Generates a null signed Certificate Signing Request (CSR) to be fed into an Intel AMT device.
This null signed CSR is used to convey the attributes that we want to add to the actual CSR generated by the Intel AMT device.
NB: For a full example, see the TLS section at rgl/intel-amt-notes.
Download the latest binary and install it:
arch="$([ "$(uname -m)" = 'x86_64' ] && echo 'amd64' || echo 'arm64')"
url="$(wget -qO- https://api.github.com/repos/rgl/create-amt-null-signed-csr/releases/latest \
| jq -r '.assets[].browser_download_url' \
| grep -E "_$arch\.tgz$")"
wget -qO- "$url" | sudo tar xz -C /usr/local/bin/ create-amt-null-signed-csr
Export the AMT device public key using amtctrl:
amtctrl test pki list keys | tail -n +2 >amt-public-key.pem
Create the null signed CSR, e.g.:
create-amt-null-signed-csr -pk amt-public-key.pem -cn 192.168.1.89 >amt-null-signed-csr.pem
openssl req -text -noout -in amt-null-signed-csr.pem
Request the AMT device to create the CSR from the null signed CSR:
amtctrl test pki request amt-null-signed-csr.pem 'Intel(r) AMT Key: Handle: 0' | tail -n +2 >amt-csr.pem
# show the CSR content.
# NB verify that the public key is the same as the one in amt-public-key.pem
# NB verify that the self-signature check succeeds (Certificate request self-signature verify OK).
openssl req -verify -text -noout -in amt-csr.pem
The null signed CSR can also be created with the OpenSSL 3 -force_pubkey option, e.g.:
amtctrl test pki list keys | tail -n +2 >amt-public-key.pem
openssl genrsa -out tmp-rsa-key.pem 2048
openssl x509 -x509toreq -new \
-sha256 \
-subj '/CN=192.168.1.89' \
-signkey tmp-rsa-key.pem \
-force_pubkey amt-public-key.pem \
-out amt-null-signed-csr.pem
Install Go 1.18.
Build the binary:
go build