Why is my certificate template missing from Intel SCS Console?

When creating an Intel AMT Configuration profile with Transport Layer Security (TLS), a target Microsoft Certificate Authority (CA) and certificate template must be specified.  When using TLS with Intel AMT, a Server Authentication certificate must be defined and applied into the firmware of each system.   The easiest choice is the WebServer certificate template.   In some environments, this template might be disabled or removed due to security policies.

The following steps summarize the required steps.

First - if a valid Server Authentication certificate template has not be published, a screen similar to the following will occur.   The certificate template field is blank with no available options


Within the Microsoft Enterprise CA, duplicate the WebServer certificate template.  When prompted, select the default option for "Windows 2003 Server, Enterprise Edition"


Provide the details for the certificate template.   Shown below the certificate template name is "Intel AMT TLS Cert".


On the security tab, provide access to the template for the logon account of RCSserver.   In this example, RCSserver is running under the Network Service Account of a system with hostname SCS8, thus the select "SCS8$".   Grant the "Read" and "Enroll" permissions


Next, issue the certificate template.   Right click on Certificate Templates under the target Microsoft CA (Note: Required only for Microsoft Enterprise CA to issue certificate templates to the Microsoft Active Directory.   Microsoft Standalone CA implementations do not include this option.)


With the certificate template issued...


... in the Intel SCS console, select "Refresh CAs &Templates".   Via the pull down list, select the target certificate template.


Two final reminders - ensure the logon account for RCSserver (the server component of the Intel SCS installation) has rights to "Issue and Manage Certificates" along with "Request Certificates" as required for the Web Enrollment process.


And ensure the Policy Module setting allows for automatically issuing certificates


The above information is provided in the Intel SCS User Guide.   This article provides a summary and reminder