2.6 Signing Requirements for the Client Installation

2.6.1 Pre-distributing a Trusted Publisher Certificate for the Client Installation

The Client uses Microsoft Authenticode digital signatures to verify Novell, Inc. as the publisher of Client drivers, as is required by the latest versions of Windows. During the Client installation, Windows presents an approval dialog box which lets you confirm whether software from Publisher: Novell, Inc. should be installed.

An Always trust software from Novell, Inc. option is also available. If you select this option, Windows adds the Novell, Inc. certificate to the Windows Trusted Publishers certificate list for the current Windows machine. The next time this Windows machine encounters driver software signed with the same Novell, Inc. certificate, Windows proceeds with installation rather than prompting you again for confirmation.

If you want to keep Windows from presenting this installation approval (for the Client or for any other driver software using publisher-signed Authenticode signatures), you can pre-distribute the publisher's public certificate used for Authenticode signing to the Windows machine's Trusted Publishers certificate list prior to installation of the driver software.

NOTE: Pre-distributing the Novell, Inc. certificate as a Trusted Publishers certificate on the workstation only eliminates the Microsoft publisher verification prompt that Windows presents during Client for Open Enterprise Server installation. To eliminate other confirmation prompts presented by the Client installation program, see the INSTALL.INI settings in Section 2.3, Using the Install.ini File. Configuring the INSTALL.INI settings is required for an installation to be initiated without any prompts through Client Update Agent or another software distribution mechanism like Novell ZENworks Configuration Management.

For the Client, the certificate used for Authenticode signing is the Verisign public certificate for Novell, Inc. The best way to obtain the correct certificate for use in the Trusted Publishers list is to install the Client on a Windows machine, then select the Always trust software from Novell, Inc. option when prompted. Then use the Microsoft Certificate Management Console (certmgr.msc) to export the Novell, Inc. certificate visible in this Windows machine's Trusted Publishers certificate list.

The exported certificate can be used to pre-distribute Novell, Inc. as a Trusted Publishers certificate on Windows machines using any of the methods Microsoft makes available for pre-loading certificates used by Authenticode-signed software. This includes Microsoft support for distributing certificates during unattended installations of Windows, or through the use of Group Policies.

For more information on the options provided by Microsoft Windows for distributing software publisher certificates, see the Deploying Authenticode Digital Certificates in an Enterprise section of Using Authenticode to Digitally Sign Driver Packages for Windows Server 2003 (Authenticode.doc, http://www.microsoft.com/whdc/driver/install/authenticode.mspx), and the Microsoft Windows Group Policy documentation (http://www.microsoft.com/grouppolicy/).

2.6.2 Expiration of the Novell, Inc. Certificate

Certificates have a start date and an expiration date, and the certificate a software publisher uses to digitally sign their release will eventually change as the current certificate reaches expiration and a new certificate is obtained.

For example, the Novell, Inc. certificate used to sign the releases from Novell Client 2 SP1 for Windows (IR2) through Novell Client 2 SP3 for Windows (IR1) is valid from April 2010 to April 2013, so pre-distributing this certificate will work for automatically approving any of the Novell Client software releases that occurred in this time period.

The next Novell Client for Windows release after April 2013, such as the Novell Client 2 SP3 for Windows (IR2), will be signed with a new Novell, Inc. certificate which is valid from April 2013 to April 2016. Customers who want to pre-distribute the Novell, Inc. certificate necessary to approve Client releases that occur during the time period April 2013 to April 2016 must obtain the updated certificate from one of the post April 2013 releases, and then distribute this updated Novell, Inc. certificate as a Trusted Publisher on the workstations.

2.6.3 Effects of the Novell, Inc. Certificate Expiration

Expiration of the Novell, Inc. certificate does not mean that the Client for Open Enterprise Server will cease functioning, nor does it mean that installation of the Client for Open Enterprise Server will fail. Expiration of the existing Novell, Inc. certificate simply prevents workstations where the Novell, Inc. certificate was pre-distributed as a Trusted Publisher from being able to automatically approve the publisher verification prompt Windows presents during installation of future Client software that has been signed with the updated, non-expired Novell, Inc. certificate.

Client software that was signed using the Novell, Inc. certificate which expired in April 2010 can continue being successfully installed and used even after April 2010. This is an intentional aspect of the Microsoft Authenticode signing behavior, which permits a signed file to also be given an independent time stamp signature. The time stamp signature allows Windows to validate that the signing certificate was valid at the time the files were signed, even if the signing certificate has subsequently expired.

Expiration of the Novell, Inc. certificate does not mean that the Client for Open Enterprise Server will cease functioning, nor does it mean that installation of the Client for Open Enterprise Server will fail after the expiration date. It also does not mean that the expired Novell, Inc. certificate should be removed from the Trusted Publishers store on the workstation.

Expiration of the existing Novell, Inc. certificate simply means that no future releases of the Client software will be signed with this same certificate. The next Client release after the expiration date will be signed with a different Novell, Inc. certificate, with a new start date and a new expiration date.

Windows continues to consider the expired Novell, Inc. certificate as valid. That is, Windows will continue being able to successfully verify software that had been signed with this certificate during the time period when the certificate was not yet expired.

This behavior of an expired certificate still being able to be validated is an intentional aspect of the Microsoft Authenticode signing behavior, which permits a signed file to also be given an independent time stamp signature. The time stamp signature allows Windows to validate that the signing certificate was valid at the time the files were signed, even if the signing certificate has subsequently expired.

For the releases from Novell Client 2 SP1 for Windows (IR2) through Novell Client 2 SP3 for Windows (IR1), which were signed with the Novell, Inc. certificate valid from April 2010 to April 2013, Windows will continue verifying and allowing this software to install and run even after April 2013.

This also means that if you have the Novell, Inc. certificate valid from April 2010 to April 2013 installed as a Trusted Publisher on the workstation, this certificate needs to remain in the Trusted Publishers certificate store even after April 2013, to permit Windows to continue pre-approving the trusted publisher prompt that will occur when installing any of the previous releases from Novell Client 2 SP1 for Windows (IR2) through Novell Client 2 SP3 for Windows (IR1) that were signed with this certificate, which has now expired.

Only having the latest Novell, Inc. certificate in the Trusted Publishers certificate store does not guarantee the pre-approval of the publisher verification prompt that Windows presents during Client for Open Enterprise Server installation. More specifically, you must have the certificate that was used to sign the particular release of the Client being installed, which might be the latest Novell, Inc. certificate or a previous (now expired) Novell, Inc. certificate, depending upon when that Client release was made. Windows supports importing and maintaining multiple versions of the Novell, Inc. certificate (both expired and non-expired) concurrently, as needed to have the certificate necessary for the version(s) of the Client being installed.

2.6.4 Importing the Novell, Inc. Certificate as a Trusted Publisher on a Single Machine

As described earlier, the easiest method for installing the Novell, Inc. certificate used to sign a particular Client release as a Trusted Publisher certificate for Windows is to use the Always trust software from Novell, Inc. option presented on the Windows publisher verification dialog during driver installation.

Should you want to import the Novell, Inc. certificate onto a single machine using the Microsoft Certificate Management Console (certmgr.msc), it is important to import it into the Trusted Publishers certificate list that is available to the Windows machine during driver installation (the Local Computer store), as opposed to the per-user Trusted Publishers certificate list that is specific to the currently logged-on user.

For example, on Windows 7 the following steps can be used to import the certificate as a Trusted Publisher available to the Windows driver installation process, such that a publisher verification dialog would not be presented when installing the Client:

  1. Run CERTMGR.MSC normally; you do not need to force elevation via "Run as Administrator".

  2. From the View menu, select Options and enable "Physical certificate stores".

  3. Expand "Trusted Publishers" and select/highlight the "Local Computer" store.

  4. Right-click on the "Local Computer" store, and from "All Tasks" choose "Import".

  5. Browse to the Novell, Inc. certificate which had been exported from a different Windows machine, and on the "Certificate Store" page of the import wizard, ensure "Trusted Publishers\Local Computer" is selected.

  6. Complete the Import wizard, and ensure the Novell, Inc. certificate shows under "Trusted Publishers\Local Computer" in the CERTMGR.MSC console.

The selection of the Local Computer certificate store during the certificate import process is what ensures the Novell, Inc. certificate is being imported in a way that will be available as a Trusted Publisher to the Windows driver installation process. Again, this all happens automatically when using the Always trust software from Novell, Inc. option during an interactive Client installation.
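The following PowerShell script is an added example, not part of this documentation or the Client installation program. It performs the same check and import as the steps above without the console: it verifies the Authenticode signature of one signed Client file, reports the signer certificate's validity period and whether a time stamp countersignature is present (the reason an expired certificate still verifies, as Section 2.6.3 describes), and then adds that exact signer certificate to the Local Computer Trusted Publishers store if it is not already there. The file path is a placeholder; writing to the Local Computer store requires an elevated session.

```powershell
# Added example; the file path below is a placeholder assumption, not a path from this documentation.
$SignedFile = 'C:\Temp\ClientSetup\placeholder-signed-driver.sys'

# Verify the Authenticode signature of the file and pull out the signer certificate.
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
$signer = $sig.SignerCertificate
Write-Host "Signer     : $($signer.Subject)"
Write-Host "Valid from : $($signer.NotBefore.ToShortDateString()) to $($signer.NotAfter.ToShortDateString())"
Write-Host "Thumbprint : $($signer.Thumbprint)"

# The time stamp countersignature is what lets Windows keep accepting the file after the
# signer certificate expires, so an expired signer is not by itself a reason to remove it.
if ($sig.TimeStamperCertificate) {
    Write-Host "Time stamp : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Warning "No time stamp countersignature; this file stops verifying once the signer certificate expires."
}
if ($signer.NotAfter -lt (Get-Date)) {
    Write-Host "Signer certificate has expired, but the signature still verifies (status Valid)."
}

# Driver installation consults the Local Computer (machine-wide) Trusted Publishers store,
# not the per-user store, so open that one. ReadWrite on LocalMachine needs elevation.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates.Find('FindByThumbprint', $signer.Thumbprint, $false)
    if ($present.Count -gt 0) {
        Write-Host "Signer certificate already in LocalMachine\TrustedPublisher; no publisher prompt expected."
    } else {
        # Import the certificate that actually signed this release, whether or not it has expired;
        # only the latest publisher certificate would not pre-approve an older release.
        $store.Add($signer)
        Write-Host "Imported signer certificate into LocalMachine\TrustedPublisher."
    }
} finally {
    $store.Close()
}
```

Run the script once per distinct signer certificate (for example, once against a release signed with the April 2010 to April 2013 certificate and once against a later release) so that each certificate needed for the Client versions you install is present in the store.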

For additional information on the Trusted Publishers certificate store and the Local Computer certificate store, see Trusted Publishers Certificate Store and t.

2.6.5 Requirement of SHA-2 Certificates for Client for Open Enterprise Server

Client for Open Enterprise Server 2 SP4 (IR3) and later is signed using a new Micro Focus SHA-2 certificate, due to Windows' deprecation of SHA-1 certificates.

For successful installation of the Client on Windows 7 and Windows Server 2008 R2, install the Microsoft Security Update KB3033929, which adds support for SHA-2 code signing.