[Fusioninventory-devel] Provide the Windows agent installer a CA .pem file for him to store alongside the agent?

Kevin Roy kiniou at gmail.com
Fri May 23 08:26:44 UTC 2014 

Hi Claude,

Le 23 mai 2014 01:53, "DUVERGIER Claude" <
devel.fusioninventory.ml at claude.duvergier.fr> a écrit :
> I'm moving to secured GLPI-Agent communications and I've a question
> relating to certificate location on agent side (I get FusionInventory
> Agent won't/can't read Windows certificate store).
>
> The "/ca-cert-file" command line option (or the corresponding GUI field)
> allows me to specify the CA I want the agent to trust (id. the one(s)
> that signed the certificate the GLPI server is using).
>
> Currently the installer reads the provided filepath and stores it (the
> path) in the registry for the agent to use it at runtime.
>
> The thing is: At final I would like that CA file to be stored in the
> agent installation dir (the must would be in %ProgramData% be FI isn't
> using that, yet).

Why do you need to install the certificate in install directory ? You can
use the %ProgramData% to store the certificate and tell this path to the
installer.

> *Question:*
> Is there a way to tell the installer to read that filepath, copy the
> file into the agent's installation base directory (into "certs\"
> subdirectory for example) and store that new path into registry for
> agent to use when running ?

Actually no. I don't know if the maintainer of windows has planned to add
this kind of behavior. I can only suggest you to create a feature request
in the forge.

> The closest I get is to copy the file myself (via scripts) and use the
> following command line options:
>
> > /installdir="C:\Program Files\FusionInventory-Agent"
/ca-cert-file="C:\Program
> Files\FusionInventory-Agent\certs\my_trusted_cas.pem"
>
> I'm using "/installdir" just to be sure, in case the default location
> ("C:\Program Files\FusionInventory-Agent") changes in future release.

The installdir option is the best way to achieve your current need.

> The other option I have is to, similar to *nix systems, create a central
> CA "repo" on disk (say "C:\etc\ssl\certs") for any software like FI to
use.

This is another good way to achieve this.

Cheers,
--
Kevin Roy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/fusioninventory-devel/attachments/20140523/d7e1766e/attachment.html>

More information about the Fusioninventory-devel mailing list