
cat-users - Re: [cat-users] Existing root certificate generates warning

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Louis Twomey <louis.twomey AT heanet.ie>
  • To: cat-users AT geant.net
  • Subject: Re: [cat-users] Existing root certificate generates warning
  • Date: Fri, 07 Sep 2012 13:41:06 +0100
  • List-archive: <http://mail.geant.net/mailman/private/cat-users>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Thanks Tomasz, and Stefan. The beta1 code sounds like it does exactly what the
client wants. I'll ask them to test again with the current version and if there
are any further issues I'll let you know.

Thanks again,
Louis.

"Tomasz Wolniewicz" wrote the following on 03/09/12 09:28:
> I would like to hear a bit more about the problem, to make sure that it
> is already taken care of.
>
> Normally, when one tries to install an existing certificate, the user
> will not be prompted. The user does get prompted when the certificate
> gets installed in another store. The current code now tries to avoid the
> situation where the installer would try to install a certificate in
> user's store while it already may exist in the root store, which is most
> likely the situation which appeared in the problem you mention. Thus, as
> Stefan says, this should work just fine in our beta1 code.
>
> Tomasz
>
>
>
> On 2012-09-03 10:00, Stefan Winter wrote:
>> Hi,
>>
>>> One of our client sites is trying to avoid their users being prompted/warned
>>> unnecessarily during a profile install, where possible. Their SSL certificate
>>> root CA is "AddTrust External CA Root", which already exists on (all?) Windows
>>> 7 devices of their users. During the install Win7 generates a prompt, asking if
>>> the existing root CA of that name should be overwritten.
>>>
>>> Would it be possible to have CAT allow them to download an installer, the
>>> Windows 7 installer in this case but perhaps others too, without the root
>>> certificate bundled with it, so that this prompt could be avoided?
>>>
>>> Of course, the assumption here is that their root certificate already exists
>>> amongst the list of well-known CA's in all (standard) Windows 7 clients - is it
>>> safe to make that assumption on the basis of exploring just a few standard
>>> installs of Windows 7?
>> Thanks for this... we've heard that a couple of times now. This is
>> really Tomasz's domain of work, but as he's busy the next few days,
>> here's what I (think I) remember:
>>
>> Tomasz implemented a sanity check in the beta1 code that would examine
>> the system before launching the actual install.
>>
>> One of the checks was whether the CA cert is already present in the
>> system (or user? or both?) store, and if so skip the installation of the
>> CA cert.
>>
>> I believe this would fix the issue you mention. It does not require two
>> different installers BTW, it's a scripted action in the default one.
>>
>> You can test this on the new beta1 release - which I hope we can finish
>> and deploy later this week.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>
>

--
HEAnet Limited
louis.twomey AT heanet.ie
5 George's Dock, IFSC, Dublin 1 Tel: +353-1-6609040
Web: http://www.heanet.ie Fax: +353-1-6603666
Registered in Ireland, no 275301 PGP key: C77D9256

--- Please consider the environment before printing this e-mail ---
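
The pre-install check discussed in this thread can be sketched as follows. This is an added example, not part of the original messages and not CAT's own installer code: the parameter `$CertPath`, its default file name and the function `Find-RootCertStore` are hypothetical, and matching by thumbprint rather than by subject name is an assumption of this sketch.

```powershell
# Added illustration of the "is the root CA already trusted?" check; not CAT code.
param(
    # Hypothetical path to the root CA file that an installer would bundle.
    [string]$CertPath = '.\bundled-root-ca.cer'
)

# Load the bundled certificate so its thumbprint can be compared with the stores.
$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

function Find-RootCertStore {
    # Returns the first root store that holds a certificate with this thumbprint,
    # or $null. A thumbprint match identifies the exact certificate; a subject
    # name match alone would also accept a different certificate with that name.
    param([string]$Thumbprint)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $hit = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($hit) { return $store }
    }
    return $null
}

$found = Find-RootCertStore -Thumbprint $cert.Thumbprint
if ($found) {
    # Present in the machine or user root store: skip the CA install entirely,
    # so the user sees no trust prompt.
    Write-Output "Root CA $($cert.Thumbprint) already present in $found; skipping install."
}
else {
    # Absent from both stores: add it to the per-user root store.
    # Windows asks the user to confirm additions to this store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    Write-Output "Root CA $($cert.Thumbprint) installed in Cert:\CurrentUser\Root."
}
```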




