Intel® Endpoint Management Assistant requirements for Intel® AMT version 14 or later
Endpoints with Intel® AMT version 14 or later cannot be provisioned, even though the Intel® EMA configuration worked before with older AMT versions.
In some scenarios, certificate vendors have renewed certificates off the old certificate chain, which results in the intermediate chaining up to a root CA that uses the SHA1 signature algorithm.
Starting from Intel® Management Engine (ME) version 15.0 firmware for Intel® Chipset H platform, and Intel® ME 16.0 firmware for all platforms, Intel is removing support for SHA1 root certificates and RSA key sizes smaller than 2048 bits for Intel® AMT provisioning.
In those releases and later, it is no longer possible to add SHA1 hashes, and none of the certificates in the certificate chain can be SHA1-based, including the root certificate.
Source: Intel® AMT SDK Implementation and Reference Guide
The certificate vendor needs to reissue the certificate so that it is signed by an intermediate certificate that supports the SHA256 signature algorithm. That intermediate will chain up to the root CA that supports Intel AMT.
In the case of DigiCert, the required intermediate CAs are shown below.
The chain supports the SHA256 signature algorithm.
If the Certificate vendor issued a certificate that does not chain up to the DigiCert Global CA G2, then contact the vendor to reissue a certificate chain that looks like the screenshot above.
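To check a provisioning certificate against the SHA1 and RSA key size limits described above, the following PowerShell is an added example, not part of Intel's article or tooling. It lists each element of a PFX's certificate chain with its signature algorithm and RSA key size; the function names and the file name provisioning.pfx are hypothetical, and the chain is built against the local Windows certificate stores plus the certificates inside the PFX.

```powershell
# Added example, not Intel code: flag SHA1 signatures and RSA keys under 2048 bits.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.2.840.10045.4.1',     # ecdsa-with-SHA1
    '1.2.840.10040.4.3'      # dsa-with-sha1
)

function Test-AmtChainCertificate {
    param([Parameter(Mandatory, ValueFromPipeline)][X509Certificate2]$Certificate)
    process {
        $problems = @()
        if ($Sha1SignatureOids -contains $Certificate.SignatureAlgorithm.Value) { $problems += 'SHA1 signature' }
        # GetRSAPublicKey returns $null for non-RSA keys such as ECDSA.
        $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($rsa -and $rsa.KeySize -lt 2048) { $problems += "RSA key of $($rsa.KeySize) bits" }
        [pscustomobject]@{
            Subject   = $Certificate.Subject
            Signature = $Certificate.SignatureAlgorithm.FriendlyName
            RsaBits   = if ($rsa) { $rsa.KeySize } else { $null }
            Problems  = $problems -join '; '
        }
    }
}

function Get-PfxChain {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = [X509Certificate2Collection]::new()
    $certs.Import((Resolve-Path $Path).ProviderPath, $plain, [X509KeyStorageFlags]::DefaultKeySet)
    $leaf = $certs | Where-Object HasPrivateKey | Select-Object -First 1
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # offline audit
    $chain.ChainPolicy.ExtraStore.AddRange($certs)  # intermediates shipped in the PFX
    [void]$chain.Build($leaf)  # elements are populated even when trust validation fails
    $chain.ChainElements | ForEach-Object { $_.Certificate }
}

# Constructed sample: in-memory self-signed SHA1 certificate (needs .NET Framework 4.7.2+).
$key = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=Constructed SHA1 Root', $key,
    [HashAlgorithmName]::SHA1, [RSASignaturePadding]::Pkcs1)
$req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1)) |
    Test-AmtChainCertificate
# Your own file (hypothetical name):
# Get-PfxChain .\provisioning.pfx (Read-Host -AsSecureString) | Test-AmtChainCertificate
```

Any row with a non-empty Problems column identifies a chain element that the vendor needs to replace when reissuing the certificate.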