Section 2.6.2, Pre-distributing a Trusted Publisher Certificate for the Client Installation
Section 2.6.4, Effects of the Micro Focus Certificate Expiration
Section 2.6.5, Importing the Micro Focus Certificate as a Trusted Publisher on a Single Machine
Section 2.6.6, Requirement of SHA-2 Certificates for Client for Open Enterprise Server
Starting with the Client for Open Enterprise Server 2 SP4 (IR4) and later, on Windows 10 platforms the Client has been signed using a Microsoft certificate instead of a Micro Focus certificate. This Microsoft signature is only valid for Windows 10 platforms, which includes the Windows Server 2016 and Windows Server 2019 platforms.
For these Windows 10 platforms, there will not be any Micro Focus publisher verification prompt presented by Windows during installation of the Client driver software. This is because Windows already considers the Microsoft signature to be part of the Trusted Publishers on a Windows machine.
Therefore, it is neither possible nor necessary to import or pre-distribute the Micro Focus certificate as a Trusted Publishers certificate on Windows 10 platforms. Windows does not evaluate the Micro Focus certificate during driver installation, nor does Windows present the Always trust software from Micro Focus option during installation on these Windows 10 platforms.
For Windows 10 platforms, all discussion of importing or pre-installing the Micro Focus certificate as a Trusted Publishers certificate can be ignored. The Microsoft certificate needed to pre-approve installation as a Trusted Publisher is already part of the Windows installation.
For all Windows 8.1 and earlier platforms, including Windows Server 2012 R2 and earlier, the Client remains signed with a Micro Focus certificate. For these Windows 8.1 and earlier platforms, Windows will prompt for publisher verification, and will present the Always trust software from Micro Focus option during installation.
Therefore, the remaining sections in this documentation which describe how to import and pre-distribute the Micro Focus certificate only apply to these Windows 8.1 and earlier platforms.
The Client uses Microsoft Authenticode digital signatures to verify Micro Focus as the publisher of Client drivers, as is required by the latest versions of Windows. During the Client installation, Windows presents an approval dialog box which lets you confirm whether software from Publisher: Micro Focus should be installed.
An Always trust software from Micro Focus option is also available. If you select this option, Windows adds the Micro Focus certificate to the Windows Trusted Publishers certificate list for the current Windows machine. The next time this Windows machine encounters driver software signed with the same Micro Focus certificate, Windows proceeds with installation rather than prompting you again for confirmation.
If you want to prevent Windows from presenting this publisher approval prompt as part of the Client installation, you can pre-distribute the Micro Focus certificate used to sign the Client installation set. Pre-distributing and pre-importing this Micro Focus certificate into the Windows machines’ Trusted Publishers certificate list will prevent Windows from prompting for verification during installation of any driver software signed with this certificate.
NOTE:Pre-distributing the Micro Focus certificate as a Trusted Publishers certificate on the workstation only eliminates the Microsoft publisher verification prompt that Windows presents during Client for Open Enterprise Server installation. To eliminate other confirmation prompts presented by the Client installation program, see the INSTALL.INI settings in Section 2.3, Using the Install.ini File. Configuring the INSTALL.INI settings is required for an installation to be initiated without any prompts through Client Update Agent or another software distribution mechanism like Novell ZENworks Configuration Management.
The best way to obtain the correct certificate for use in the Trusted Publishers list is to install the Client on a Windows machine, then select the Always trust software from Micro Focus option when prompted. Then use the Microsoft Certificate Management Console (certmgr.msc) to export the Micro Focus certificate visible in this Windows machine's Trusted Publishers certificate list.
NOTE:The exact name on the Micro Focus certificate may be “Micro Focus International plc” or may be “Micro Focus (US), Inc”, depending upon which release of the Client software is being installed. Whichever one of these is correct for the version of the Client being installed, this is the certificate being referred to in documentation as “the Micro Focus certificate.”
The exported certificate can be used to pre-distribute Micro Focus certificate as a Trusted Publishers certificate on Windows machines using any of the methods Microsoft makes available for pre-loading certificates used by Authenticode-signed software. This includes Microsoft support for distributing certificates during unattended installations of Windows, or through the use of Group Policies.
