Export (0) Print
Expand All

About Certificates for Out of Band Management

Updated: April 1, 2011

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

This topic provides details about the deployment and usage of the Configuration Manager 2007 SP1 and later public key infrastructure (PKI) certificates used with out of band management and covers the following areas:

noteNote
The information in this topic applies only to Configuration Manager 2007 SP1 and later.

For a list of the certificate requirements, see Certificate Requirements for Out of Band Management.

For a step-by-step example deployment, see the following:

Certification Authority Requirements for Out of Band Management

The certificate deployment requirements for AMT provisioning include the use of automatically approving certificates so that the site server can request and immediately retrieve a certificate for each AMT-based computer that it provisions. To help secure automatic approval, security controls are required to help ensure that only trusted computers request certificates. The use of certificate templates with a Microsoft enterprise certification authority (CA) provides this level of security control by having access level controls on the certificate templates. Although you can automatically approve all certificate requests with a stand-alone Microsoft CA, this solution does not offer any security controls and is not supported with out of band management in Configuration Manager 2007 SP1 and later.

A Microsoft enterprise CA supports the following versions of certificate templates:

  • Version 1 was introduced with Windows Server 2000 and is supported with all server editions of Windows Server 2003 and Windows Server 2008.

  • Version 2 was introduced with Windows Server 2003 and is supported with the Enterprise and Datacenter Editions of Windows Server 2003 and Windows Server 2008. Version 2 templates are not supported with the Standard Editions of Windows Server 2003 and Windows Server 2008.

  • Version 3 was introduced with Windows Server 2008 and is supported with the Enterprise and Datacenter Editions of Windows Server 2008. However, these certificate templates create certificates that are not compatible with Configuration Manager and must not be used for either out of band management or native mode.

You can see the different template versions in the Certificate Templates MMC by referencing the Minimum Supported CAs column: version 1 templates are listed as Windows 2000, version 2 templates are listed as Windows Server 2003, Enterprise Edition, and version 3 templates are listed as Windows Server 2008.

Version 1 certificate templates allow you to configure the security permissions that help to secure who can read, enroll, and manage the templates. However, to change any other properties of the certificate template, such as its name, its intended purpose, and its validity period, you must use version 2 or version 3 templates.

Customizing the certificate templates for out of band management is recommended and might be required to deploy the provisioning certificate, as outlined in the following sections. Using a dedicated certificate template for all the certificates used by out of band management is a security best practice. Any template customization requires that the CA is running the Enterprise Edition of the Windows Server operating system.

Certificate Template Versions and the Provisioning Certificate

The provisioning certificate installed in each site that will manage AMT-based computers out of band often requires a specific object identifier (OID) that does not exist in the default certificate templates, in addition to the server authentication capability (OID 1.3.6.1.5.5.7.3.1). This means that an existing certificate template must be modified to include the custom object identifier. To do this, use a version 2 certificate template, because Configuration Manager does not support certificates that are created with a version 3 template. A version 2 template is not supported with the Standard Editions of Windows Server 2003 or Windows Server 2008.

However, if you are using an external CA for the provisioning certificate and the company provides its own method of requesting the certificate (for example, connecting to their Web enrollment site), you do not need to use a certificate template for the provisioning certificate.

If you are using an external CA that requires you to submit your request by using a certificate request file or if you are using your own internal CA to supply the provisioning certificate, you cannot use a version 1 certificate template when the certificate contains the custom OID. Instead, you must use a version 2 template so that it can be modified to include the custom OID. For an example deployment for submitting a certificate request to an external CA and using your own internal CA, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.

Certificate Template Versions and the Certificates for AMT-Based Computers

Each AMT-based computer requires a certificate that is installed in the management controller memory, and this certificate requires server authentication capability only (OID 1.3.6.1.5.5.7.3.1). This requirement matches the default version 1 template named Web Server. You could therefore use the Web Server template, modifying only the security permissions so that the site server can read and enroll using this template.

However, if you duplicate the Web Server template, you have more control over the certificate that is used because you can change the name and description to identify that it is being used with out of band management. You can also change properties of the certificate, such as its validity period and the key size. Because of the greater control offered by version 2 templates, these templates are recommended for out of band management. Using these templates requires the Enterprise Edition of the Windows server operating system.

If you require a client certificate for 802.1X authenticated wired and wireless networks for Configuration Manager 2007 SP2, this also requires the Enterprise Edition of the Windows server operating system. For more information about this certificate, see The Optional Client Certificate for AMT-Based Computers in Configuration Manager 2007 SP2 Only.

The AMT Provisioning Certificate

The following sections provide information about whether you can use your own internal CA or must use an external CA to request the provisioning certificate, and information about the certificate Subject name requirements.

