Vascert does not have a functional backend on Linux and Unix because, unlike macOS, these platforms have no central certificate store. Issues similar to the following will happen when running ‘vascert pulse’:
RESOLUTION:
certstore-DEV.sh, located at /var/opt/quest/vascert/script, needs to be modified. vascert was intentionally designed to require further scripting in order to work properly. For vascert to function properly, the following functions require modification: exportMachineCerts and importMachineIdentity.
exportMachineCerts
Purpose
Determine if certificate autoenrollment needs to proceed
Description
Before calling this function, vascert creates a 0 byte file for certstore-DEV.sh to export certs into. If the file is still 0 bytes when the function returns, vascert proceeds to enroll for a new certificate. If, however, the file contains a valid certificate, vascert skips that template and either moves on to enroll for a different template or ends without error.
Parameters
$1 – The file passed in by vascert that vascert will check to determine if certificate autoenrollment needs to proceed.
$2 – One-time passphrase used by vascert to decrypt the pkcs12 file. When exporting the machine certs, this function must encrypt the file with that passphrase so vascert can read the contents.
Returns
0 – Success. Even if there are no certs to export, return 0 for vascert to continue with autoenrollment
Other than 0 – Failure. Any other return code causes vascert to fail and end here.
importMachineIdentity
Purpose
Now that vascert has a new certificate, pass its location to certstore-DEV.sh so it can be stored where it needs to be.
Description
Now that vascert has acquired a new certificate, store it where it needs to be. The location depends on the requirements of the software that will use the certificate. Please see that software's documentation for the location.
Parameters
$1 – Location of the certificate
Returns
0 – Success.
Other than 0 – Failure. Vascert will end with an error message.
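A sketch of the two functions following the parameters and return codes described above. This is an added example, not the contents of One Identity's certstore-DEV.sh. CERT_DIR, the machine-identity.pem file name, the 24-hour renewal window, and the assumption that vascert hands importMachineIdentity a PEM file containing the certificate and its private key are all hypothetical and must be adapted to the software that consumes the certificate.

```shell
#!/bin/sh
# Added example, not One Identity's certstore-DEV.sh.
# Assumptions: CERT_DIR, the machine-identity.pem name, and that vascert hands
# importMachineIdentity a PEM file holding the certificate and its private key.
CERT_DIR="${CERT_DIR:-/etc/vascert-example}"
IDENTITY_NAME="machine-identity.pem"

# $1 = 0-byte file created by vascert, $2 = one-time passphrase.
exportMachineCerts() {
    out="$1"
    pem="$CERT_DIR/$IDENTITY_NAME"

    # Nothing stored yet: leave $1 at 0 bytes and return 0 so vascert enrolls.
    [ -s "$pem" ] || return 0

    # Assumed renewal policy: a certificate that is unreadable or expires
    # within 24 hours is not exported, so vascert enrolls for a replacement.
    openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null 2>&1 || return 0

    # Hand the passphrase to openssl through the environment rather than argv,
    # so it is not visible in the process list.
    if VASCERT_P12_PASS="$2" openssl pkcs12 -export -in "$pem" \
           -passout env:VASCERT_P12_PASS -out "$out" 2>/dev/null; then
        return 0
    fi
    : > "$out"      # do not leave a partial PKCS#12 file for vascert to parse
    return 1
}

# $1 = location of the new certificate. The body runs in a subshell so the
# umask change does not leak into the caller; exit sets the return code.
importMachineIdentity() (
    [ -s "$1" ] || exit 1
    umask 077
    mkdir -p "$CERT_DIR" || exit 1
    tmp="$(mktemp "$CERT_DIR/.identity.XXXXXX")" || exit 1
    # Copy, then rename, so consumers never read a half-written file.
    if cp "$1" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$CERT_DIR/$IDENTITY_NAME"; then
        exit 0
    fi
    rm -f "$tmp"
    exit 1
)
```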
© 2024 One Identity LLC. ALL RIGHTS RESERVED.