I’m transferring the query on the request of the moderator.

See https://neighborhood.intel.com/t5/Intel-vPro-Platform/TLS-Alert-Certificates-Unknown-occurs-during-the-Safe-Host/td-p/1569623.

—

Good day,

We’re implementing AMT provisioning on our personal with no answer like EMA.

We encountered an issue whereas implementing Safe Host-Based mostly Configuration to assist CSME 19 or increased.

1. Registered the AMT CA certificates.

> rpc amtinfo
Model : 15.0.47
Construct Quantity : 2521
SKU : 16392
Options : AMT Professional Company
Management Mode : pre-provisioning state
DNS Suffix : 192.168.1.10

> rpc amtinfo -cert
—Certificates Hashes—
…
Our AMT CA (Lively)
SHA256: cabc80186952320c73691e6c4d62379a7d9a52ca246e34881b83ad1a51b9ac12

2. StartConfigurationHBased

StartConfigurationHBased was known as as follows.

StartConfigurationHBased(
  ServerHashAlgorithm = CERT_HASH_ALGORITHM_SHA256,
  ServerCertHash [SHA_512_KEY_SIZE]byte = SHA 256 HASH of Provisioning Certificates,
  HostVPNEnable = False,
  SuffixListLen = 0,
  NetworkDnsSuffixList [320]byte
)

3. The Provisioning server is related to 127.0.0.1:16993.
However TLS Handshake Failure.

– Each the provisioning certificates and the CA certificates have been despatched.

– The hashes of the CA certificates and provisioning certificates are the identical as these despatched in steps 1 and a pair of.

Provisioning Certificates:

Certificates:
    Information:
        Model: 3 (0x2)
        Serial Quantity:
            01:8d:7c:e8:91:6a:64:14:68:54:96:b8:98:b1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Our AMT CA, C = KR
        Validity
            Not Earlier than: Feb  6 05:33:52 2024 GMT
            Not After : Feb  3 05:33:52 2034 GMT
        Topic: CN = 192.168.1.10, OU = Intel(R) Shopper Setup Certificates
        Topic Public Key Data:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Primary Constraints: essential
                CA:FALSE
            X509v3 Key Utilization: essential
                Digital Signature, Non Repudiation, Key Encipherment, Key Settlement
            X509v3 Prolonged Key Utilization: essential
                TLS Net Server Authentication, 2.16.840.1.113741.1.2.3
            X509v3 Topic Different Identify: 
                DNS:192.168.1.10
            X509v3 Topic Key Identifier: 
                58:CE:02:47:70:49:8C:C1:7B:DB:9E:FA:DE:C0:3D:8D:76:9A:5C:CA
            X509v3 Authority Key Identifier: 
                B7:FE:10:B2:C9:C8:E8:64:92:6E:17:D5:21:B1:40:72:66:A7:CF:89
            Netscape Cert Sort: 
                SSL Server
    Signature Algorithm: sha256WithRSAEncryption
    Signature Worth: ... 

Here’s a pattern mission that may be run standalone on a vPro PC: https://github.com/jclab-joseph/intel-vpro-hbased-problem-01

You possibly can check it after registering the certificates with setup.bin.

>amt-test.exe
2024/02/07 10:24:32 AMT Model:  15.0.47
2024/02/07 10:24:32 DNS SUFFIX:  amt-provisioning.check.com
2024/02/07 10:24:32 StartConfigurationHBased: AMT Cert Hash:  6d802ab34996d397a9b4ebf901edf0c38a9fa7b997917732aaf8de82bc0ad1bb0000000000000000000000000000000000000000000000000000000000000000
2024/02/07 10:24:33 tcp related. begin mtls...
2024/02/07 10:24:34 RECEIVED AMT HASH :  6d802ab34996d397a9b4ebf901edf0c38a9fa7b997917732aaf8de82bc0ad1bb
2024/02/07 10:24:34 RECEIVED AMT HASH **MATCHED** :)
2024/02/07 10:24:34 tls handshake failed:  distant error: tls: unknown certificates