Signing power state transition scripts with digital certificates

Surveyor 6.x

Knowledge Base

As a security measure, every script that can run as part of a power state transition rule must be signed with a digital certificate, and the certificate for the script must be installed on both the client and the Surveyor server.

You can use a self-signed certificate, or a certificate signed by a recognized Certificate Authority (CA). If multiple certificates are installed on the Surveyor server, you can select a specific certificate for each script.

Using self-signed certificates

A CA certificate and a code signing certificate (issued by that CA) must be installed on the Surveyor server, with their private keys. The public portion of the CA certificate must be installed on each client machine; installing the public portion of the code signing certificate on the client as well is optional and only suppresses the publisher-trust prompt (see below).

To create a self-signed root CA certificate, use the makecert program distributed with the .NET Framework 2.0 SDK (later versions ship with the Windows SDK).

  1. Make sure that the folder containing the makecert and certmgr executables is in your Windows PATH system variable.
  2. On the machine hosting Surveyor server, run the following from the command prompt:
    makecert -n "CN=Local Surveyor Script Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
  3. Enter and re-enter a password.

    Two files are created: root.cer is the public certificate that will be distributed to clients, and root.pvk is the password-protected private key that will be used to sign the code signing certificate. Protect root.pvk (and the code signing private key created in the next step): anyone who holds them can sign scripts that every client will trust and run.

  4. Create a code signing certificate by running the following command:
    makecert -pe -n "CN=Local Verdiem Scripting User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
  5. Enter the password you created for the CA certificate.
  6. Install the public portion of the CA certificate on the client machine.

    Copy the root.cer file to the client machine and run the certmgr.exe program:

    certmgr.exe /add root.cer /s /r localMachine root

If you don't want users to be prompted to confirm that they trust the publisher, you must install the code signing certificate, in addition to the CA certificate, on the client machine:

  1. Export the code signing certificate.

    On the Surveyor server computer, run certmgr.exe without any arguments (for example, from the Run dialog or a command prompt) to open the Certificate Manager window.

  2. Click the Personal tab.
  3. Locate and select the code-signing certificate previously created.
  4. Click Export.
    NOTE: Some versions of the Certificate Manager do not display an Export button. If this is the case, right-click on the certificate and choose All Tasks > Export.
  5. Choose the option to not export the private key.
  6. Select DER encoded binary X.509 (.CER), or ensure that it is already selected.
  7. Enter the name of the file for the exported certificate.
  8. Click Finish in the wizard to export the certificate.
  9. Copy the code signing certificate file to the client machine, and install it by running the following command:
    certmgr.exe /add {certificate export file name} /s /r localMachine trustedPublisher
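The same procedure, written as a PowerShell script rather than makecert/certmgr calls, is shown below. This is an added example, not part of the Surveyor documentation or product: it uses New-SelfSignedCertificate (Windows 8.1 / Server 2012 R2 and later) to create the root CA and the code signing certificate, exports only their public portions, installs them into the client's Root and TrustedPublisher stores, and then signs a sample transition script and checks what a client would see. The output folder, the sample script and its contents are constructed for the example; the subject names are the ones used on this page. Whether the Surveyor client accepts a SHA-256 signature on a particular script type is an assumption and must be confirmed against the product; the page's own commands use SHA-1.

```powershell
#Requires -RunAsAdministrator
# Added example (not Surveyor's own tooling). Equivalent of the makecert/certmgr steps above,
# plus a signing and verification check. Run on one machine to play both server and client roles.
$ErrorActionPreference = 'Stop'
$OutDir = Join-Path $env:TEMP 'surveyor-signing'   # assumption: any folder works
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

function New-SurveyorSigningCerts {
    # Steps 2-3: self-signed root CA in the server's machine store (keys stay here).
    $root = New-SelfSignedCertificate -Type Custom `
        -Subject 'CN=Local Surveyor Script Certificate Root' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage CertSign, CRLSign, DigitalSignature `
        -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
        -NotAfter (Get-Date).AddYears(10) -CertStoreLocation 'Cert:\LocalMachine\My'

    # Step 4: code signing certificate issued by that root.
    # -Type CodeSigningCert sets EKU 1.3.6.1.5.5.7.3.3, the same OID the makecert line uses.
    $leaf = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=Local Verdiem Scripting User' -Signer $root `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(2) -CertStoreLocation 'Cert:\LocalMachine\My'

    # Export the public halves only, as DER .cer files (like the "do not export the private key" wizard choice).
    Export-Certificate -Cert $root -FilePath (Join-Path $OutDir 'root.cer')     -Type CERT | Out-Null
    Export-Certificate -Cert $leaf -FilePath (Join-Path $OutDir 'codesign.cer') -Type CERT | Out-Null
    return $leaf
}

function Install-SurveyorClientCerts {
    param([string]$RootCer, [string]$CodeSignCer)
    # Equivalent of: certmgr.exe /add root.cer /s /r localMachine root
    Import-Certificate -FilePath $RootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    # Equivalent of: certmgr.exe /add codesign.cer /s /r localMachine trustedPublisher (optional)
    if ($CodeSignCer) {
        Import-Certificate -FilePath $CodeSignCer -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null
    }
}

function Test-ScriptTrust {
    # What a client sees: signature status (chain built against LocalMachine\Root)
    # and whether the signer is also a trusted publisher (no prompt).
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $publisherTrusted = $false
    if ($sig.SignerCertificate) {
        $publisherTrusted = [bool](Get-ChildItem 'Cert:\LocalMachine\TrustedPublisher' |
            Where-Object Thumbprint -eq $sig.SignerCertificate.Thumbprint)
    }
    [pscustomobject]@{
        Path             = $Path
        Status           = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        PublisherTrusted = $publisherTrusted
    }
}

# --- Server side: create certificates and export the public portions ---
$leaf = New-SurveyorSigningCerts

# --- Client side: install root.cer (required) and codesign.cer (optional) ---
Install-SurveyorClientCerts -RootCer (Join-Path $OutDir 'root.cer') `
                            -CodeSignCer (Join-Path $OutDir 'codesign.cer')

# --- Sign a constructed sample transition script and check it ---
$script = Join-Path $OutDir 'before-standby.ps1'            # constructed sample, not a Surveyor file
Set-Content -Path $script -Value 'Write-Host "Preparing for standby"'
Set-AuthenticodeSignature -FilePath $script -Certificate $leaf -HashAlgorithm SHA256 | Out-Null
Test-ScriptTrust -Path $script

# Any change after signing invalidates the signature, which is the point of the requirement.
Add-Content -Path $script -Value 'Write-Host "added after signing"'
Test-ScriptTrust -Path $script
```

The first Test-ScriptTrust call reports a valid signature with the signer listed as a trusted publisher; the second, after the file was modified, reports a hash mismatch because the signature no longer covers the file's contents. On a real deployment only the two .cer files are copied to clients; the private keys stay in the server's LocalMachine\My store, which is the property the whole scheme depends on.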