
This is an old revision of the document!


ImportCert

Script by tobias
Comments and improvements welcome
This script comes with ABSOLUTELY NO WARRANTY

Tested with opsi 4.0.2
Tested with opsi-winst 4.11.2.5
Tested with Windows 7 Enterprise x86

If you want to use the OPSI Software Kiosk, you run into one problem: certificate errors.
This OPSI package generates a new OPSI client certificate that contains two DNS names:
the hostname and localhost.
The script then imports the new certificate into the local certificate store on the client.

Attention: Firefox has its own certificate storage and does not use the Windows certificate store!

(comment from wolfbardo: you can use the mozilla-nss utils to import in mozilla certificate storage
see https://forum.opsi.org/wiki/userspace:mozilla_nss )

You need CertMgr.exe.
Copy this tool into your package folder (%SCRIPTPATH%).
CertMgr is available as part of the Windows SDK: http://go.microsoft.com/fwlink/p/?linkid=84091

Every time you reinstall or update the Opsi-Client-Agent, you must set this package to setup again. The Opsi-Client-Agent installer will overwrite your own certificate…

After using this script, restart your client!

import.ins

[initial]
 
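[Actions]
; Write the OpenSSL request configuration (subject, extensions, alt names)
Patches_opsiclientd_cnf "%Systemdrive%\TEMP\opsiclientd.cnf"
message "Generiere Software Service Zertifikat"
; Create a new self-signed certificate and key for opsiclientd
DosInAnIcon_generateCert
message "Importiere Zertifikat in den Zertifikatsspeicher"
; Convert the certificate to DER and add it to the machine certificate store
DosInAnIcon_import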
 
[Patches_opsiclientd_cnf]
 
Add [req] default_bits = 2048
Add [req] encrypt_key = yes
Add [req] distinguished_name = req_dn
Add [req] x509_extensions = v3_req
Add [req] prompt = no
 
 
Add [req_dn] C=DE
Add [req_dn] ST=Niedersachsen
Add [req_dn] L=Braunschweig
Add [req_dn] O=<company.domain>
Add [req_dn] OU=OPSI-Client
Add [req_dn] CN=%IPName%
Add [req_dn] emailAddress=<mailadress>
 
Add [v3_req] nsCertType = server
Add [v3_req] basicConstraints = CA:FALSE
Add [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Add [v3_req] subjectAltName = @alt_names
 
 
Add [alt_names] DNS.1 = %IPName%
Add [alt_names] DNS.2 = localhost
 
 
 
[DosInAnIcon_generateCert]
 
rem -nodes leaves the private key unencrypted; key and certificate go into the same PEM file
"%ProgramFiles32Dir%\openssl\bin\openssl" req -new -x509 -days 1000 -nodes -config %Systemdrive%\TEMP\opsiclientd.cnf -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -keyout "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem"
 
 
[DosInAnIcon_import]
 
rem Export only the certificate (no private key) in DER format for CertMgr
"%ProgramFiles32Dir%\openssl\bin\openssl" x509 -outform der -in "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -out "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der"
 
rem -c adds a certificate, -s -r localMachine selects the machine system store AuthRoot
"%scriptpath%\CertMgr.exe" -add -c "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der" -s -r localMachine AuthRoot
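
A post-install check for the client, as an added example that is not part of tobias's package: it confirms that the generated certificate carries both DNS names, reports the key size and expiry, and verifies that the certificate is present in the machine store that CertMgr wrote to. Assumptions: the default path is the one from the script on a 32-bit client, %IPName% matches the Windows computer name, and the 2048-bit minimum is a threshold chosen for this example.

```powershell
# Added example (not part of the original package): verify the result of import.ins.
param(
    # Assumption: DER file location as used by the script on a 32-bit client
    [string]$DerPath = "$env:ProgramFiles\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.der",
    # Assumption: %IPName% resolves to the computer name (compared case-insensitively)
    [string[]]$ExpectedNames = @($env:COMPUTERNAME, 'localhost'),
    # Assumption: minimum acceptable RSA key size for this check
    [int]$MinKeyBits = 2048
)

$problems = @()
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $DerPath

# subjectAltName is extension OID 2.5.29.17; Format() renders it as text,
# e.g. "DNS Name=client1, DNS Name=localhost" (the label is localized).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = ''
if ($san) { $sanText = $san.Format($false) }

foreach ($name in $ExpectedNames) {
    # Match only the value after the "=" so the localized label does not matter
    if ($sanText -notmatch ('=' + [regex]::Escape($name) + '(,|\s|$)')) {
        $problems += "SAN entry missing: $name"
    }
}

$bits = $cert.PublicKey.Key.KeySize
if ($bits -lt $MinKeyBits) {
    $problems += "RSA key is $bits bits, expected at least $MinKeyBits"
}
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "Certificate expired on $($cert.NotAfter)"
}

# "CertMgr.exe ... -s -r localMachine AuthRoot" corresponds to Cert:\LocalMachine\AuthRoot
$inStore = Get-ChildItem Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inStore) {
    $problems += "Certificate $($cert.Thumbprint) not found in LocalMachine\AuthRoot"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: $($cert.Subject) | SAN: $sanText | $bits-bit key | valid until $($cert.NotAfter)"
```

Run it after the client restart; a non-zero exit code means the package should be set to setup again.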
userspace/zertifikats_import.1368275723.txt.gz · Last modified: 2021/08/23 08:37 (external edit)