13 Replies Latest reply: Feb 15, 2013 7:08 PM by MrGadget

    vpro certs

    Rookie

      I have a question regarding the AMT vPro config.  From what I have read, if we use enterprise mode and get a cert from one of the approved locations and get that cert on the provisioning server (LANDesk core), we can then use zero touch provisioning.  By zero touch I mean you have a vPro PC out there with the advanced agent on it, and once you have set your vPro password in LANDesk it will automatically provision the PC and give you the vPro functionality.  Is this correct or am I reading it wrong?  Also, I am having trouble using the amtprovmgr2.exe command to generate a CSR file for purchase of a certificate.  I am using LANDesk 9.0.2.3 and I got this command from an older document.  Is this still the method used to get the info needed in order to order your cert?

        • 1. Re: vpro certs
          LANDeskWizrd SSMMVPGroup

          You are correct in that they will zero touch provision if everything is configured correctly. The way the machine is able to find the server is by looking for a specific DNS name, can't remember the exact name right now. Is the doc you followed for the CSR creation this one http://community.landesk.com/support/docs/DOC-9307? I believe that is the same doc I used originally and it worked for me. What issues are you seeing when you try to generate the file?

          • 2. Re: vpro certs
            Rookie

            Yes, that is the document I was using. When I run the command (amtprovmgr2.exe -domainname ad.hs.uab.edu -country US -state "alabama" -city "Birmingham" -organization "uab") I get this:

            <amt>

            To generate certificate signing request

             

            That's all it says, and there are no .pem or .csr files created that I can find.

            • 3. Re: vpro certs
              Rookie

              If I use one of the approved certs, that means it will already be on the BIOS of the PC and will not have to have the OEM vendor load it, correct?  If I gen'ed my own, I would have to have them load it before shipping?

              • 4. Re: vpro certs
                LANDeskWizrd SSMMVPGroup

                Is ad.hs.uab.edu the FQDN of the LANDesk core server?

                 

                To answer your second question, it does not need any cert loaded by the manufacturer. All it needs is to have vPro/AMT enabled and the machine will look for the DNS entry and provision itself. I believe the DNS entry is "ProvisionServer".

                • 5. Re: vpro certs
                  LANDeskWizrd SSMMVPGroup

                  Not sure if you are using GoDaddy for your cert but they are by far the easiest to setup. This document is what I used when setting it up originally http://communities.intel.com/servlet/JiveServlet/previewBody/2221-102-3-3990/Installing%20GoDaddyCertificate%20for%20Landesk%208.8_v1.2.pdf

                   

                  This is another helpful doc http://communities.intel.com/docs/DOC-2070

                  • 6. Re: vpro certs
                    Rookie

                    OK. It was a little misleading since the switch is called -domainName.  My command now looks like this: amtprovmgr2.exe -domainName vm-landesk-1.ad.hs.uab.edu -country US -state "Alabama" -city "Birmingham" -organization "UAB"

                     

                    What it returns is this:  <amt>

                                                      To generate certificate a signing request

                                                      Generate certificate signing request successfully

                     

                    Then I assumed it would put those two files on the root of c:\program files <x86>\landesk\managementsuite\amtprov

                    but there are no .pem or .csr files there or anywhere else on the core that I can find... I guess it could be a rights issue, but I would think it would return an error.

                    • 7. Re: vpro certs
                      Rookie

                      Landeskwizard you are the man! I got it now thanks for all the help.

                      • 8. Re: vpro certs
                        Apprentice

                        Did you resolve the certification signing request problem?  I had the same issue initially especially if your LANDesk core is on Server 2008 and presumably has UAC enabled.

                         

                        When you open a command line, make sure you right-click "Run as Administrator" and generate the signing request using this command prompt, otherwise you will not have the rights to create files in that directory.

                        • 9. Re: vpro certs
                          sfgraham Rookie

                          I had followed all the instructions for getting a GoDaddy cert and installing it, but it didn't work. I found the OU was not set to Intel(R) Client Setup Certificate even though I specified to GoDaddy it was for vPro Provisioning. I think GoDaddy only goes by the text in certreq.csr where you can not specify the OU using AMTProvMgr2.exe. Does anyone know how you get Intel(R) Client Setup Certificate set as the OU? I cannot find any documentation in this community, Intel or GoDaddy's support for that one piece of the puzzle, unless it's for a SCCM server. Also, does this mean GoDaddy did it wrong and I'll have to cancel and create a new cert?

                          • 10. Re: vpro certs
                            Apprentice

                            You will most likely have to be re-issued a new certification. Did you specify Deluxe SSL cert when going through GoDaddy? I remember there was an option for vPro under Deluxe when I did my certificate.

                             

                            http://www.godaddy.com/ssl/ssl-certificates.aspx?show_deluxe=1&ci=51160

                            • 11. Re: vpro certs
                              sfgraham Rookie

                              Thanks for the response Macado. GoDaddy said I would have to get a new cert. I did get a Deluxe cert and made sure it was for vPro, but the OU was set to Information Systems, which is the OU of the user account that generated the certreq.csr. So I'm thinking that's how that field was populated. I would think GoDaddy would know to change that value to Intel(R) Client Setup Certificate, but that didn't happen. I'll create a new cert request today and test it with openssl once I get it.

                               

                              Update: I found out why the OU was wrong. When filling out your customer information you must put Intel(R) Client Setup Certificate as your division and that becomes the OU. Do not use the billing info. The GoDaddy tech support didn't even know that was the case. Even if your CSR is correct, as mine was, they will overwrite it with your customer information. The instructions here and on Intel's site are a little out of date as GoDaddy has changed their site since they were posted.

                               

                              Message was edited by: DaddyG

                              • 12. Re: vpro certs
                                VaLr Apprentice

                                LANDeskWizrd: I have a question about the "AMTProvMgr2.exe" -domainName command.

                                 

                                Do I have to specify the LANDesk server name before the domain?

                                For example: AMTProvMgr2.exe -domainName LDMSCORE.vprodemo.com -country US

                                 

                                Or do I just have to specify the domain only?

                                For example: AMTProvMgr2.exe -domainName vprodemo.com -country US

                                 

                                Second Question:

                                 

                                What should I do in my DNS?

                                 

                                *About my "Provisioning Server"


                                • 13. Re: vpro certs
                                  MrGadget Specialist

                                  The first one.

                                   

                                  In DNS, make a CNAME (alias) provisionserver and set it to point to your core server.
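
Added example, not part of the thread and not LANDesk or Intel tooling: a pre-flight check of an issued certificate's subject for the two things this thread tripped over, the OU value from reply 11 and the core server FQDN from replies 4, 6 and 13. It assumes the -domainName value ends up as the certificate CN and that the subject is printed by openssl x509 with -nameopt RFC2253; the function names and the sample subject lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the -domainName value becomes the CN.
REQUIRED_OU='Intel(R) Client Setup Certificate'

# Print every value of attribute $2 (OU, CN, ...) found in the RFC 2253
# subject line $1, one per line. Only escaped commas (\,) are unescaped.
dn_values() {
    printf '%s\n' "$1" | awk -v attr="$2" '{
        sep = "\034"
        sub(/^subject= */, "")
        gsub(/\\,/, sep)                 # protect commas inside a value
        n = split($0, rdn, ",")
        for (i = 1; i <= n; i++)
            if (index(rdn[i], attr "=") == 1) {
                v = substr(rdn[i], length(attr) + 2)
                gsub(sep, ",", v)
                print v
            }
    }'
}

# Return 0 only if the OU is the Intel string and the CN is the core FQDN ($2).
check_subject() {
    rc=0
    if ! dn_values "$1" OU | grep -Fxq "$REQUIRED_OU"; then
        echo "FAIL: OU is '$(dn_values "$1" OU)', want '$REQUIRED_OU'" >&2
        rc=1
    fi
    if ! dn_values "$1" CN | grep -Fxiq "$2"; then
        echo "FAIL: CN is '$(dn_values "$1" CN)', want '$2'" >&2
        rc=1
    fi
    return $rc
}

# Same check against a PEM file (path supplied by the caller), via the openssl CLI.
check_cert() {
    check_subject "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)" "$2"
}

# Constructed subject lines: the OU the thread requires, and the overwritten one.
CORE=vm-landesk-1.ad.hs.uab.edu
GOOD="subject=CN=$CORE,OU=$REQUIRED_OU,O=UAB,L=Birmingham,ST=Alabama,C=US"
BAD="subject=CN=$CORE,OU=Information Systems,O=UAB,L=Birmingham,ST=Alabama,C=US"
for s in "$GOOD" "$BAD"; do
    if check_subject "$s" "$CORE"; then echo "usable"; else echo "reissue"; fi
done
```

Running check_cert on the certificate as soon as the CA returns it catches an overwritten OU before the certificate is installed on the core.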