The Client uses Microsoft Authenticode digital signatures to verify Novell, Inc. as the publisher of Client drivers, as is required by the latest versions of Windows. During the Client installation, Windows presents an approval dialog box that lets you confirm whether software from Novell, Inc. should be installed.
An Always trust software from Novell, Inc. option is also available. If you select this option, Windows adds the Novell, Inc. certificate to the Trusted Publisher certificate list for the current Windows machine. The next time this Windows machine encounters driver software signed with the same Novell, Inc. certificate, Windows proceeds with installation rather than prompting you again for confirmation.
If you want to keep Windows from presenting this installation approval (for the Client or for any other driver software using publisher-signed Authenticode signatures), you can pre-distribute the publisher's public certificate used for Authenticode signing to the Windows machine's Trusted Publisher certificate list prior to installation of the driver software.
For the Client, the certificate used for Authenticode signing is the Verisign public certificate for Novell, Inc. The best way to obtain the correct certificate for use in the Trusted Publisher certificate list is to install the Client on a Windows machine, then select the Always trust software from Novell, Inc. option when prompted. Then use the Microsoft Certificate Management Console (certmgr.msc) to export the Novell, Inc. certificate visible in this Windows machine's certificate list.
The exported certificate can be used to pre-distribute Novell, Inc. as a Trusted Publisher certificate on Windows machines using any of the methods Microsoft makes available for pre-loading certificates used by Authenticode-signed software. This includes Microsoft support for distributing certificates during unattended installations of Windows, or through the use of Group Policies.
For more information on the options provided by Microsoft Windows for distributing software publisher certificates, see the Deploying Authenticode Digital Certificates in an Enterprise section of Using Authenticode to Digitally Sign Driver Packages for Windows Server 2003 (Authenticode.doc, http://www.microsoft.com/whdc/driver/install/authenticode.mspx), and the Microsoft Windows Group Policy documentation (http://www.microsoft.com/grouppolicy/).
Certificates have an expiration date, and the certificate a software publisher uses will eventually change as the current certificate reaches expiration and a renewed certificate is obtained. For example, the certificate currently used to sign the Novell Client 2 SP1 for Windows (IR2) and later is valid until April 2013, so pre-distributing this certificate will work for future Novell Client software releases until April 2013.
Customers who pre-published the previous Novell, Inc. certificate, which expired in April 2010, will need to pre-distribute the updated Novell, Inc. certificate, which expires in 2013, in order to continue having Windows treat Novell, Inc. as a Trusted Publisher on the workstation. Customers can obtain the updated Novell, Inc. certificate from Client releases which were published after April 2010, such as the Novell Client 2 SP1 (IR2) and later.
Expiration of the Novell, Inc. certificate does not mean that the Client for Open Enterprise Server will cease functioning, nor does it mean that installation of the Client for Open Enterprise Server will fail. Expiration of the existing Novell, Inc. certificate simply prevents workstations where the Novell, Inc. certificate was pre-distributed as a Trusted Publisher from being able to automatically approve the publisher verification prompt Windows presents during installation of future Client software that has been signed with the updated, non-expired Novell, Inc. certificate.
Client software that was signed using the Novell, Inc. certificate which expired in April 2010 can continue being successfully installed and used even after April 2010. This is an intentional aspect of the Microsoft Authenticode signing behavior, which permits a signed file to also be given an independent time stamp signature. The time stamp signature allows Windows to validate that the signing certificate was valid at the time the files were signed, even if the signing certificate has subsequently expired.
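
The following PowerShell function is an added example, not part of the original Novell documentation. It reports, for each signed file, whether the signer certificate has expired, whether a time stamp signature is present, and whether the signer is a Trusted Publisher for the machine or only for the current user. The function name and the file path in the usage comment are hypothetical.

```powershell
# Added example: relate signer-certificate expiry to the time stamp signature
# and to Trusted Publisher placement (machine-wide vs. per-user only).
function Get-SignerReport {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($file in (Get-Item -Path $Path)) {
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = $sig.SignerCertificate
        if (-not $signer) {
            # Unsigned, or a file type this cmdlet cannot inspect.
            New-Object psobject -Property @{ File = $file.Name; Status = $sig.Status }
            continue
        }

        $thumb   = $signer.Thumbprint
        $machine = Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb"
        # The current-user view can also list machine-store entries, so only
        # "in the user view but not in the machine store" is meaningful here.
        $user    = Test-Path "Cert:\CurrentUser\TrustedPublisher\$thumb"

        New-Object psobject -Property @{
            File           = $file.Name
            Status         = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer         = $signer.Subject
            SignerNotAfter = $signer.NotAfter
            SignerExpired  = ($signer.NotAfter -lt (Get-Date))
            TimeStamped    = ($null -ne $sig.TimeStamperCertificate)
            MachineTrusted = $machine
            PerUserOnly    = ($user -and -not $machine)
        }
    }
}

# Usage (placeholder path; point it at the signed files of the release you deploy):
# Get-SignerReport -Path 'C:\path\to\signed\files\*' | Format-List
```

A row with SignerExpired and TimeStamped both True and Status Valid is the situation described above: the signature still validates because the time stamp shows the certificate was valid at signing time.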
As described earlier, the easiest method for installing the Novell, Inc. certificate used to sign a particular Client release as a Trusted Publisher certificate for Windows is to use the Always trust software from Novell, Inc. option presented on the Windows publisher verification dialog during driver installation.
Should you want to import the Novell, Inc. certificate onto a single machine using the Microsoft Certificate Management Console (certmgr.msc), an important aspect will be to import the Novell, Inc. certificate into the Trusted Publisher certificate list that will be available to the Windows machine during driver installation, as opposed to the per-user Trusted Publisher certificate list that is specific to the current logged-on user.
For example, on Windows 7 the following steps can be used to import the certificate as a Trusted Publisher available to the Windows driver installation process, such that a publisher verification dialog would not be presented when installing the Client:
1. Run CERTMGR.MSC normally; you do not have to force elevation via "Run as Administrator".
2. From the View menu, select Options and enable "Physical certificate stores".
3. Expand "Trusted Publishers" and select/highlight the "Local Computer" store.
4. Right-click on the "Local Computer" store, and from "All Tasks" choose "Import".
5. Browse to the Novell, Inc. certificate which had been exported from a different Windows machine, and on the "Certificate Store" page of the import wizard, ensure "Trusted Publishers\Local Computer" is selected.
6. Complete the Import wizard, and ensure the Novell, Inc. certificate shows under "Trusted Publishers\Local Computer" in the CERTMGR.MSC console.

The selection of the Local Computer certificate store during the certificate import process is what ensures the Novell, Inc. certificate is being imported in a way that will be available as a Trusted Publisher to the Windows driver installation process. Again, this all happens automatically when using the Always trust software from Novell, Inc. option during an interactive Client installation.
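
The import procedure above can also be scripted. The following PowerShell function is an added example, not part of the original Novell documentation. It checks the exported certificate's subject and expiration date, then adds it to the Local Computer Trusted Publisher store rather than the per-user one. The function name, the certificate path and the subject pattern are assumptions, and the session is assumed to have administrative rights to write to the Local Computer store.

```powershell
# Added example: import an exported publisher certificate into the Local Computer
# "Trusted Publishers" store and confirm it landed there.
function Import-TrustedPublisherCert {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,
        # Assumed subject pattern, based on the publisher name this page uses.
        [string]$ExpectedSubject = '*Novell, Inc.*'
    )

    $file = (Resolve-Path $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

    # Refuse to trust a certificate that is not the publisher we expect.
    if ($cert.Subject -notlike $ExpectedSubject) {
        throw "Unexpected certificate subject: $($cert.Subject)"
    }
    # An expired certificate will not match releases signed with the renewed one.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter); export the current one from a newer release."
    }

    # LocalMachine, not CurrentUser: this is the store the driver installation
    # process consults. Both arguments are converted by PowerShell.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList 'TrustedPublisher', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($existing.Count -eq 0) { $store.Add($cert) }
        $present = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0
    }
    finally {
        $store.Close()
    }

    New-Object psobject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        InMachineTrustedPublisher = $present
    }
}

# Usage (placeholder path to the certificate exported with certmgr.msc):
# Import-TrustedPublisherCert -CertPath 'C:\path\to\exported-publisher.cer'
```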