https://github.com/rgl/create-amt-null-signed-csr


# About

[![build](https://github.com/rgl/create-amt-null-signed-csr/actions/workflows/build.yml/badge.svg)](https://github.com/rgl/create-amt-null-signed-csr/actions/workflows/build.yml)

Generates a null signed Certificate Signing Request (CSR) to be fed into an Intel AMT device.

This null signed CSR is used to convey the attributes that we want to add to the actual CSR generated by the Intel AMT device.

**NB** For a full example see the [TLS Section at rgl/intel-amt-notes](https://github.com/rgl/intel-amt-notes#tls-certificate).

# Usage

[Download the latest binary](https://github.com/rgl/create-amt-null-signed-csr/releases) and install it:

```bash
arch="$([ "$(uname -m)" == 'x86_64' ] && echo 'amd64' || echo 'arm64')"
url="$(wget -qO- https://api.github.com/repos/rgl/create-amt-null-signed-csr/releases/latest \
| jq -r '.assets[].browser_download_url' \
| grep -E "_$arch\.tgz$")"
wget -qO- "$url" | sudo tar xz -C /usr/local/bin/ create-amt-null-signed-csr
```

Export the AMT device public key using [`amtctrl`](https://github.com/nomis/intel-amt):

```bash
amtctrl test pki list keys | tail -n +2 >amt-public-key.pem
```

Create the null signed CSR, e.g.:

```bash
create-amt-null-signed-csr -pk amt-public-key.pem -cn 192.168.1.89 >amt-null-signed-csr.pem
openssl req -text -noout -in amt-null-signed-csr.pem
```

Request the AMT device to create the CSR from the null signed CSR:

```bash
amtctrl test pki request amt-null-signed-csr.pem 'Intel(r) AMT Key: Handle: 0' | tail -n +2 >amt-csr.pem
# Show the CSR content.
# NB verify that the public key is the same as the one in amt-public-key.pem.
# NB verify that the self-signature check succeeds (Certificate request self-signature verify OK).
openssl req -verify -text -noout -in amt-csr.pem
```

## Alternative (OpenSSL 3)

The null signed CSR can also be created with the OpenSSL 3 `-force_pubkey` option, e.g.:

```bash
amtctrl test pki list keys | tail -n +2 >amt-public-key.pem
openssl genrsa -out tmp-rsa-key.pem 2048
openssl x509 -x509toreq -new \
-sha256 \
-subj '/CN=192.168.1.89' \
-signkey tmp-rsa-key.pem \
-force_pubkey amt-public-key.pem \
-out amt-null-signed-csr.pem
```

# Build

Install [Go 1.18](https://go.dev/dl/).

Build the binary:

```bash
go build
```

# Reference

* [Setup and Configuration of Intel AMT: Enroll a Certificate](https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fenrollacertificate1.htm)
* [MeshCommander - TLS & Mutual-TLS](https://www.youtube.com/watch?v=PNpQV6C0Gb8)