Defining Enterprise CA Templates

If you use Intel SCS with an Enterprise CA to configure Intel AMT features to use certificate-based authentication, you must define certificate templates.

Note:

This procedure shows how to create a template containing the correct settings for Intel AMT. For settings specific to your organization (such as certificate expiration), specify the values you require. You must also make sure that the CA and the template are not defined to put certificate requests into the pending status. For more information, see Request Handling.

To create a certificate template:

  1. From your Certificate Authority server, select Start > Run. The Run window opens.
  2. Enter mmc and click OK. The Microsoft Management Console window opens.
  3. If the Certificate Templates plug-in is not installed, perform these steps:
    1. Select File > Add/Remove Snap-in. The Add/Remove Snap-in window opens.
    2. Click Add. The Add Standalone Snap-in window opens.
    3. From the list of available snap-ins, select Certificate Templates, click Add and then click Close. The Add Standalone Snap-in window closes.
    4. Click OK. The Add/Remove Snap-in window closes and the Certificate Templates snap-in is added to the Console Root tree.
  4. From the Console Root tree, double-click Certificate Templates. The list of templates is shown in the right pane.

  5. In the right pane, right-click the User template and select Duplicate Template. The Duplicate Template window opens.

    Note:
    Intel SCS supports only version 2 certificate templates. Version 3 certificate templates are not supported and cannot be selected in the configuration profile (they will not be shown in the list).
  6. Make sure that you select Windows Server 2003 Enterprise.
  7. Click OK. The Properties of New Template window opens.

  8. Make sure that the Publish certificate in Active Directory check box is NOT selected.
  9. In the Template display name field, enter a meaningful name. For example, name a template used to generate 802.1x client certificates “802.1x”.
  10. Change the validity and renewal periods as required by local policy and click Apply.
  11. Click the Request Handling tab. The Request Handling tab opens.

    Note:
    In the Minimum key size field, do not define a value higher than 2048. The maximum key size supported by Intel SCS is 2048.
  12. Click the CSPs button. The CSP Selection window opens.

  13. In the list of requests, select the Microsoft Strong Cryptographic Provider check box and click OK. The CSP Selection window closes.
  14. Click the Subject Name tab and select Supply in the request.
  15. Click the Security tab. The Security tab opens.
  16. Make sure that the user running the Configurator (or the group the user is in) is included in the list of users and has the Read and Enroll permissions.
  17. If this is a template for TLS, do these steps:
    1. Click the Extensions tab. The Extensions tab opens.
    2. From the list of extensions, select Application Policies and click Edit. The Edit Application Policies Extension window opens.
    3. Click Add. The Add Application Policy window opens.
    4. From the list of Application policies, select Server Authentication and click OK (the Server Authentication policy contains this OID: 1.3.6.1.5.5.7.3.1).
    5. Click OK to return to the Properties of New Template window.
      Note:

      If you define Mutual TLS in the configuration profile, each application that needs to communicate with the Intel AMT device will need a certificate. In addition to the Server Authentication OID (added in step 17, substep 4), the certificate must contain these OIDs:

      • For remote access: 2.16.840.1.113741.1.2.1
      • For local access: 2.16.840.1.113741.1.2.2

      You can add these OIDs to this template (by clicking New in the Add Application Policy window). You must then install a certificate, based on this template, in the certificate store of the user running the application.

  18. Click OK. The Properties of New Template window closes.
  19. Select Start > Programs > Administrative Tools > Certification Authority.
  20. From the Console Root tree, select Certificate Authority > Certificate Templates.
  21. Right-click in the right pane and select New > Certificate Template to Issue. The Enable Certificate Templates window opens.
  22. Select the template that you just created and click OK. The Enable Certificate Templates window closes and the template is added to the right pane with the other certificate templates.
  23. Restart the CA (to publish the new template in the Active Directory).
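
To confirm the result of the procedure above, the following read-only PowerShell audit is an added example, not part of Intel SCS or of the original page. It reads the template object from the Active Directory configuration partition and compares it with the settings in the steps. It assumes a domain-joined machine with read access to that partition; the template name `AMT-TLS` is hypothetical, and the attribute names and flag values are those of Microsoft's certificate template schema.

```powershell
# Added example (read-only), not Intel's code: audit one template object in AD.
param([string]$TemplateName = 'AMT-TLS')   # hypothetical template CN; use your own

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Template '$TemplateName' not found under $configNC"
}
$t = [ADSI]$path
$p = $t.psbase.Properties

$nameFlag   = [int]$p['msPKI-Certificate-Name-Flag'].Value
$enrollFlag = [int]$p['msPKI-Enrollment-Flag'].Value
$policies   = @($p['pKIExtendedKeyUsage']) + @($p['msPKI-Certificate-Application-Policy'])
$csps       = @($p['pKIDefaultCSPs'])      # entries look like "1,<provider name>"

$checks = [ordered]@{
    'Version 2 template schema'                   = ([int]$p['msPKI-Template-Schema-Version'].Value -eq 2)
    'Not published in Active Directory'           = (($enrollFlag -band 0x8) -eq 0)  # CT_FLAG_PUBLISH_TO_DS
    'Requests not put into pending status'        = (($enrollFlag -band 0x2) -eq 0)  # CT_FLAG_PEND_ALL_REQUESTS
    'Minimum key size is 2048 or lower'           = ([int]$p['msPKI-Minimal-Key-Size'].Value -le 2048)
    'Microsoft Strong Cryptographic Provider set' = (@($csps -match 'Microsoft Strong Cryptographic Provider$').Count -gt 0)
    'Subject name supplied in the request'        = (($nameFlag -band 0x1) -ne 0)    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    'Server Authentication policy (TLS template)' = ($policies -contains '1.3.6.1.5.5.7.3.1')
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-46} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}

# Mutual TLS only: the Intel AMT remote and local access policies from the note.
foreach ($oid in '2.16.840.1.113741.1.2.1', '2.16.840.1.113741.1.2.2') {
    'Intel AMT policy {0} present: {1}' -f $oid, ($policies -contains $oid)
}

# Security tab: list every principal allowed to enroll. Because the subject is
# supplied in the request, this list should hold only the Configurator user or group.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights
```

A `CHECK` on the Server Authentication line is expected for templates that are not used for TLS. Principals holding full control of the template object are not covered by the Enroll filter and should be reviewed separately on the Security tab.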