Securely Manage Intel AMT with MeshCommander's TLS Mode

Table of Contents

1. Introduction
2. Setting Up an Intel AMT Machine in TLS Mode
   1. Connecting to the Mesh Commander Tool
   2. Adding a Certificate to AMT
   3. Enabling TLS with Mesh Commander
   4. Disconnecting and Reconnecting with TLS
3. Another Method to Enable TLS in AMT
   1. Disabling TLS
   2. Using the Certificate Manager
   3. Issuing a Certificate from the Certificate Manager
   4. Enabling TLS with the New Certificate
   5. Connecting with TLS
4. Conclusion

Setting Up an Intel AMT Machine in TLS Mode

In this article, we will discuss how to set up an Intel AMT machine in TLS mode using the Mesh Commander tool. TLS, or Transport Layer Security, is essential for encrypting network communication between the console (such as Mesh Commander) and AMT, ensuring secure management of the computer.

Connecting to the Mesh Commander Tool

To begin, open the Mesh Commander tool and connect to the AMT machine you want to set up. TLS mode is available for AMT 6 and higher. Once connected, navigate to the security settings tab.

Adding a Certificate to AMT

By default, AMT does not have any certificates and is not set up with TLS. To enable TLS, we need to add a certificate to AMT. In the security settings tab, click on "Issue Certificate" instead of "Add Certificate." Issuing a certificate generates a private key within AMT and sets up the certificate accordingly. You can provide the common name, organization, country, and other details for the certificate. After a few seconds, the certificate will be generated, and you can see its details.

Enabling TLS with Mesh Commander

Once the certificate has been issued, navigate to the TLS section and select the certificate you want to use. Choose the mode for remote and local connections, such as server authentication only or server authentication with non-TLS allowed. Selecting the appropriate mode will enable TLS for AMT. However, keep in mind that switching to a TLS mode may disconnect the current connection.

Disconnecting and Reconnecting with TLS

After enabling TLS, you can disconnect from the AMT machine and establish a TLS connection to port 60993. When reconnecting, the browser or tool will receive the TLS certificate. The first time you connect, the tool may warn you about an untrusted certificate. You can choose to connect anyway, and the certificate will be pinned for future connections. Subsequent connections will not Prompt any warnings.

Another Method to Enable TLS in AMT

Alternatively, you can enable TLS in AMT using the built-in Certificate Manager in Mesh Commander. This method allows you to create and manage your own root certificates for increased control.

Disabling TLS

Before configuring TLS with the Certificate Manager, first disable TLS in the security settings. This will reset AMT to its default non-TLS state.

Using the Certificate Manager

Access the Certificate Manager in the Mesh Commander menu. From here, you can create a root certificate with your desired information, such as organization name and location. This root certificate will serve as the trusted authority for AMT machines.

Issuing a Certificate from the Certificate Manager

Once the root certificate is created, you can issue certificates from the Certificate Manager, making use of the trusted root certificate. This ensures that the certificates generated by AMT are signed by the trusted root, establishing a chain of trust.

Enabling TLS with the New Certificate

After issuing a certificate from the Certificate Manager, return to the security settings and select the newly created certificate. Choose the appropriate TLS mode for remote and local connections.

Connecting with TLS

With TLS enabled using the custom root certificate, you can now connect to the AMT machine securely. The tool will recognize the trusted root certificate and establish a TLS connection without the need for certificate pinning.

Conclusion

In this article, we explored different methods for setting up an Intel AMT machine in TLS mode using the Mesh Commander tool. Whether by issuing a certificate or using the Certificate Manager, enabling TLS ensures secure communication between the console and AMT. By following the steps outlined in this article, you can easily configure your AMT machine for TLS and enhance the security of your management operations.

Highlights

• Set up an Intel AMT machine with TLS mode using Mesh Commander
• Add a certificate to AMT to enable TLS encryption
• Choose different TLS modes for remote and local connections
• Use the built-in Certificate Manager for custom root certificates
• Establish secure TLS connections without certificate pinning

FAQs

Q: What is TLS?
A: TLS stands for Transport Layer Security and is a cryptographic protocol used to secure network communication.

Q: Which version of AMT supports TLS mode?
A: AMT version 6 and higher supports TLS mode.

Q: Can I add my own root certificate for TLS?
A: Yes, using the Certificate Manager in Mesh Commander, you can create and manage your own root certificates for increased control.

Resources

• Mesh Commander Tool
• Intel AMT