Article ID: 000059996 Content Type: Troubleshooting Last Reviewed: 09/08/2021

How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher

Summary

An option to create a Certificate Hash of 2048 bits and install it into the Intel® Active Management Technology (Intel® AMT) MEBx BIOS.

Description

The Intel® Active Management Technology (Intel® AMT) MEBx BIOS does not allow adding a Hash of 2048 bits (SHA256). The SHA256 Hash string is too long, and the MEBx interface does not support it yet.

Resolution

The available options are:

  1. From your Certificate Authority server, open the Microsoft Management Console Window.
    1. Select Start > Run.
    2. Enter mmc and click OK.
  2. If the Certificate Templates plug-in is not installed, perform these steps:
    1. Select File > Add/Remove Snap-in.
    2. Click Add.
    3. From the list of available snap-ins, select Certificate Templates, click Add, and then click Close.
    4. Click OK. The Add/Remove Snap-in window closes, and the Certificate Templates snap-in is added to the Console Root tree.
  3. From the Console Root tree, double-click Certificate Templates. The list of templates is shown in the right pane.
  4. In the right pane, right-click the Computer template and select Duplicate Template.
  5. Click the General tab. Make sure that the Publish certificate in the Active Directory check box is NOT selected.
  6. In the Template display name field, enter a name for the template.
  7. Click the Extensions tab. From the list of extensions, select Application Policies and click Edit. The Edit Application Policies Extension window opens.
  8. Click Add.
  9. Click New.
  10. Enter a policy name, and in the Object Identifier field, enter this OID for remote configuration: 2.16.840.1.113741.1.2.3.
  11. Click OK to return to the Add Application Policy window, click OK to return to the Edit Application Policies Extension window, and click OK to return to the Properties of New Template window.
  12. Click the Subject Name tab and select Supply in the request.
  13. Click the Request Handling tab and select the Allow private key to be exported check box.
  14. Click OK.
  15. Open the Certification Authority from Server Manager Tools, or enter certsrv.msc in the Run window.
  16. From the tree in the left pane, select Certificate Templates.
  17. Right-click in the right pane and select New > Certificate Template to Issue.
  18. In the Enable Certificate Templates window, select the template that you just created and click OK. The template is now included in the right pane with the other certificate templates.
  19. Restart the CA (to publish the new template into Active Directory).

Then, follow the instructions on how to install the Hash manually using the USBFile.exe tool. The tool can be downloaded from the Intel® Active Management Technology SDK.

Note

The USB drive needs to be formatted as FAT (FAT32 and UEFI are not supported).

The AMT configuration via USB option needs to be active in the BIOS of the system.
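
Before the Hash is written to the USB drive, the certificate can be checked for the remote configuration OID from step 10 and its SHA256 Hash string computed. The following is an added example, not code from Intel or the Intel® AMT SDK: the function name Get-AmtCertReport is hypothetical, and the test certificate is a constructed, throwaway self-signed certificate created in memory. It assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example: function name and sample certificate are constructed for illustration.
$AmtRemoteConfigOid = '2.16.840.1.113741.1.2.3'   # OID entered in step 10

function Get-AmtCertReport {
    param([Parameter(Mandatory)] [X509Certificate2]$Cert)

    # Every OID listed in the Enhanced Key Usage (application policy) extension.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # The certificate hash is SHA-256 over the DER-encoded certificate bytes.
    $sha256 = [SHA256]::Create()
    try     { $digest = $sha256.ComputeHash($Cert.RawData) }
    finally { $sha256.Dispose() }

    # RSA key size, or $null when the certificate does not carry an RSA key.
    $keyBits = $null
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { $keyBits = $rsa.KeySize }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        RsaKeyBits    = $keyBits
        HasAmtOid     = $ekuOids -contains $AmtRemoteConfigOid
        HasPrivateKey = $Cert.HasPrivateKey            # relevant to step 13
        Sha256Hash    = [BitConverter]::ToString($digest) -replace '-', ''
    }
}

# Constructed sample input: in-memory self-signed certificate carrying the OID.
$key  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=amt-provisioning.example.test', $key,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$ekus = [OidCollection]::new()
[void]$ekus.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))       # Server Authentication
[void]$ekus.Add([Oid]::new($AmtRemoteConfigOid))
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($ekus, $false))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

Get-AmtCertReport -Cert $sample | Format-List
```

To check a certificate exported from the CA instead of the sample, load the file with `[X509Certificate2]::new($path)` and pass the result to the function. The Sha256Hash value is 64 hexadecimal characters long.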