userspace:zertifikats_import

Differences

This shows you the differences between two versions of the page.

userspace:zertifikats_import [2012/06/19 11:00]
tobias created
userspace:zertifikats_import [2019/02/18 23:26]
tobias
Line 1: Line 1:
 +====== +++ Since new OPSI KIOSK application, this is not necessary anymore +++ ======
 +
 ======ImportCert====== ======ImportCert======
 Script by tobias \\ Script by tobias \\
 Comments and improvements welcome \\ Comments and improvements welcome \\
 +This script comes with ABSOLUTELY NO WARRANTY \\
 +
  
 Tested with opsi 4.0.2 \\ Tested with opsi 4.0.2 \\
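Review bot: The new top heading says the package is not necessary anymore since the new OPSI KIOSK application, but it does not say from which opsi version that holds, while the unchanged "Tested with opsi 4.0.2" line directly below still reads as current. Suggest naming the version in the heading so readers on older installations can tell whether the rest of the page still applies to them.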
Line 7: Line 11:
 Tested with Windows 7 Enterprise x86 \\ Tested with Windows 7 Enterprise x86 \\
  
-Import des opsiclientd Zertifikats +If you want to use the OPSI Software Kiosk you have one Problem: The certificate errors.\\ 
-Das Script wandelt das PEM Zertifikat in ein DER Zertifikat um damit es in den Windows Zertifikatsspeicher Importiert werden kann+This OPSI-Package generates a new OPSI Client certificate with 2 domains in it.\\ 
-Nach diesem Vorgang wird keine Zertifikatswarnung mehr angezeigt.  +The hostname and localhost.\\ 
-Damit dies Script funktioniert, wird die "CertMgr.Exe" benötigt die sich im Windows SDK befindet+After that the script imports the new certificate into the local certificate storage on the Client.\\
  
-Achtung: Firefox verwendet nicht den Windows Zertifikatsspeicher ! +Attention: Firefox has it's own Certificate Storage !\\ 
 +Achtung: Firefox verwendet nicht den Windows Zertifikatsspeicher !\\
  
 +( comment from wolfbardo : you can use the mozilla-nss utils to import in mozilla certifikate storage \\ 
 +see https://forum.opsi.org/wiki/userspace:mozilla_nss ) \\
 +
 +You need the CertMgr.Exe. \\
 +Copy this tool into your package folder (%SCRIPTPATH%)\\
 +CertMgr is available as part of the Windows SDK.      [[http://go.microsoft.com/fwlink/p/?linkid=84091]]
 +
 +
 +Every time you reinstall or update the Opsi-Client-Agent you must set this package to setup again. The Opsi-Client-Agent installer will override your own certificate...
 +
 +After using this script, restart your client!
 ==== import.ins ==== ==== import.ins ====
  
 <code winst> <code winst>
- 
 [initial] [initial]
-message "Importiere Zertifikat in den Lokalen Zertifikatsspeicher" 
  
 [Actions] [Actions]
 +Patches_opsiclientd_cnf %Systemdrive%\TEMP\opsiclientd.cnf
 +message "Generiere Software Service Zertifikat"
 +DosInAnIcon_generateCert
 +message "Importiere Zertifikat in den Zertifikatsspeicher"
 DosInAnIcon_import DosInAnIcon_import
 +
 +[Patches_opsiclientd_cnf]
 +
 +Add [req] default_bits = 1024
 +Add [req] encrypt_key = yes
 +Add [req] distinguished_name = req_dn
 +Add [req] x509_extensions = v3_req
 +Add [req] prompt = no
 +
 +
 +Add [req_dn] C=DE
 +Add [req_dn] ST=Niedersachsen
 +Add [req_dn] L=Braunschweig
 +Add [req_dn] O=<company.domain>
 +Add [req_dn] OU=OPSI-Client
 +Add [req_dn] CN=%IPName%
 +Add [req_dn] emailAddress=<mailadress>
 +
 +Add [v3_req] nsCertType = server
 +Add [v3_req] basicConstraints = CA:FALSE
 +Add [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +Add [v3_req] subjectAltName = @alt_names
 +
 +
 +Add [alt_names]DNS.1 = %IPName%
 +Add [alt_names]DNS.2 = localhost
 +
 +
 +
 +[DosInAnIcon_generateCert]
 +
 +"%ProgramFiles32Dir%\openssl\bin\openssl" req -new -x509 -days 1000 -nodes -config %Systemdrive%\TEMP\opsiclientd.cnf -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -keyout "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem"
  
  
 [DosInAnIcon_Import] [DosInAnIcon_Import]
-message "Wandle Zertifikat in der um"+
 "%ProgramFilesDir%\OpenSSL\bin\openssl" x509 -outform der -in "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -out "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der" "%ProgramFilesDir%\OpenSSL\bin\openssl" x509 -outform der -in "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -out "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der"
-message "Importiere Zertifikat in den Trusted Store"+
 %scriptpath%\CertMgr.exe -add -c "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der" -s -r localMachine AuthRoot %scriptpath%\CertMgr.exe -add -c "%ProgramFilesDir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der" -s -r localMachine AuthRoot
- 
- 
  
 </code> </code>
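Review bot: In the added [Patches_opsiclientd_cnf] section, `default_bits = 1024` gives an RSA key below the 2048-bit minimum that current guidance expects, and the unchanged CertMgr line then adds that certificate to the localMachine AuthRoot store; suggest `default_bits = 2048` or larger. In the same section, `encrypt_key = yes` is overridden by `-nodes` on the new `openssl req` line, and `-out` and `-keyout` point at the same opsiclientd.pem, so the private key of a machine-trusted certificate sits unencrypted next to the certificate; drop the `encrypt_key` line so the config matches what happens, and note that read access to that file should be limited. The new [DosInAnIcon_generateCert] call also uses %ProgramFiles32Dir% while [DosInAnIcon_Import] reads openssl and opsiclientd.pem from %ProgramFilesDir%, which only point to the same directory on x86 (the page lists Windows 7 Enterprise x86 as tested); use the same constant in both sections.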
userspace/zertifikats_import.txt · Last modified: 2021/08/23 08:37 (external edit)