====== +++ Since the new OPSI Kiosk application, this is no longer necessary +++ ======

====== ImportCert ======

Script by tobias \\
Comments and improvements welcome \\
This script comes with ABSOLUTELY NO WARRANTY \\
Tested with opsi 4.0.2 \\
Tested with opsi-winst 4.11.2.5 \\
Tested with Windows 7 Enterprise x86 \\

If you want to use the OPSI Software Kiosk, you run into one problem: certificate errors.\\
This opsi package generates a new opsi client certificate containing two DNS names: the hostname and localhost.\\
The script then imports the new certificate into the local certificate store on the client.\\

Attention: Firefox has its own certificate store and does not use the Windows certificate store!\\
( comment from wolfbardo : you can use the mozilla-nss utils to import in mozilla certificate storage \\
see https://forum.opsi.org/wiki/userspace:mozilla_nss ) \\

You need CertMgr.exe. \\
Copy this tool into your package folder (%SCRIPTPATH%).\\
CertMgr is available as part of the Windows SDK. [[http://go.microsoft.com/fwlink/p/?linkid=84091]]

Every time you reinstall or update the opsi-client-agent, you must set this package to setup again. The opsi-client-agent installer will overwrite your own certificate...

After using this script, restart your client!

==== import.ins ====

<code>
[initial]

[Actions]
; Write the OpenSSL request configuration (subject plus the two DNS names)
Patches_opsiclientd_cnf %Systemdrive%\TEMP\opsiclientd.cnf
message "Generiere Software Service Zertifikat"
; Create the self-signed certificate and key for opsiclientd
DosInAnIcon_generateCert
message "Importiere Zertifikat in den Zertifikatsspeicher"
; Convert the certificate to DER and add it to the local machine store
DosInAnIcon_import

[Patches_opsiclientd_cnf]
Add [req] default_bits = 1024
Add [req] encrypt_key = yes
Add [req] distinguished_name = req_dn
Add [req] x509_extensions = v3_req
Add [req] prompt = no
Add [req_dn] C=DE
Add [req_dn] ST=Niedersachsen
Add [req_dn] L=Braunschweig
Add [req_dn] O=
Add [req_dn] OU=OPSI-Client
Add [req_dn] CN=%IPName%
Add [req_dn] emailAddress=
Add [v3_req] nsCertType = server
Add [v3_req] basicConstraints = CA:FALSE
Add [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Add [v3_req] subjectAltName = @alt_names
Add [alt_names] DNS.1 = %IPName%
Add [alt_names] DNS.2 = localhost

[DosInAnIcon_generateCert]
rem Certificate and unencrypted private key (-nodes) are written to the same PEM file
"%ProgramFiles32Dir%\openssl\bin\openssl" req -new -x509 -days 1000 -nodes -config %Systemdrive%\TEMP\opsiclientd.cnf -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -keyout "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem"

[DosInAnIcon_Import]
rem Same %ProgramFiles32Dir% paths as in DosInAnIcon_generateCert, so both sections use the same files
"%ProgramFiles32Dir%\openssl\bin\openssl" x509 -outform der -in "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der"
rem Only the DER certificate (no private key) is added to the AuthRoot store of the local machine
"%ScriptPath%\CertMgr.exe" -add -c "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der" -s -r localMachine AuthRoot
</code>
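
A check to run on the client after the package has finished, added here as an example and not part of the original script: it reads the exported opsiclientd.der, confirms that both DNS names are in the certificate, reports key size, CA flag and expiry, and looks for the certificate in the LocalMachine AuthRoot store. It assumes 32-bit Windows as tested above and that %IPName% matches the computer name; the parameter names are this example's own.

```powershell
# Added verification example, not part of the original package.
# Assumptions: 32-bit Windows as tested on the page (agent under %ProgramFiles%)
# and %IPName% equal to the computer name; pass other values as parameters.
param(
    [string]$DerPath = (Join-Path $env:ProgramFiles 'opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der'),
    [string[]]$ExpectedNames = @($env:COMPUTERNAME, 'localhost')
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $DerPath

# subjectAltName is OID 2.5.29.17. Format() output is localized
# ("DNS Name=..." / "DNS-Name=..."), so keep only the value after '='.
$sanNames = @()
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $sanNames = @($san.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}

# basicConstraints is OID 2.5.29.19; the request config sets CA:FALSE,
# which matters because the certificate is placed in a root store.
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
$isCa = [bool]($bc -and $bc.CertificateAuthority)

# Is the same certificate (by thumbprint) present in the store CertMgr wrote to?
$inStore = [bool](Get-ChildItem Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

# -notcontains compares case-insensitively, so HOST and host both match.
$missing = @($ExpectedNames | Where-Object { $sanNames -notcontains $_ })

New-Object PSObject -Property @{
    Subject      = $cert.Subject
    SanNames     = $sanNames -join ', '
    MissingNames = $missing -join ', '
    KeyBits      = $cert.PublicKey.Key.KeySize
    KeyBelow2048 = $cert.PublicKey.Key.KeySize -lt 2048
    IsCa         = $isCa
    NotAfter     = $cert.NotAfter
    InAuthRoot   = $inStore
}
```

With the request configuration above, KeyBits reports 1024 and KeyBelow2048 is True; an empty MissingNames together with InAuthRoot True means the import worked as described.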