Defining Transport Layer Security (TLS)

The Transport Layer Security (TLS) window of the Configuration Profile Wizard lets you define TLS settings to apply to the Intel AMT system. When TLS is enabled, the Intel AMT device authenticates itself to other applications using a server certificate. If mutual TLS authentication is enabled, any application that interacts with the device must supply a client certificate, which the device uses to authenticate the application.

Note:
You cannot use a configuration profile containing TLS settings to configure Intel AMT systems that have Cryptography disabled.

To configure TLS settings:

  1. From the Select the method for creating the certificate drop-down list, select the source for the certificate that will be installed in the Intel AMT device:
    • Request certificate from Microsoft CA – By default, the settings for this option are displayed. If you are using a Microsoft* CA, continue to step 2.
    • Use certificate from a file – For information about this method and the necessary file format, see Using Predefined Files Instead of a CA Request. If you select this option, define the file locations and continue from step 3.
  2. If the certificate will be requested from a Microsoft CA, do these steps:
    1. From the Certificate Authority drop-down list, select the certification authority. Intel SCS automatically detects whether the selected CA is a Standalone root CA or an Enterprise root CA.
    2. If you are using an Enterprise root CA, you must select the template that will be used to create the certificate. From the Server Certificate Template drop-down list, select the template that you defined for TLS. For information about how to create a template for TLS, see step 15 of Defining Enterprise CA Templates.
    3. Define the Common Names that will be included in the Subject Name of the generated certificate. For more information, see Defining Common Names in the Certificate.
      Note:
      • To use this option, Intel SCS must have access to the CA during configuration (see Required Permissions on the CA).
      • If you are creating the profile on a computer that does not have access to the CA, the drop-down lists will not display the CA or the templates. If necessary, you can manually supply the CA name (in the format FQDN\CA Name) and the name of the template. When entering these values manually, you must also select the type of CA (Enterprise CA or Standalone CA).
  3. (Optional) To enable mutual TLS:
    1. Select Use mutual authentication for remote interface.
    2. Define the trusted root certificates that will be used by Intel AMT systems configured with this profile (see Defining Trusted Root Certificates).
    3. (Optional) Define advanced mutual TLS settings (see Defining Advanced Mutual Authentication Settings).
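
When the CA name, CA type and template are entered manually (because the computer creating the profile cannot reach the CA), nothing in the drop-down lists catches a malformed or inconsistent value. The following is an added example, not part of Intel SCS or of the original page: a small pre-flight check of the values described in steps 2 and 3. The class and function names, and the sample host, CA, template and file names, are hypothetical.

```python
import re
from dataclasses import dataclass, field

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

@dataclass
class TlsProfileInput:              # hypothetical container, not an Intel SCS type
    ca_config: str                  # manual entry in the form FQDN\CA Name
    ca_type: str                    # "Enterprise" or "Standalone"
    template: str = ""              # server certificate template (Enterprise CA only)
    mutual_tls: bool = False        # "Use mutual authentication for remote interface"
    trusted_roots: list = field(default_factory=list)

def split_ca_config(value):
    """Split 'FQDN\\CA Name' into (fqdn, ca_name); raise ValueError if malformed."""
    fqdn, sep, ca_name = value.partition("\\")
    if not sep or not ca_name.strip() or "\\" in ca_name:
        raise ValueError("expected exactly one backslash: FQDN\\CA Name")
    labels = fqdn.split(".")
    if len(labels) < 2 or len(fqdn) > 253 or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"host part is not a fully qualified name: {fqdn!r}")
    return fqdn.lower(), ca_name.strip()

def lint(p):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    try:
        split_ca_config(p.ca_config)
    except ValueError as exc:
        problems.append(f"CA: {exc}")
    if p.ca_type not in ("Enterprise", "Standalone"):
        problems.append("CA type must be Enterprise or Standalone")
    elif p.ca_type == "Enterprise" and not p.template.strip():
        problems.append("Enterprise CA requires a server certificate template")
    elif p.ca_type == "Standalone" and p.template.strip():
        problems.append("Standalone CA does not use templates; template is ignored")
    if p.mutual_tls and not p.trusted_roots:
        problems.append("mutual TLS enabled but no trusted root certificates defined")
    return problems

if __name__ == "__main__":
    # Constructed sample: short host name, no template, mutual TLS without roots.
    sample = TlsProfileInput("ca01\\Corp Issuing CA", "Enterprise", mutual_tls=True)
    print("\n".join(lint(sample)) or "inputs are consistent")
```
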

See Also:

Standalone or Enterprise CA