Script by tobias
Comments and improvements welcome
This script comes with ABSOLUTELY NO WARRANTY
Tested with opsi 4.0.2
Tested with opsi-winst 4.11.2.5
Tested with Windows 7 Enterprise x86
If you want to use the OPSI Software Kiosk you have one Problem: The certificate errors.
This OPSI-Package generates a new OPSI Client certificate with 2 domains in it.
The hostname and localhost.
After that the script imports the new certificate into the local certificate storage on the Client.
Attention: Firefox has it's own Certificate Storage !
Achtung: Firefox verwendet nicht den Windows Zertifikatsspeicher !
( comment from wolfbardo : you can use the mozilla-nss utils to import in mozilla certifikate storage
see https://forum.opsi.org/wiki/userspace:mozilla_nss )
You need the CertMgr.Exe.
Copy this tool into your package folder (%SCRIPTPATH%)
CertMgr is available as part of the Windows SDK. http://go.microsoft.com/fwlink/p/?linkid=84091
Every time you reinstall or update the Opsi-Client-Agent you must set this package to setup again. The Opsi-Client-Agent installer will override your own certificate…
After using this script, restart your client!
[initial] [Actions] Patches_opsiclientd_cnf %Systemdrive%\TEMP\opsiclientd.cnf message "Generiere Software Service Zertifikat" DosInAnIcon_generateCert message "Importiere Zertifikat in den Zertifikatsspeicher" DosInAnIcon_import [Patches_opsiclientd_cnf] Add [req] default_bits = 1024 Add [req] encrypt_key = yes Add [req] distinguished_name = req_dn Add [req] x509_extensions = v3_req Add [req] prompt = no Add [req_dn] C=DE Add [req_dn] ST=Niedersachsen Add [req_dn] L=Braunschweig Add [req_dn] O=<company.domain> Add [req_dn] OU=OPSI-Client Add [req_dn] CN=%IPName% Add [req_dn] emailAddress=<mailadress> Add [v3_req] nsCertType = server Add [v3_req] basicConstraints = CA:FALSE Add [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment Add [v3_req] subjectAltName = @alt_names Add [alt_names]DNS.1 = %IPName% Add [alt_names]DNS.2 = localhost [DosInAnIcon_generateCert] "%ProgramFiles32Dir%\openssl\bin\openssl" req -new -x509 -days 1000 -nodes -config %Systemdrive%\TEMP\opsiclientd.cnf -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -keyout "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" [DosInAnIcon_Import] "%ProgramFilesDir%\OpenSSL\bin\openssl" x509 -outform der -in "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -out "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der" %scriptpath%\CertMgr.exe -add -c "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der" -s -r localMachine AuthRoot