You are here: Introduction > Intel AMT and Security Considerations > Digital Signing of Files

Digital Signing of Files

The executable and DLL files of the Intel SCS components are digitally signed by Intel and include a time-stamp. (This does not include third-party files.) Using digital signatures increases security because it gives an indication that the file is genuine and has not been changed.

The ACU.dll is a library used by the Intel SCS components to do configuration tasks on Intel AMT devices. When running a command from the Configurator CLI, the Configurator tries to authenticate the signature of the ACU.dll. If authentication fails, the task is not permitted and the Configurator returns an error message.

This authentication is also done on external files run by the Configurator. This is the default behavior of the Configurator, but it can be changed per command (see CLI Global Options). When running CLI commands remotely or in a deployment package, it is not recommended to change this default.

The digital signature is authenticated against a trusted root certificate supplied by AddTrust External CA Root. The time-stamp is authenticated against a trusted root certificate supplied by Commodo. These certificates are located in the user trusted root certificate store of the operating system on the Intel AMT system. The certificates are automatically included in most of the operating system versions supported by the Intel SCS components.

Note:
  • Some Windows versions (for example, Windows 8) do not include all of the necessary trusted root certificates. If these systems also do not have access to the Internet, authentication will fail. For more information, see Exit Code 110.
  • In some environments, authentication of the digital signature can increase the configuration time by up to two minutes