cat-users - Re: [cat-users] Existing root certificate generates warning

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT geant.net
  • Subject: Re: [cat-users] Existing root certificate generates warning
  • Date: Mon, 03 Sep 2012 10:28:30 +0200
  • List-archive: <http://mail.geant.net/mailman/private/cat-users>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool (CAT)" <cat-users.geant.net>

I would like to hear a bit more about the problem, to make sure that it
is already taken care of.

Normally, when one tries to install an existing certificate, the user
will not be prompted. The user does get prompted when the certificate
gets installed in another store. The current code now tries to avoid the
situation where the installer would try to install a certificate in the
user's store while it may already exist in the root store, which is most
likely the situation which appeared in the problem you mention. Thus, as
Stefan says, this should work just fine in our beta1 code.

Tomasz



On 2012-09-03 10:00, Stefan Winter wrote:
> Hi,
>
>> One of our client sites is trying to avoid their users being
>> prompted/warned unnecessarily during a profile install, where possible.
>> Their SSL certificate root CA is "AddTrust External CA Root", which
>> already exists on (all?) Windows 7 devices of their users. During the
>> install Win7 generates a prompt, asking if the existing root CA of that
>> name should be overwritten.
>>
>> Would it be possible to have CAT allow them to download an installer, the
>> Windows 7 installer in this case but perhaps others too, without the root
>> certificate bundled with it, so that this prompt could be avoided?
>>
>> Of course, the assumption here is that their root certificate already
>> exists amongst the list of well-known CA's in all (standard) Windows 7
>> clients - is it safe to make that assumption on the basis of exploring
>> just a few standard installs of Windows 7?
> Thanks for this... we've heard that a couple of times now. This is
> really Tomasz's domain of work, but as he's busy the next few days,
> here's what I (think I) remember:
>
> Tomasz implemented a sanity check in the beta1 code that would examine
> the system before launching the actual install.
>
> One of the checks was whether the CA cert is already present in the
> system (or user? or both?) store, and if so skip the installation of the
> CA cert.
>
> I believe this would fix the issue you mention. It does not require two
> different installers BTW, it's a scripted action in the default one.
>
> You can test this on the new beta1 release - which I hope we can finish
> and deploy later this week.
>
> Greetings,
>
> Stefan Winter
>


--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
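
Added example, not part of the thread and not the CAT installer's own code: one way to perform the pre-install check discussed above, looking for the CA certificate in both the machine and the user root stores and skipping the install when it is already trusted. The `$CaFile` parameter and the `Test-CertInStore` helper are hypothetical names; the match is made on the certificate thumbprint rather than on the CA's display name, so a different certificate that merely carries the same name is not mistaken for the bundled one.

```powershell
# Added example; hypothetical names, not taken from the CAT installer.
param([Parameter(Mandatory = $true)][string]$CaFile)   # path to the bundled CA cert (assumption)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CaFile

function Test-CertInStore {
    param($Cert, [string]$Location)
    # Open the "Trusted Root Certification Authorities" store read-only.
    $store = New-Object "$x509.X509Store" -ArgumentList 'Root', $Location
    $store.Open('ReadOnly')
    try {
        # Compare by thumbprint (hash of the whole certificate), not by subject name.
        # validOnly = $false so an expired copy is still reported as present.
        $hits = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        return ($hits.Count -gt 0)
    } finally {
        $store.Close()
    }
}

$inMachine = Test-CertInStore -Cert $cert -Location 'LocalMachine'
$inUser    = Test-CertInStore -Cert $cert -Location 'CurrentUser'

if ($inMachine -or $inUser) {
    # Already trusted somewhere: installing a second copy would only add a prompt.
    Write-Output ("CA {0} already present (machine={1}, user={2}); skipping install." -f `
        $cert.Thumbprint, $inMachine, $inUser)
} else {
    # Not present anywhere: add to the current user's root store.
    # Windows may ask the user to confirm this step.
    $store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'CurrentUser'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    Write-Output ("CA {0} installed in CurrentUser\Root." -f $cert.Thumbprint)
}
```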





