the Verisign Root and Intermediate Certificate Authority (CA) Certificates

Note: If the download option is not displayed in the Top Issues section, type the following in the Ask a Question line: How to download the VeriSign Root CA and Intermediate Certificate Authority (CA) Certificates and click Ask.

From the question result, look for, and select: How to download the VeriSign Root CA and Intermediate Certificate Authority (CA) Certificates?

If you use the “Ask a Question” option, you should see a screen like this: [screenshot]

To download the VeriSign Root CA Certificate only, click the Class 3 Public Primary Certification Authority 2028.cer

To also download the VeriSign Intermediate CA Certificate, follow the AR657 link.

Download as instructed

Note: The root certificate’s hash must correspond to one of the following hashes installed by the OEM on the vPro systems:

Verisign Class 3 Primary CA-G1: 742C-3192-E607-E424-EB45-4954-2BE1-BBC5-3E61-74E2

Verisign Class 3 Primary CA-G3: 132D-0D45-534B-6997-CDB2-D5C3-39E2-5576-609B-5CC6

4. Install and Export VeriSign SSL Certificate via IIS on SCS Server

Log on to the SCS server using the same User ID that generated the CSR

Click Start > All Programs > Administrative Tools > Internet Information Server (IIS) Manager

Expand <Computer Name> (local computer)

Click Web Sites

Right-click the Default Web Site and click Properties

Click the Directory Security tab

Click Server Certificate

Click Next

Select Process the pending request and install the certificate

Click Next

Click Browse to select the certificate file received from VeriSign

Click Next

Click Next to accept the default SSL port 443

Click Next

Review the Certificate Summary

Click Next

Click Finish

From the Default Web Site properties page, click Directory Security tab

Click View Certificate

The installed certificate should look similar to this: [screenshot]

Note the following:

The OID

Issued to:

Issued by:

Valid dates:

Make sure that “You have a private key that corresponds to this certificate” is shown

Click the Details tab

Click Copy to File…, and the Certificate Export Wizard opens

Click Next

Select Yes, export the private key

Click Next

Select Personal Information Exchange - PKCS #12 (.PFX)

Select Include all certificates in the certification path if possible

Click Next

Supply the private key password

Click Next

Enter a filename for the certificate (in .pfx format), and click Next

Click Finish

Click OK

Close IIS

5. Install VeriSign Intermediate & Root Certificates on SCS Server

By default, VeriSign Intermediate and Root certificates should auto install into a Microsoft Windows Operating Systems environment. But if needed, follow the processes outlined below to install the certificates:

Log on to the SCS server using the same User ID that generated the CSR

Click Start > Run, and type mmc

Click Next

Expand Trusted Root Certification Authorities

Click Certificates, verify that the Class 3 Public Primary Certification Authority root certificate is present.

If present, open it and verify the thumbprint matches the previously listed hash, as shown here.

Click OK

If the Trusted Root Certification Authorities is absent from the list, then right-click Certificates > All Tasks > Import.

Click Next, select the location of the downloaded root file. Complete the wizard.

Expand Intermediate Certification Authorities

Click Certificates, verify that the Class 3 Secure Server CA intermediate certificate is present.

If present, open it.

Click Certification Path tab

Verify that the Class 3 Secure Server CA is correctly chained to the VeriSign Class 3 Public Primary CA root certificate.

Click OK to close

A completed and correctly chained certification path is shown below.

[screenshot]
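
The manual checks in tasks 4 and 5 (private key present, chain builds, root thumbprint matches one of the listed hashes) can also be scripted on the SCS server. The PowerShell below is an added example, not part of the original document; it assumes PowerShell 3.0 or later, and scs.example.com is a placeholder for the FQDN entered as the Common name.

```powershell
# Added example: check the installed provisioning certificate on the SCS server.
# Root thumbprints are the two hashes listed in task 3, with the dashes removed.
$allowedRoots = @(
    '742C3192E607E424EB4549542BE1BBC53E6174E2',   # Verisign Class 3 Primary CA-G1
    '132D0D45534B6997CDB2D5C339E25576609B5CC6'    # Verisign Class 3 Primary CA-G3
)
$fqdn = 'scs.example.com'   # placeholder (assumption): FQDN typed as the Common name

# Personal store of the Computer certificate store, filtered on the OU and CN from task 1
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like '*Intel(R) Client Setup Certificate*' -and
    $_.Subject -like "*CN=$fqdn*"
})
if ($candidates.Count -eq 0) {
    throw "No provisioning certificate for $fqdn found in LocalMachine\My"
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the check also runs on a server without internet access
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainBuilds = $chain.Build($cert)
    # When the chain is complete, its last element is the root certificate
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # One result row per matching certificate
    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        ChainBuilds    = $chainBuilds
        ChainLength    = $chain.ChainElements.Count
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        RootIsListed   = $allowedRoots -contains $root.Thumbprint
    }
}
```

A usable provisioning certificate reports HasPrivateKey, ChainBuilds and RootIsListed as True.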