Choosing Between an External CA and Using Your Internal CA

Configuration Manager cannot manage AMT-based computers out of band until they are provisioned. By default, AMT-based computers are configured by the computer manufacturer to use external certification authorities (CAs), such as VeriSign, Go Daddy, Comodo, and Starfield. If you purchase a provisioning certificate from one of the external CAs and configure Configuration Manager to use this provisioning certificate, AMT-based computers will trust the CA of the provisioning certificate and provisioning can succeed.

If you plan to use your internal CA to supply the provisioning certificate, one of the following conditions must be true:

  • Your computer supplier provided you with a customized firmware image that includes the certificate thumbprint of your internal root certificate. This is recommended for security reasons, to help protect against rogue provisioning servers. For more information about using a customized firmware image, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer.

  • You will manually add the certificate thumbprint of your internal root certificate to each computer that will be provisioned for out of band management in Configuration Manager 2007 SP1 or later. Refer to your computer manufacturer instructions for information about how to configure the AMT certificate hash option with your certificate thumbprint value.

If you need more information about how to locate the certificate thumbprint of your internal root certificate thumbprint, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.

Certificate Subject Name Requirements

During the AMT provisioning process, Configuration Manager configures the host name and DNS suffix in the AMT BIOS extensions with the FQDN of the AMT-based computer retrieved from the Configuration Manager database. The DNS suffix is then checked against the subject name in the provisioning certificate. The subject name in the provisioning certificate contains the FQDN of the site system server configured with the out of band service point role.

If the FQDN of the AMT-based computer shares the same namespace as the FQDN specified in the AMT provisioning certificate, AMT provisioning succeeds. If the FQDN of the AMT-based computer does not share the same namespace as the FQDN specified in the AMT provisioning certificate, AMT provisioning fails.

The following are examples of when the AMT-based computer shares the same namespace as the out of band service point:

  • The FQDN of the AMT-based computer is computer1.contoso.com, and the FQDN of the out of band service point is server1.contoso.com.

  • The FQDN of the AMT-based computer is computer1.sales.contoso.com, and the FQDN of the out of band service point is server1.contoso.com.

  • The FQDN of the AMT-based computer is computer1.sales.contoso.com, and the FQDN of the out of band service point is server1.marketing.contoso.com.

In the preceding examples, the AMT-based computer and the out of band service point share the contoso.com namespace.

The following are examples of when the AMT-based computer does not share the same namespace as the out of band service point:

  • The FQDN of the AMT-based computer is computer1.contoso.com, and the FQDN of the out of band service point is server1.northwindtraders.com.

  • The FQDN of the AMT-based computer is computer1.northwindtraders.com, and the FQDN of the out of band service point is server1.contoso.com.

In the preceding examples, the AMT-based computer and the out of band service point do not share a common namespace. Consequently, AMT provisioning will fail, even if both computers belong to the same Active Directory forest. Additionally, out of band management does not support a disjointed namespace. For example, an AMT-based computer that has an FQDN of computer1.contoso.com but resides in the Active Directory domain named na.corp.contoso.com cannot be successfully provisioned by out of band management.

The provisioning certificate is installed on the out of band service point site system server, and this server's FQDN must be supplied in the provisioning certificate's subject name. If you are using your own internal CA to supply the provisioning certificate, the FQDN of the out of band service point site system server can be automatically configured with the certificate request. For more information, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.

ImportantImportant
You cannot provision AMT-based computers if they do not share the same namespace as the out of band service point. This means that AMT-based computers from a different Active Directory forest cannot be provisioned, and forests with a noncontiguous namespace will be unable to use out of band management unless the AMT-based computers and out of band service point belong to the same DNS tree. Disjointed namespaces within the same tree are also not supported.

Renewing the AMT Provisioning Certificate

Because an expired AMT provisioning certificate will result in provisioning failure, ensure that you renew your AMT provisioning certificate and configure out of band management with the new certificate before the original expires. Ensure that you request a new certificate well before the existing certificate expires, which is particularly important if you are using an external CA for your provisioning certificate.

To help you identify when the AMT provisioning certificate is about to expire, Configuration Manager generates a warning status message with ID 7210 when the provisioning certificate in use is 40 days or less from expiration. This status message will be repeated once a day until the certificate is replaced with a validity period greater than 40 days or until the validity period is less than 15 days. When the validity period is less than 15 days, an error status message with ID 7211 is generated until the certificate is replaced with a validity period greater than 15 days.

noteNote
You must configure the out of band management component configuration properties with the new certificate. Installing the new certificate into the Certificates local store in the out of band service point site system computer is not sufficient. For more information, see How to Configure AMT Provisioning.

For more information about using status messages to monitor out of band management, see How to Monitor Out of Band Management.

For more information about site status configuration, see How to Configure Site Status Configuration.

