Securing the Intel vPro Platform

With the Intel vPro Technology, IT managers can remotely configure and manage business PCs that are networked together on the vPro platform. VeriSign SSL Intel Client Setup Certificates enable connections that are secure and trusted. What does that mean for partners of Secure128? You can effectively tap into the market of IT infrastructure and enterprise configuration sales.

Securing the Intel vPro Platform 

Intel vPro helps IT managers save time and maintain common configurations across an enterprise by easily pushing updates to networked PCs. However, it's critical that those updates are secure. VeriSign SSL certificates can protect the network from unauthorized access and pushing malicious updates.

Issuing SSL certificates for an Intel vPro environment doesn't have to be tricky either. You can do it right in the Secure128 customer portal. The following is a great knowledge base article with more information:

Obtain a Provisioning Certificate for Intel vPro or Intel AMT Platforms
Problem
Intel(R) Client Setup Certificate
Information on obtaining a certificate for Intel vPro or Intel AMT

Resolution
For Intel vPro or Intel AMT, there are requirements on the type of SSL certificate ordered and the contents of the CSR. The types of VeriSign SSL certificates that are compatible with the Intel® platform are:

  • Secure Site (Standard SSL)
  • Secure Site Pro (Premium SSL)  

NOTE: Certificates for Intel® platforms also require a specific OU field in the CSR: "Intel(R) Client Setup Certificate" (without the quotes).
VeriSign recommends using IIS to request, install and export the SSL certificate -

  • For new enrollments, please click here for CSR generation instructions; for renewals, please click here for CSR generation instructions.
  • When the SSL certificate is issued, please install per instructions for Microsoft IIS 5 or 6.
Prior to exporting, it's important to ensure that all certificates are installed correctly. Please open the Certificates snap-in in MMC per this solution, then check the following:

  • The new SSL certificate should be located in the Certificates folder under Personal.
  • The correct Intermediate CA's should be located in the Certificates folder under Intermediate Certification Authorities. In case the Intermediate CA's haven't been installed, you can click here for the Intermediate Certificates and instructions on downloading.
  • The below identified Verisign Root certificates must not be located in any certificate store on the server where the Provisioning Certificate for Intel® vPro or Intel® AMT Platform is installed.
If either of these certificates is installed on the Provisioning server, the server will return an un-trusted chain to the Intel® vPro or Intel® AMT clients.

The following two Verisign Roots must not be installed on the Provisioning server.

The VeriSign "G1.5" Class 3 PCA Root

Organization (O): VeriSign, Inc.
Organizational Unit (OU): Class 3 Public Primary Certification Authority
Country (C): US
Valid from: 1/28/1996
Valid to: 8/2/2028
Serial Number: 3c 91 31 cb 1f f6 d0 1b 0e 9a b8 d0 44 bf 12 be

The VeriSign "G5" Class 3 PCA Root

Organization (O): VeriSign, Inc.
Common Name (CN): VeriSign Class 3 Public Primary Certification Authority - G5
Organizational Unit (OU): VeriSign Trust Network
Organizational Unit (OU): (c) 2006 VeriSign, Inc. - For authorized use only
Country (C): US
Valid from: 11/7/2006
Valid to: 7/16/2036
Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
 
• The VeriSign "G1.3" Class 3 PCA Root must be located in the Certificates folder under Trusted Root Certification Authorities - details as follows (note the serial number is different to above):


Organization (O): VeriSign, Inc.
Organizational Unit (OU): Class 3 Public Primary Certification Authority
Country (C): US
Valid from: 1/28/1996
Valid to: 8/1/2028
Serial no.: 70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf
 
Once all certificates are correctly installed, the SSL certificate can be exported to a PFX file. For instructions, please see this article.