Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Prevent DHCP option 15 check (.local domain)

JWint3
Beginner

We currently have an internal domain with a .local ending and are aiming for Remote Configuration via PKI for our AMT systems (9.x and up). The problem here is the DHCP option 15 check, which does not work because publicly trusted CAs no longer issue certificates with internal names. As an alternative, an Intel representative suggested setting an external name in the internal DHCP option 15, but this is not possible because many devices in our environment rely on the correct local entry. Another suggestion requires physical contact with the device, which we want to prevent. Spoofing of DHCP or additional reservations only for the process of initial AMT configuration is also frowned upon.

My question is if there are any other ways to solve this problem we haven't found yet. Thank you.

For reference:

idata
Employee

Hello duncanwebb,

Regarding your question about whether it is possible to create a provisioning certificate for an internal domain name, I see that our Intel colleague provided you with some really good answers on this.

If there is anything else we can help with, please feel free to ask.

Best regards,

Henry A.
idata
Employee

Hello duncanwebb,

I just wanted to follow up and verify if there is anything else I can help you with.

If there is anything else we can help with, please feel free to ask.

Best regards,

Henry A.
idata
Employee

Hello duncanwebb,

We are following up on a case that is still open with the issue "if possible to create a provisioning certificate for internal Domain name". We know that this is important for you to get it resolved, and it is also equally important for us to get you the right solution. Since we have not seen an update for 4 days, the case will automatically close after 2 business days. You can still re-open the case by logging into your web portal or replying to this email so that all previous interactions around this case will carry through.

If there is anything else we can help with, please feel free to ask.

Best regards,

Henry A.