The Web Server Certificate for AMT-Based Computers

Although it is more typical to think of workstation computers serving as a client to a Web site on a server, the opposite is true with out of band management. The AMT-based computers run a Web server component within their firmware, and the computers that manage them (the out of band service point, and any computer running the out of band management console) act as the clients.

The certificate installed in the AMT memory requires server authentication capability so that it is authenticated to the computers that manage it and so that data sent between them is encrypted using transport layer security (TLS). TLS is an industry standard protocol closely related to SSL 3.0 and helps to secure against message tampering, interception, and forgery. For more information about TLS, see http://go.microsoft.com/fwlink/?LinkId=108709.

Out of band management does not use mutual PKI authentication; although the AMT-based computer is authenticated to the computer managing it, there is no corresponding client PKI certificate on the computer managing it. Instead, these communications are secured using a TLS connection and the following user accounts:

  • Windows user accounts using Kerberos authentication to run the out of band management console.

  • AMT Provisioning and Discovery Accounts using HTTP Digest authentication.

  • AMT MEBx Account using HTTP Digest authentication.

  • AMT User Accounts using Kerberos authentication.

  • AMT Remote Admin Account using HTTP Digest authentication.

Renewing the Web Server Certificate for AMT-Based Computers

An expired Web server certificate that is not renewed for AMT-based computers will result in Configuration Manager being unable to manage that computer out of band.

Configuration Manager monitors the certificates that it deploys to the AMT-based computers and automatically requests a new certificate before the original certificate expires. This helps to ensure seamless continuity and a sufficient grace period if the issuing CA cannot be immediately contacted.

When you install an out of band service point, an out of band management maintenance task is automatically enabled that periodically checks the remaining validity period of certificates that it has issued to AMT-based computers. It makes this check every 7 days and requests a new certificate when the expiration period is 42 days or less.

If you need to adjust these settings or initiate a check for certificates that are near expiration, see How to Customize Maintenance Tasks for Out of Band Management.

noteNote
If the out of band service point in Configuration Manager 2007 SP2 connects to an AMT-based computer by using a wireless network connection, certificate renewal is not possible.

The Optional Client Certificate for AMT-Based Computers in Configuration Manager 2007 SP2 Only

Configuration Manager 2007 SP2 supports out of band management on 802.1X authenticated wired networks and wireless networks. In these scenarios, a client certificate might be required by the AMT-based computer for authentication to the RADIUS server. When the RADIUS server is configured for EAP-TLS authentication, a client certificate is always required. When the RADIUS server is configured for EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, the RADIUS configuration specifies whether a client certificate is required or not.

The site server requests client certificates for AMT-based computers during the provisioning process, or if the AMT-based computer is already provisioned without a valid client certificate and you update the management controller on a wired connection. You can specify a single a client certificate template to be used when you configure support for 802.1X authenticated wired networks and up to 8 different client certificate templates to be used when you configure support for different wireless networks. However, as a security best practice and to ease administration, specify the same certificate template unless you have a good business reason to use different client certificates (such as different key sizes and validity dates, or a different root CA). This additional certificate, also installed in the AMT memory, requires client authentication capability only (OID 1.3.6.1.5.5.7.3.2) so that the AMT-based computer can be authenticated to the RADIUS server. After authentication succeeds, the AMT-based computer can be authorized and configured for network access. This certificate is never used to authenticate the computer to the Configuration Manager infrastructure.

When more than one client certificate is requested for a single AMT-based computer, AMT keeps track of each certificate so that the correct client certificate is used with the corresponding configuration. For example, if you specify a second wireless profile and configure it to use a different certificate template from the one specified in the first wireless profile, the certificate requested and installed for the second wireless profile will never be used when the AMT-based computer connects to a wireless network by using the first wireless profile.

In addition to the client authentication capability in the certificate template, it must also specify Supply in the request so that the site server requesting the certificates can supply the FQDN and the UPN of each AMT-based computer. The FQDN is required for AMT storage and the UPN value is used for authentication to the RADIUS sever. You must use a customized certificate template to configure a certificate template that has both client authentication capability and Supply in the request. The closet certificate template to use is Workstation Authentication, which you can duplicate and then customize for the certificate subject configuration and modify the security permissions. Configuring a duplicate certificate template requires the Enterprise Edition of the Windows server operating system. For more information about how to configure an example certificate template for the optional client authentication certificate, see the step-by-step example deployments referenced at the beginning of this topic.

Renewing the Client Certificate for AMT-Based Computers

An expired client certificate that is not renewed for AMT-based computers will result in Configuration Manager being unable to manage that computer out of band by using the associated 802.1X authenticated wired network or wireless networks.

In addition to monitoring the Web server certificates that it deploys to AMT-based computers, Configuration Manager monitors all client certificates that it deploys and automatically requests new certificates before the originals expires. For more information about certificate renewal for out of band management, see the previous section for renewing the Web server certificate for AMT-based computers.

