Added strictCommonName option for matching the Intel AMT ACM activation cert.

certoperations.js

@@ -247,14 +247,20 @@ module.exports.CertificateOperations = function (parent) {
                 // Get the certificate common name
                 var certCommonName = r.certs[0].subject.getField('CN');
                 if (certCommonName == null) { amtacmactivation.acmCertErrors.push("Unable to get Intel AMT activation certificate common name."); continue; }
-                var certCommonNameSplit = certCommonName.value.split('.');
-                var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
-                var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
-                if (topLevelNum != null) {
-                    while (certCommonNameSplit.length > topLevelNum) { certCommonNameSplit.shift(); }
-                    acmconfig.cn = certCommonNameSplit.join('.');
-                } else {
+                if (amtacmactivation.strictcommonname == true) {
+                    // Use the certificate common name exactly
                     acmconfig.cn = certCommonName.value;
+                } else {
+                    // Check if Intel AMT will allow some flexibility in the certificate common name
+                    var certCommonNameSplit = certCommonName.value.split('.');
+                    var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
+                    var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
+                    if (topLevelNum != null) {
+                        while (certCommonNameSplit.length > topLevelNum) { certCommonNameSplit.shift(); }
+                        acmconfig.cn = certCommonNameSplit.join('.');
+                    } else {
+                        acmconfig.cn = certCommonName.value;
+                    }
                 }
 
                 delete acmconfig.cert;

meshcentral-config-schema.json

@@ -934,6 +934,7 @@
             "additionalProperties": false,
             "properties": {
               "log": { "type": "string" },
+              "strictCommonName": { "type": "boolean", "default": false, "description": "When set to true, the certificate common name needs to match exactly the Intel AMT trusted FQDN or DHCP Option 15. If false, some flexibility may be given to the matching." },
               "certs": {
                 "type": "object",
                 "additionalProperties": {

sample-config-advanced.json

@@ -367,6 +367,7 @@
       ],
       "_amtAcmActivation": {
         "log": "amtactivation.log",
+        "strictCommonName": false,
         "certs": {
           "mycertname": {
             "certfiles": [