Describe the bug
Several validation gaps in the provisioning certificate (PFX) logic for domain profile upload may cause silent AMT activation failures or hard-to-debug errors after the certificate is stored:
- notBefore check: No cert in the chain should have a notBefore date in the future; currently, only notAfter is checked at domain.ts:136.
- Intel AMT Activation OID (2.16.840.1.113741.1.2.3): The EKU extension on the leaf cert must be true. Modeled in AMTKeyUsage, validated at cert generation in certManager, but not on upload.
- Chain integrity: Each certificate in the chain must be signed by the next cert up (do not just check hash structure or detect only self-signed root).
- Private key matched to leaf cert: The PFX should have at least one key and it must correspond to the leaf cert public key. Without this, createSignedString will fail at runtime.
- Minimum RSA key size: Both root and leaf certs must be at least 2048 bits for AMT requirements.
Steps to reproduce
- Upload a provisioning certificate PFX that:
  - Has a future notBefore date.
  - Lacks the Intel AMT EKU OID on the leaf cert.
  - Includes broken or self-signed linkages in the chain.
  - Misses the private key or contains a key not matching the leaf cert.
  - Uses a key size below 2048 bits on root or leaf.
- Attempt AMT domain profile provisioning and observe behavior (activation may seem successful but will fail later, or error will be obscure).
Expected behavior
All provisioning certificates uploaded for a domain profile are immediately and explicitly validated against:
- notBefore <= today for all chain certs
- Leaf EKU OID 2.16.840.1.113741.1.2.3 must be true
- Each cert in the chain is signed correctly by the one above
- Private key exists and matches leaf cert
- Key size >= 2048 bits (root/leaf)
Any failure results in a meaningful error message at upload time, before the cert is stored or domain activation attempted.
Screenshots
No response
AMT Version
All supported versions
Configuration Mode
ACM
Operating System
All supported Operating Systems
AMT Device Information
No response
Service Deployment Information
No response
Additional context
Related concerns: Checks in domain.ts (notAfter), certManager (EKU on gen, not upload); failures show up as activation errors, not as cert upload errors.
Refer to AMT provisioning and FQDN certificate chain requirements for details.
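The five upload-time checks listed under "Expected behavior", sketched as an added TypeScript example; this is not the project's code. It assumes the certificates and private key have already been extracted from the PFX and expose the same members as Node's built-in `crypto.X509Certificate`; `ChainCert` and `validateProvisioningChain` are hypothetical names.

```typescript
// Added example; ChainCert and validateProvisioningChain are hypothetical names.
// ChainCert lists only the members of Node's crypto.X509Certificate used below,
// so real X509Certificate objects (leaf first, root last) can be passed as-is.
const AMT_ACTIVATION_OID = '2.16.840.1.113741.1.2.3'
const MIN_RSA_BITS = 2048

interface ChainCert {
  subject: string
  validFrom: string // notBefore, e.g. 'Jan 15 00:00:00 2024 GMT'
  keyUsage?: string[] // extended key usage OIDs
  publicKey: { asymmetricKeyType?: string, asymmetricKeyDetails?: { modulusLength?: number } }
  verify: (issuerPublicKey: any) => boolean // signature made by that key?
  checkIssued: (issuer: any) => boolean // issuer name matches issuer's subject?
  checkPrivateKey: (privateKey: any) => boolean
}

// Returns every problem found, so the upload handler can reject with one clear message.
function validateProvisioningChain (chain: ChainCert[], privateKey: unknown, now: Date = new Date()): string[] {
  if (chain.length === 0) return ['PFX contains no certificates']
  const errors: string[] = []
  const leaf = chain[0]
  chain.forEach((cert, i) => {
    // 1. notBefore must not be in the future, for every cert in the chain.
    if (new Date(cert.validFrom).getTime() > now.getTime()) {
      errors.push(`${cert.subject}: notBefore is in the future`)
    }
    // 3. Each cert must be signed by the next one up (the last cert has no parent here).
    const issuer = chain[i + 1]
    if (issuer !== undefined && !(cert.checkIssued(issuer) && cert.verify(issuer.publicKey))) {
      errors.push(`${cert.subject}: not signed by the next certificate in the chain`)
    }
  })
  // 2. Leaf EKU must carry the Intel AMT Activation OID.
  if ((leaf.keyUsage ?? []).indexOf(AMT_ACTIVATION_OID) === -1) {
    errors.push(`leaf certificate EKU is missing ${AMT_ACTIVATION_OID}`)
  }
  // 4. A private key must be present and match the leaf public key.
  if (privateKey == null) errors.push('PFX contains no private key')
  else if (!leaf.checkPrivateKey(privateKey)) errors.push('private key does not match the leaf certificate')
  // 5. RSA keys on leaf and root must be at least 2048 bits (non-RSA keys are not judged here).
  const sized = chain.length > 1 ? [leaf, chain[chain.length - 1]] : [leaf]
  for (const cert of sized) {
    const bits = cert.publicKey.asymmetricKeyDetails?.modulusLength ?? 0
    if (cert.publicKey.asymmetricKeyType === 'rsa' && bits < MIN_RSA_BITS) {
      errors.push(`${cert.subject}: RSA key is ${bits} bits, minimum is ${MIN_RSA_BITS}`)
    }
  }
  return errors
}
```

An empty result means the chain passed all five checks; any entries can be returned to the caller as the upload error before the certificate is stored.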