Product guide

Certificates for TLS
You can use the Transport Layer Security (TLS) protocol to secure and authenticate communications
across your network.
Intel® AMT uses the Public Key Infrastructure (PKI) method of TLS, which provides secure
communication using an asymmetric public and private cryptographic key pair. The key pair is
retrieved and shared through a trusted authority, known as a Certification Authority (CA). The CA
supplies digital certificates that can identify an individual or an organization. By default, McAfee ePO
Deep Command Root CA issues this certificate. You can also use Microsoft CA.
Remote configuration certificate
For Intel® AMT configuration, you can deploy a vendor-supplied certificate in your network.
To use Public Key Infrastructure (PKI), the Intel® AMT system must have a pre-programmed root
certificate hash. When using a vendor-supplied certificate for the configuration, you must:
- Use a supported vendor. The list of supported vendors is based on the root certificate hashes
  present in the Intel® AMT firmware and its versions. For the list of supported vendors, see
  http://communities.intel.com/docs/DOC-2225.
- Generate a Certificate Signing Request (CSR) and purchase the appropriate SSL certificate from the
  vendor. For purchasing the correct SSL certificate, see
  http://communities.intel.com/docs/DOC-1277.
- Install the vendor certificate on the system where Intel® SCS Remote Configuration Service (RCS)
  is running. For more information on installing the vendor certificate, see Installing a Vendor
  Certificate in the Intel® Setup and Configuration Service (Intel® SCS) User Guide.
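
The root certificate hash requirement above can be checked before the vendor certificate is installed. The following Python code is an added example, not code from McAfee or Intel: it fingerprints each certificate in a PEM chain file and reports whether one of them matches a list of firmware root hashes. The function names, the sample chain (constructed bytes, not real certificates) and the SHA-256 default are assumptions; use the hash algorithm and hash list shown for your Intel® AMT firmware version.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(hex_hash):
    """Reduce 'AB:CD EF' style hashes to bare lowercase hex."""
    return re.sub(r"[\s:]", "", hex_hash).lower()

def fingerprints(pem_bundle, algo="sha256"):
    """Digest of the DER bytes of each certificate in a PEM bundle, in file order."""
    out = []
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.new(algo, der).hexdigest())
    return out

def find_trusted_root(pem_bundle, firmware_hashes, algo="sha256"):
    """Index of the first chain certificate whose digest is in the firmware
    hash list, or None if the chain does not reach a pre-programmed root."""
    trusted = {normalize(h) for h in firmware_hashes}
    for i, fp in enumerate(fingerprints(pem_bundle, algo)):
        if fp in trusted:
            return i
    return None

def pem_wrap(raw):
    """Wrap raw bytes in PEM armor (used only to build the sample below)."""
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

# Constructed stand-ins: these bytes are NOT real certificates.
SAMPLE_LEAF = b"constructed-leaf-der"
SAMPLE_ROOT = b"constructed-root-der"
SAMPLE_CHAIN = pem_wrap(SAMPLE_LEAF) + pem_wrap(SAMPLE_ROOT)

if __name__ == "__main__":
    # Placeholder list; in practice use the hashes listed for your firmware.
    firmware = [hashlib.sha256(SAMPLE_ROOT).hexdigest().upper()]
    idx = find_trusted_root(SAMPLE_CHAIN, firmware)
    print("trusted root at chain index:", idx)
```

A result of None means no certificate in the chain file matches a pre-programmed hash, so the chain would not be accepted for remote configuration.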
Server authentication certificate
A server authentication certificate is required for each Intel® AMT device for TLS.
When the Intel® AMT system is configured to use TLS, the configuration server automatically requests
a certificate from the root certificate. You can configure ePO Deep Command to use one of these:
- McAfee ePO Deep Command Root CA — When the ePO Deep Command Management
  Framework component is installed, it also installs a McAfee ePO Deep Command Root CA. This Root
  CA signs the TLS certificates of the Intel® AMT system. Intel® RCS generates these certificates
  during the configuration process. The TLS certificate of an Intel® AMT system is used for managing
  the system.
- Microsoft CA — You can set up a Microsoft CA server in a Windows server system. This system
  acts as a self-signed CA in your network, which can issue certificates for use with public key
  security programs.
- Custom CA — You can use a certificate from a custom root CA. Export the certificate from the root
  CA with keys, then import it to ePO Deep Command.
McAfee ePO Deep Command 2.1.0 Product Guide