CRL Checking and Certificate Revocation for Out of Band Management Certificates

The following sections cover certificate revocation and certificate revocation list (CRL) checking for the provisioning certificate on the out of band service point, the Web server certificate on the AMT-based computers, and the optional client certificate on the AMT-based computers in Configuration Manager 2007 SP2.

CRL Checking for the Provisioning Certificate

AMT-based computers do not support downloading a certificate revocation list (CRL) to check whether the provisioning certificate is revoked. This means that AMT-based computers will still accept a provisioning certificate that has been revoked by the issuing CA. If you know that the provisioning certificate has been revoked, delete it from the certificate store on the out of band service point site system server. Then deploy a new provisioning certificate, and configure it in the out of band management component properties. If you cannot immediately deploy a valid AMT provisioning certificate, remove the out of band service point role until you have a replacement certificate.

CRL Checking for the Web Server Certificate

CRL checking by the Configuration Manager computers that connect to the AMT-based computers (the out of band service point site system, and any computer running the out of band management console) is performed by Windows Remote Management (WinRM). Versions of WinRM that are natively installed with operating systems prior to Windows Server 2008 R2 and Windows 7 do not support CRL checking. Versions of WinRM that are installed with Windows Server 2008 R2 and Windows 7 do support CRL checking. You might also be able to download and install later versions of WinRM that support CRL checking for earlier operating systems.

The different versions of WinRM and their capability to support CRL checking results in the following behavior with out of band management:

  • When CRL checking is not supported by the out of band service point site system and any computer running the out of band management console, these computers will still accept a Web server certificate that has been revoked for an AMT-based computer.

  • When CRL checking is supported by the out of band service point site system and any computer running the out of band management console, these computers will not accept a Web server certificate that has been revoked for an AMT-based computer. Additionally, as further protection against untrusted certificates, out of band management communication will fail in these scenarios if the CRL cannot be accessed. (For example, it is offline or network communication problems prevents access.)

noteNote
Typically, computers that do not perform CRL checking are running operating systems prior to Windows Server 2008 R2 and Windows 7.

The Web server certificate issued to each AMT-based computer during the provisioning process is automatically revoked by Configuration Manager in the following scenarios:

  • You remove the provisioning information from the computer, using Configuration Manager. The site server revokes the certificate with the revocation reason of Superseded.

  • You provision the computer and Configuration Manager discovers a certificate previously issued to the same AMT-based computer. This might happen if the AMT-based computer is locally configured with the option to remove provisioning configuration in the BIOS extensions. The site server revokes the certificate with the revocation reason of Superseded and requests a new certificate.

  • The out of band management maintenance task Evaluate Provisioned AMT Computer Certificates runs according to its configured schedule. When a certificate is found to be within the configured expiration period for renewal, the site server revokes the certificate with the revocation reason of Superseded and requests a new certificate. For more information about this maintenance task, see the previous section “Renewing the Web Server Certificate for AMT-Based Computers.”

  • For Configuration Manager 2007 SP2 only: You block a Configuration Manager client that is provisioned for AMT. The site server revokes the certificate with the revocation reason of Superseded. For more information about this scenario, see About Blocking Clients and Out of Band Management.

The Web server certificate is not revoked when you update the data in the management controller.

The primary site server computer must have the permission Issue and Manage Certificate on the issuing certification authority.

ImportantImportant
Make sure that you communicate to your PKI administrators the circumstances in which the Web server certificates can be automatically revoked by Configuration Manager. Explain that this action is an expected process for certificate management rather than denoting a security problem with the AMT-based computers.

CRL Checking for the Optional Client Certificate

The optional client certificate is used for authentication to a RADIUS server and is never used to authenticate to the Configuration Manager infrastructure. This means that it is the RADIUS server that performs CRL checking for this client certificate. Consult the documentation for your RADIUS solution about whether CRL checking is supported and the resulting behavior for AMT-based computers if their client certificate is revoked or the CRL cannot be accessed.

noteNote
Microsoft RADIUS solutions perform CRL checking. For example, Network Policy Server on Windows Server 2008 performs CRL checking for AMT-based computers and rejects connection requests when the client certificate is revoked or cannot be verified because the CRL is not accessible.

The client certificates issued to each AMT-based computer are automatically revoked by Configuration Manager and with the same revocation reason of Superseded for the same scenarios as it revokes the Web server certificate. Additionally, depending on your configuration, a client certificate (or multiple client certificates) might be revoked whenever you update the management controller and you have configured the client certificate template on the Configuration Manager 802.1X wired network configuration or for one of the wireless profiles.

ImportantImportant
Make sure that you communicate to your PKI administrators the circumstances in which the client certificates can be automatically revoked by Configuration Manager. Explain that this action is an expected process for certificate management rather than denoting a security problem with the AMT-based computers.

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft