SSL CA Install

From WPKG | Open Source Software Deployment and Distribution

There are probably lots of ways to do this.

You will need CertMgr.exe. It's part of the .NET Framework 2.0 Software Development Kit - you don't need the entire kit on your clients or in your WPKG installation, only CertMgr.exe.

CertMgr.exe is documented here. Basic usage as follows:

%programfiles%\Microsoft.NET\SDK\v2.0\Bin\CertMgr.Exe /add ca-cert.der /all /s /r localMachine root

This installs every CA certificate contained in ca-cert.der into the local machine's Trusted Root store (/s /r localMachine root), so it applies to all users of the machine.

Example:

<package
    id="ssl_cert"
    name="ssl certificate"
    revision="1"
    reboot="false"
    priority="50"
    execute="once">
    <!-- use an absolute path to the certificate so the command does not depend on the working directory WPKG runs in -->
    <install cmd="%SOFTWARE%\pkg\ssl\CertMgr.Exe /add %SOFTWARE%\pkg\ssl\ca-cert.der /all /s /r localMachine root" />
</package>


With certutil

I tested this with W7 and higher.

<?xml version="1.0" encoding="UTF-8"?>

<packages:packages xmlns:packages="http://www.wpkg.org/packages"
        xmlns:wpkg="http://www.wpkg.org/wpkg" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.wpkg.org/packages ../xsd/packages.xsd">


<package
  id="ssl-cert-win"
  name="SSL-Zertifikate_Windows"
  revision="%version%"
  priority="0"
  reboot="false">

  <variable name="version" value="2017-05-30" />
  <variable name="versionfile" value="%SYSTEMROOT%\sslversion.txt" />
  <variable name="cafile" value="%SOFTWARE%\ssl\cacert.pem" />
  <variable name="caseriennummer" value="12345678abcdefgh" />

  <!-- check install date -->
  <check type="execute" path='%SETTINGS%\tools\compareStringAndFile.bat "%version%" "%versionfile%"' condition="exitcodeequalto" value="0"/>

  <!-- add cert to root -->
  <install cmd='certutil -addstore "ROOT" %cafile%'/>
  <!-- set install date -->
  <install cmd='%ComSpec% /c echo %version%>"%versionfile%"'/>

  <remove cmd='certutil -delstore "ROOT" %caseriennummer%'/>
  <remove cmd='%ComSpec% /c del "%versionfile%"'/>

  <upgrade include="remove" />
  <upgrade include="install" />

</package>

</packages:packages>

certutil is part of Windows.

The only extra file, "compareStringAndFile.bat", is a very simple script:

@echo off
setlocal

:: compare parameter 1 (string) with the content of parameter 2 (file)
:: exit code 0 = equal, 1 = different or file missing

if not exist %2 exit /B 1

:: clear any inherited value first: set /p leaves the variable untouched on an empty file
set "FILECONTENT="
set /p FILECONTENT=<%2

:: quote the file content so it compares like the quoted first parameter
set FILECONTENT="%FILECONTENT%"
REM echo %FILECONTENT%
REM echo %1

if %1 == %FILECONTENT% exit /B 0

REM echo "The strings are different!"
exit /B 1
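The version-file check above only proves that the marker file was written, not that the CA is still in the store; a check that looks up the certificate's thumbprint in LocalMachine\Root directly is more robust and also survives someone deleting the CA by hand. The following PowerShell script is an added example, not code from the WPKG wiki, and assumes a single-certificate PEM or DER file passed as its argument and the hypothetical file name checkCaInstalled.ps1 under %SETTINGS%\tools.

```powershell
# checkCaInstalled.ps1 (added example, not part of the WPKG wiki page)
# Exit 0 if the CA in the given PEM/DER file is present in LocalMachine\Root,
# exit 1 if it is missing, exit 2 if the file cannot be read.
#
# Assumed WPKG check, replacing the version-file check of the package above:
# <check type="execute"
#        path='powershell -NoProfile -ExecutionPolicy Bypass -File "%SETTINGS%\tools\checkCaInstalled.ps1" "%cafile%"'
#        condition="exitcodeequalto" value="0"/>
param(
    [Parameter(Mandatory = $true)][string]$CaFile
)

if (-not (Test-Path -LiteralPath $CaFile)) {
    Write-Error "CA file not found: $CaFile"
    exit 2
}

# .NET resolves relative paths against its own working directory, so pass an absolute one.
$fullPath = (Resolve-Path -LiteralPath $CaFile).Path

# X509Certificate2 reads both DER and Base64/PEM encoded single certificates.
try {
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
} catch {
    Write-Error "Cannot parse certificate: $($_.Exception.Message)"
    exit 2
}

# The Cert: drive exposes each store entry under its SHA-1 thumbprint,
# which identifies the exact certificate (unlike a serial number, which is only unique per issuer).
$storePath = "Cert:\LocalMachine\Root\$($ca.Thumbprint)"

if (Test-Path -LiteralPath $storePath) {
    Write-Output ("present: {0} (thumbprint {1})" -f $ca.Subject, $ca.Thumbprint)
    exit 0
}

Write-Output ("missing: {0} (thumbprint {1})" -f $ca.Subject, $ca.Thumbprint)
exit 1
```

The same thumbprint can be used in the package's remove command (certutil -delstore "ROOT" <thumbprint>) instead of the serial number, since certutil accepts either as the certificate id.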