[Fusioninventory-devel] Provide the Windows agent installer a CA .pem file for him to store alongside the agent?
DUVERGIER Claude
devel.fusioninventory.ml at claude.duvergier.fr
Fri May 23 11:13:41 UTC 2014
On 23/05/2014 10:26, Kevin Roy wrote:
> Hi Claude,
>
> On 23 May 2014 01:53, "DUVERGIER Claude"
> <devel.fusioninventory.ml at claude.duvergier.fr
> <mailto:devel.fusioninventory.ml at claude.duvergier.fr>> wrote:
>> I'm moving to secured GLPI-Agent communications and I've a question
>> relating to certificate location on agent side (I get FusionInventory
>> Agent won't/can't read Windows certificate store).
>>
>> The "/ca-cert-file" command line option (or the corresponding GUI field)
>> allows me to specify the CA I want the agent to trust (i.e. the one(s)
>> that signed the certificate the GLPI server is using).
>>
>> Currently the installer reads the provided filepath and stores it (the
>> path) in the registry for the agent to use it at runtime.
>>
>> The thing is: In the end I would like that CA file to be stored in the
>> agent installation dir (the must would be in %ProgramData% but FI isn't
>> using that, yet).
>
> Why do you need to install the certificate in the install directory? You
> can use the %ProgramData% to store the certificate and tell this path to
> the installer.
Actually I only thought about %ProgramData% when typing my e-mail :p
I don't really *need* the certificate to be inside Agent's installation
directory, I've only thought, having no other place (Windows system) it
would be better to store it there.
>> *Question:*
>> Is there a way to tell the installer to read that filepath, copy the
>> file into the agent's installation base directory (into "certs\"
>> subdirectory for example) and store that new path into registry for
>> agent to use when running ?
>
> Actually no. I don't know if the maintainer of windows has planned to
> add this kind of behavior. I can only suggest you to create a feature
> request in the forge.
>
>> The closest I get is to copy the file myself (via scripts) and use the
>> following command line options:
>>
>> > /installdir="C:\Program Files\FusionInventory-Agent" /ca-cert-file="C:\Program Files\FusionInventory-Agent\certs\my_trusted_cas.pem"
>>
>> I'm using "/installdir" just to be sure, in case the default location
>> ("C:\Program Files\FusionInventory-Agent") changes in future release.
>
> The installdir option is the best way to achieve your current need.
>
>> The other option I have is to, similar to *nix systems, create a central
>> CA "repo" on disk (say "C:\etc\ssl\certs") for any software like FI to
>> use.
>
> This is another good way to achieve this.
Thanks for the feedback: now I have to decide whether I'll be acting
"solo" (and use %ProgramData%) or "open" (and use
"%systemdrive%\etc\ssl\certs").
>
> Cheers,
> --
> Kevin Roy
--
DUVERGIER Claude
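
Both locations discussed in this thread (%ProgramData% and a directory at the drive root) give new subdirectories inherited default permissions that can let non-administrative users create or modify files, and whoever can rewrite the CA bundle decides which server certificate the agent trusts. The following PowerShell script is an added example, not part of the original thread or of the FusionInventory installer: it checks the PEM bundle, copies it into a directory writable only by SYSTEM and Administrators, and prints the `/ca-cert-file` option to pass to the installer. The destination directory name and the script parameters are assumptions.

```powershell
# Added example: not part of the original thread or of the FusionInventory installer.
# Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $Source,   # PEM bundle of the CA(s) to trust
    # Assumed destination; the thread only names %ProgramData% as a candidate.
    [string] $DestDir = (Join-Path $env:ProgramData 'FusionInventory-Agent\certs')
)
$ErrorActionPreference = 'Stop'

# 1. Parse every certificate in the bundle and refuse anything that is not a usable CA.
#    (Old v1 roots without a basicConstraints extension are rejected by this check.)
$pem    = Get-Content -LiteralPath $Source -Raw
$blocks = [regex]::Matches($pem, '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----')
if ($blocks.Count -eq 0) { throw "No PEM certificate found in $Source" }
foreach ($b in $blocks) {
    $der  = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $bc   = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw "Not a CA certificate: $($cert.Subject)" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Expired: $($cert.Subject)" }
    '{0}  expires {1:yyyy-MM-dd}  SHA1 {2}' -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint
}

# 2. Create the directory, drop inherited ACEs, and grant write access only to
#    SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544); Users (S-1-5-32-545) may read.
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
icacls $DestDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' `
    '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Copy the bundle. An existing copy is removed first so that the new file
#    inherits the directory's ACL instead of keeping an older, looser one.
$target = Join-Path $DestDir (Split-Path $Source -Leaf)
if (Test-Path -LiteralPath $target) { Remove-Item -LiteralPath $target }
Copy-Item -LiteralPath $Source -Destination $target

# 4. Emit the installer option named in the thread, pointing at the protected copy.
"/ca-cert-file=`"$target`""
```

Comparing the printed thumbprints against the ones published by the CA owner before deployment confirms that the bundle being distributed is the intended one.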