Generates a null signed Certificate Signing Request (CSR) to be feed into a Intel AMT device.

This null signed CSR is used to convey the attributes that we want to add to the actual CSR generated by the Intel AMT device.

NB For a full example see the TLS Section at rgl/intel-amt-notes.


Download the latest binary and install it:

arch="$([ "$(uname -m)" == 'x86_64' ] && echo 'amd64' || echo 'arm64')"
url="$(wget -qO- https://api.github.com/repos/rgl/create-amt-null-signed-csr/releases/latest \
  | jq -r '.assets[].browser_download_url' \
  | grep -E "_$arch\.tgz$")"
wget -qO- "$url" | sudo tar xz -C /usr/local/bin/ create-amt-null-signed-csr

Export the AMT device public key using amtctrl:

amtctrl test pki list keys | tail -n +2 >amt-public-key.pem

Create the null signed CSR, e.g.:

create-amt-null-signed-csr -pk amt-public-key.pem -cn >amt-null-signed-csr.pem
openssl req -text -noout -in amt-null-signed-csr.pem

Request the AMT device to create the CSR from the null signed CSR:

amtctrl test pki request amt-null-signed-csr.pem 'Intel(r) AMT Key: Handle: 0' | tail -n +2 >amt-csr.pem
# show the csr content.
# NB verify that the public key is the same as the one in amt-public-key.pem
# NB verify that the verify is successful (Certificate request self-signature verify OK).
openssl req -verify -text -noout -in amt-csr.pem

Alternative (OpenSSL 3)

The creation of the null signed CSR can also be done with OpenSSL 3 -force_pubkey as, e.g.:

amtctrl test pki list keys | tail -n +2 >amt-public-key.pem
openssl genrsa -out tmp-rsa-key.pem 2048
openssl x509 -x509toreq -new \
  -sha256 \
  -subj '/CN=' \
  -signkey tmp-rsa-key.pem \
  -force_pubkey amt-public-key.pem \
  -out amt-null-signed-csr.pem


Install Go 1.18.

Build the binary:

go build



View Github