
+++ Since the new opsi Kiosk application exists, this is no longer necessary +++

ImportCert

Script by tobias
Comments and improvements welcome
This script comes with ABSOLUTELY NO WARRANTY

Tested with opsi 4.0.2
Tested with opsi-winst 4.11.2.5
Tested with Windows 7 Enterprise x86

If you want to use the opsi Software Kiosk you have one problem: certificate errors, because the certificate opsiclientd presents is not trusted by the client.
This opsi package generates a new opsi client certificate with two DNS names in it: the hostname and localhost.
After that the script imports the new certificate into the local machine certificate store on the client, so Windows (and therefore the kiosk) trusts it for both names.
Note that opsiclientd.pem then contains the unencrypted private key next to the certificate. The certificate is self-signed, marked CA:FALSE and valid only for the two names above, which limits what a copy of it is good for, but the file should still be readable only by administrators and SYSTEM.

Attention: Firefox has its own certificate store and does not use the Windows certificate store!

(comment from wolfbardo: you can use the mozilla-nss utils to import into the Mozilla certificate store,
see https://forum.opsi.org/wiki/userspace:mozilla_nss)

You need CertMgr.exe.
Copy this tool into your package folder (%SCRIPTPATH%).
CertMgr is available as part of the Windows SDK: http://go.microsoft.com/fwlink/p/?linkid=84091
If you would rather not ship an SDK binary with the package, certutil.exe, which is part of Windows itself, can add the certificate to the same store (certutil -addstore AuthRoot opsiclientd.der).

Every time you reinstall or update the opsi-client-agent you must set this package to setup again, because the opsi-client-agent installer overwrites your own certificate.

After running this script, restart your client!

import.ins

[Initial]

[Actions]
; write an OpenSSL request config, generate the certificate, import it
Patches_opsiclientd_cnf %Systemdrive%\TEMP\opsiclientd.cnf
message "Generating software service certificate"
DosInAnIcon_generateCert
message "Importing certificate into the certificate store"
DosInAnIcon_import

[Patches_opsiclientd_cnf]
; 2048 bits; the original script used 1024, which is no longer considered adequate
Add [req] default_bits = 2048
; the key must be unencrypted, opsiclientd cannot ask for a passphrase (see -nodes below)
Add [req] encrypt_key = no
Add [req] distinguished_name = req_dn
Add [req] x509_extensions = v3_req
Add [req] prompt = no

Add [req_dn] C=DE
Add [req_dn] ST=Niedersachsen
Add [req_dn] L=Braunschweig
Add [req_dn] O=<company.domain>
Add [req_dn] OU=OPSI-Client
Add [req_dn] CN=%IPName%
Add [req_dn] emailAddress=<mailadress>

; end-entity server certificate, not a CA
Add [v3_req] nsCertType = server
Add [v3_req] basicConstraints = CA:FALSE
Add [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Add [v3_req] subjectAltName = @alt_names

; both names under which the kiosk may reach opsiclientd
Add [alt_names] DNS.1 = %IPName%
Add [alt_names] DNS.2 = localhost

[DosInAnIcon_generateCert]
rem opsi-client-agent is a 32-bit application, so %ProgramFiles32Dir% is used throughout;
rem on 32-bit Windows it is the same directory as %ProgramFilesDir%
rem -out and -keyout point to the same file on purpose: OpenSSL then appends the
rem certificate after the key, producing the key+cert PEM that opsiclientd expects
"%ProgramFiles32Dir%\OpenSSL\bin\openssl" req -new -x509 -days 1000 -nodes -config "%Systemdrive%\TEMP\opsiclientd.cnf" -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -keyout "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem"

[DosInAnIcon_import]
rem convert the certificate (only the public part) to DER for CertMgr
"%ProgramFiles32Dir%\OpenSSL\bin\openssl" x509 -outform der -in "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der"

rem add it to the machine-wide AuthRoot store (-s: system store, -r localMachine: HKLM)
"%scriptpath%\CertMgr.exe" -add -c "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der" -s -r localMachine AuthRoot
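A post-installation check, added here as an example and not part of tobias's package, to run in PowerShell on the client after the reboot. It assumes the opsiclientd.der file the import step leaves next to opsiclientd.pem, that %IPName% resolves to the Windows computer name, and that opsiclientd answers HTTPS on localhost:4441 (the usual opsiclientd port; adjust if yours differs). It verifies that the certificate landed in LocalMachine\AuthRoot, carries both DNS names, has a sensible key size, and is actually accepted by Windows when talking to the local opsiclientd.

```powershell
# Added verification script (not part of the ImportCert package).
# Assumptions: opsiclientd.der lies next to opsiclientd.pem, CN = computer name,
# opsiclientd listens on https://localhost:4441.
$ProgFiles = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$AgentDir  = Join-Path $ProgFiles 'opsi.org\opsi-client-agent\opsiclientd'
$DerFile   = Join-Path $AgentDir 'opsiclientd.der'
$HostName  = $env:COMPUTERNAME

# 1. the certificate the package generated (DER = public part only)
$generated = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DerFile
"Generated: $($generated.Subject) valid until $($generated.NotAfter)"

# 2. the same certificate (by thumbprint) must be in the machine-wide AuthRoot store
$inStore = Get-ChildItem Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Thumbprint -eq $generated.Thumbprint }
if ($inStore) { "Found in LocalMachine\AuthRoot: $($generated.Thumbprint)" }
else          { Write-Warning "certificate $($generated.Thumbprint) NOT found in LocalMachine\AuthRoot" }

# 3. subjectAltName must list both names the kiosk may use
$sanExt = $generated.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { Write-Warning 'certificate has no subjectAltName extension' }
else {
    $san = $sanExt.Format($true)          # one "DNS Name=..." per line
    foreach ($name in @($HostName, 'localhost')) {
        if ($san -notmatch "DNS Name=$([regex]::Escape($name))(\r?\n|$)") {
            Write-Warning "subjectAltName is missing DNS name '$name'"
        }
    }
}

# 4. key size: 1024-bit RSA (the old default_bits) is too small nowadays
$bits = $generated.PublicKey.Key.KeySize
if ($bits -lt 2048) { Write-Warning "RSA key is only $bits bits; raise default_bits in [req]" }
else                { "RSA key size: $bits bits" }

# 5. does Windows accept the chain when talking to the local opsiclientd?
try {
    (New-Object System.Net.WebClient).DownloadString('https://localhost:4441/') | Out-Null
    'TLS handshake against opsiclientd OK'
} catch [System.Net.WebException] {
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        Write-Warning "certificate still NOT trusted: $($_.Exception.Message)"
    } else {
        # e.g. ProtocolError (HTTP 401) means the handshake succeeded and the server answered
        "TLS handshake OK; server replied with $($_.Exception.Status)"
    }
}
```

Run it in an elevated PowerShell; the TLS step is the one that matters for the kiosk, since it exercises the same Windows certificate validation the kiosk relies on. A TrustFailure after the import usually means the agent installer has replaced opsiclientd.pem again (see the note above about re-running this package after every opsi-client-agent update).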