2.6 Signing Requirements for the Novell Client Installation

2.6.1 Pre-distributing a Trusted Publisher Certificate for the Novell Client Installation

The Novell Client for Windows uses Microsoft Authenticode digital signatures to verify Novell, Inc. as the publisher of Novell Client drivers, as is required by the latest versions of Windows. During the Novell Client installation, Windows presents an approval dialog box which lets you confirm whether software from Publisher: Novell, Inc. should be installed.

An Always trust software from Novell, Inc. option is also available. If you select this option, Windows adds the Novell, Inc. certificate to the Windows Trusted Publishers certificate list for the current Windows machine. The next time this Windows machine encounters driver software signed with the same Novell, Inc. certificate, Windows proceeds with installation rather than prompting you again for confirmation.

If you want to keep Windows from presenting this installation approval (for the Novell Client or for any other driver software using publisher-signed Authenticode signatures), you can pre-distribute the publisher's public certificate used for Authenticode signing to the Windows machine's Trusted Publishers certificate list prior to installation of the driver software.

For the Novell Client, the certificate used for Authenticode signing is the Verisign public certificate for Novell, Inc. The best way to obtain the correct certificate for use in the Trusted Publishers list is to install the Novell Client on a Windows machine, then select the Always trust software from Novell, Inc. option when prompted. Then use the Microsoft Certificate Management Console (certmgr.msc) to export the Novell, Inc. certificate visible in this Windows machine's Trusted Publishers certificate list.

The exported certificate can be used to pre-distribute Novell, Inc. as a Trusted Publishers certificate on Windows machines using any of the methods Microsoft makes available for pre-loading certificates used by Authenticode-signed software. This includes Microsoft support for distributing certificates during unattended installations of Windows, or through the use of Group Policies.

For more information on the options provided by Microsoft Windows for distributing software publisher certificates, see the Deploying Authenticode Digital Certificates in an Enterprise section of Using Authenticode to Digitally Sign Driver Packages for Windows Server 2003 (Authenticode.doc, http://www.microsoft.com/whdc/driver/install/authenticode.mspx), and the Microsoft Windows Group Policy documentation (http://www.microsoft.com/grouppolicy/).

2.6.2 Expiration of the Novell, Inc. Certificate

Certificates have an expiration date, and the certificate a software publisher uses will eventually change as the current certificate reaches expiration and a renewed certificate is obtained. For example, the certificate currently used to sign the Novell Client 2 SP1 for Windows (IR2) and later is valid until April 2013, so pre-distributing this certificate will work for future Novell Client software releases until April 2013.

Customers who pre-published the previous Novell, Inc. certificate, which expired in April 2010, will need to pre-distribute the updated Novell, Inc. certificate, which expires in 2013, in order to continue having Windows treat Novell, Inc. as a Trusted Publisher on the workstation. Customers can obtain the updated Novell, Inc. certificate from Novell Client for Windows releases which were published after April 2010, such as the Novell Client 2 SP1 (IR2) and later.

2.6.3 Effects of the Novell, Inc. Certificate Expiration

Expiration of the Novell, Inc. certificate does not mean that the Novell Client for Windows software will cease functioning, nor does it mean that installation of the Novell Client for Windows will fail. Expiration of the existing Novell, Inc. certificate simply prevents workstations where the Novell, Inc. certificate was pre-distributed as a Trusted Publisher from being able to automatically approve the publisher verification prompt Windows presents during installation of future Novell Client software that has been signed with the updated, non-expired Novell, Inc. certificate.

Novell Client software that was signed using the Novell, Inc. certificate which expired in April 2010 can continue being successfully installed and used even after April 2010. This is an intentional aspect of the Microsoft Authenticode signing behavior, which permits a signed file to also be given an independent time stamp signature. The time stamp signature allows Windows to validate that the signing certificate was valid at the time the files were signed, even if the signing certificate has subsequently expired.

2.6.4 Importing the Novell, Inc. Certificate as a Trusted Publisher on a Single Machine

As described earlier, the easiest method for installing the Novell, Inc. certificate used to sign a particular Novell Client release as a Trusted Publisher certificate for Windows is to use the Always trust software from Novell, Inc. option presented on the Windows publisher verification dialog during driver installation.

Should you want to import the Novell, Inc. certificate onto a single machine using the Microsoft Certificate Management Console (certmgr.msc), it is important to import the Novell, Inc. certificate into the Trusted Publisher certificate list that will be available to the Windows machine during driver installation, as opposed to the per-user Trusted Publisher certificate list that is specific to the current logged-on user.

For example, on Windows 7 the following steps can be used to import the certificate as a Trusted Publisher available to the Windows driver installation process, such that a publisher verification dialog would not be presented when installing the Novell Client:

  1. Run CERTMGR.MSC normally (you do not have to force elevation via "Run as Administrator").

  2. From the View menu, select Options and enable "Physical certificate stores".

  3. Expand "Trusted Publishers" and select/highlight the "Local Computer" store.

  4. Right-click on the "Local Computer" store, and from "All Tasks" choose "Import".

  5. Browse to the Novell, Inc. certificate which had been exported from a different Windows machine, and on the "Certificate Store" page of the import wizard, ensure "Trusted Publishers\Local Computer" is selected.

  6. Complete the Import wizard, and ensure the Novell, Inc. certificate shows under "Trusted Publishers\Local Computer" in the CERTMGR.MSC console.

The selection of the Local Computer certificate store during the certificate import process is what ensures the Novell, Inc. certificate is being imported in a way that will be available as a Trusted Publisher to the Windows driver installation process. Again, this all happens automatically when using the Always trust software from Novell, Inc. option during an interactive Novell Client installation.
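A scripted counterpart to the steps above, added here as an example and not taken from the Novell documentation: it confirms that the exported certificate is the one that actually signed the release being deployed, reports the expiration and time stamp conditions described in 2.6.2 and 2.6.3, and then imports into the Local Computer store rather than the per-user store. Both file paths are placeholders, and the script is assumed to run in an elevated PowerShell session.

```powershell
# Added example: verify, then import a publisher certificate into
# Trusted Publishers\Local Computer. Paths below are placeholders.
param(
    [string]$CerPath    = 'C:\Temp\novell-publisher.cer',       # placeholder: exported certificate
    [string]$SignedFile = 'C:\Temp\NovellClient\example.cat'    # placeholder: a signed file from the release
)

# Load the exported certificate and show what is about to be trusted.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"

# The Trusted Publishers entry only suppresses the prompt when it is the same
# certificate that signed the files, so compare thumbprints before importing.
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if ($sig.Status -ne 'Valid') {
    throw "Signature on $SignedFile is '$($sig.Status)'; not importing."
}
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported certificate did not sign $SignedFile; export the one used for this release."
}

# Expiration does not invalidate time-stamped files, but releases signed with
# a renewed certificate will need that renewed certificate distributed.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter); newer releases use a renewed certificate."
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "No time stamp signature on $SignedFile; it cannot be validated past certificate expiration."
}

# Import into LocalMachine\TrustedPublisher (the store driver installation
# consults), not CurrentUser\TrustedPublisher.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

# Confirm the certificate is now visible in the Local Computer store.
$found = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) { throw "Import failed: certificate not found in LocalMachine\TrustedPublisher." }
"Imported $($cert.Thumbprint) into Trusted Publishers\Local Computer"
```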

For additional information on the Trusted Publishers certificate store and the Local Computer certificate store, see Trusted Publishers Certificate Store and t.