Note that because VeriSign does not support the Intel AMT provisioning OID, this certificate request uses the alternative method of supplying the OU attribute of "Intel(R) Client Setup Certificate". These steps assume that you're following the and have previously created the security group and certificate templates. If your chosen CA company does not supply their own instructions or you are having problems with this, following this example might be helpful. Bear in mind that this certificate request method is not VeriSign's usual method to request a certificate, and we were using it more as a proof of concept. This certificate then successfully provisioned our AMT-based computers, so we knew that the certificate was correct. I've been working with our AMT tester, Wei Wei, to find a procedure using Certreq that successfully requested and installed an AMT provisioning certificate from The certificate template is used with our internal CA and not the public CA, so we weren't sure how much to supply in the inf file that is used to create the certificate request. However, these assume that you do not have your own enterprise CA and when we tried creating the certificate request file by using Certreq.exe it failed, because it was expecting a certificate template to be supplied.
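As an added illustration of the OU-based request described above (this is not the inf file used in the original post, which does not appear on this page), the following PowerShell writes a Certreq policy file whose subject carries the OU attribute, creates the request in the computer store, and checks that the OU is present before the request goes to the CA. The host name, organization fields, file names, key settings and the EKU entry are assumptions.

```powershell
# Added example. Subject values, file names and key settings are assumptions,
# not values taken from the original post.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; The OU value marks the certificate for AMT provisioning when the CA
; does not support the Intel AMT provisioning OID.
Subject = "CN=oob01.example.com, OU=Intel(R) Client Setup Certificate, O=Example Corp, L=City, S=State, C=US"
KeySpec = 1                ; AT_KEYEXCHANGE
KeyLength = 2048
KeyUsage = 0xa0            ; digital signature + key encipherment
MachineKeySet = TRUE       ; key pair is created in the computer store
Exportable = FALSE         ; requested where it is used, so no export is needed
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication (assumed here; the issuing CA decides the final EKU).
OID = 1.3.6.1.5.5.7.3.1
'@

# Single-quoted here-string keeps "$Windows NT$" literal.
Set-Content -Path .\amtprov.inf -Value $inf -Encoding ASCII

# Build the PKCS #10 request; the private key stays on this computer.
certreq.exe -new .\amtprov.inf .\amtprov.req
if ($LASTEXITCODE -ne 0) {
    throw "certreq -new failed with exit code $LASTEXITCODE"
}

# Confirm the OU made it into the request subject before submitting it.
$dump = certutil.exe -dump .\amtprov.req
if (-not ($dump | Select-String -SimpleMatch 'Intel(R) Client Setup Certificate')) {
    throw 'OU attribute is missing from the request subject'
}

# After the CA returns the signed certificate (file name is a placeholder),
# install it on the same computer so it pairs with the pending private key:
# certreq.exe -accept .\amtprov.cer
```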
There are many KBs that provide instructions on how to request certificates from a public CA (for example, It's always better to request the certificate directly from where you are going to use it. As with the native mode step-by-step guide for Windows Server 2008, using the command-line tool, Certreq.exe, seemed the best choice if the CA company didn't provide their own instructions (usually a form from their Web site). You can request it for the User store and then export it, but this is an extra step and can untidily leave the certificate installed where it shouldn't be. The reason why we didn't include the Web enrollment instructions for the Windows Server 2008 guide was because the later enrollment pages no longer allow you to request a certificate for the computer store.
In the Windows Server 2003 CA step-by-step, we said follow any instructions provided by the CA company otherwise use the Web enrollment procedure to create a certificate request file.
One of the main differences with this guide from the equivalent step-by-step that used a Windows Server 2003 CA was that it didn't have a procedure for requesting an AMT provisioning certificate from an external (public) CA.
With the December documentation update for the Configuration Manager library, we posted a new step-by-step guide for out of band management, to help customers deploy the PKI certificates with a Windows Server 2008 CA ( First published on CloudBlogs on Feb, 25 2009