For more information on the options provided by Microsoft Windows for distributing software publisher certificates, see the Deploying Authenticode Digital Certificates in an Enterprise
section of Using Authenticode to Digitally Sign Driver Packages for Windows Server 2003 (Authenticode.doc, http://www.microsoft.com/whdc/driver/install/authenticode.mspx), and the Microsoft Windows Group Policy documentation.
Certificates have a start date and an expiration date, and the certificate a software publisher uses to digitally sign their release will eventually change as the current certificate reaches expiration and a new certificate is obtained.
For example, the Micro Focus certificate used to sign the Client for Open Enterprise Server 2 SP4 (IR9) release was valid from March 2016 to August 2018, so pre-distributing this certificate will work for automatically approving any of the Client for Open Enterprise Server software releases that occurred in this time period.
The next Client for Open Enterprise Server releases after August 2018, such as the Client for Open Enterprise Server 2 SP5, were signed with a new Micro Focus certificate which is valid from July 2018 to July 2021. Because this is a different certificate than the releases prior to August 2018, the certificate installed as a Trusted Publishers certificate for the previous releases does not continue to work for suppressing the Windows publisher approval prompt when installing releases after August 2018.
Customers who want to pre-distribute the Micro Focus certificate necessary to install Client releases that occurred during the time period of August 2018 to July 2021 must obtain the updated certificate from one of the post August 2018 releases, and then distribute this updated Micro Focus certificate as a Trusted Publisher on the workstations. Each time the certificate expires and is replaced with a new certificate in future releases, the certificate pre-installed on the workstations must be updated.
Expiration of the Micro Focus certificate does not mean that the Client for Open Enterprise Server will cease functioning, nor does it mean that installation of the Client for Open Enterprise Server will fail. When the existing Micro Focus certificate expires, workstations where this Micro Focus certificate was pre-distributed as a Trusted Publishers certificate will no longer be able to automatically approve the publisher verification prompt Windows presents during installation of future Client software.
However, Client software that was signed using a Micro Focus certificate which expired in August 2018 can continue being successfully installed and used even after August 2018. This is an intentional aspect of the Microsoft Authenticode signing behavior, which permits a signed file to also be given an independent time stamp signature. The time stamp signature allows Windows to validate that the signing certificate was valid at the time the files were signed, even if the signing certificate has subsequently expired.
Expiration of the Micro Focus certificate does not mean that the Client for Open Enterprise Server will cease functioning, nor does it mean that installation of the Client for Open Enterprise Server will fail after the expiration date. It also does not mean that the expired Micro Focus certificate should necessarily be removed from the Trusted Publishers store on the workstation.
Expiration of the existing Micro Focus certificate simply means that no future releases of the Client software will be signed with this same certificate. The next Client release after the expiration date will be signed with a different Micro Focus certificate, with a new start date and a new expiration date.
Windows continues to consider the expired Micro Focus certificate as valid. That is, Windows will continue being able to successfully verify software that had been signed with this certificate during the time period when the certificate was not yet expired.
For example, the Client for Open Enterprise Server 2 SP4 (IR9) release which was signed with the Micro Focus certificate valid from March 2016 to August 2018, Windows will continue verifying and allowing this software to install and run even after August 2018.
This also means that if you have the Micro Focus certificate valid from March 2016 to August 2018 installed as a Trusted Publishers certificate on the workstation, this certificate need to remain in the Trusted Publishers certificate store even after August 2018, to permit Windows to continue pre-approving the trusted publisher prompt that will occur when installing Client for Open Enterprise Server 2 SP4 (IR9) or any previous releases that were signed with this certificate; even though this certificate is now expired.
Having only the latest Micro Focus certificate installed in the Trusted Publishers certificate store does not guarantee pre-approval of the publisher verification prompt that Windows presents during Client for Open Enterprise Server installation. More specifically, you must install the certificate that was used to sign the particular release of the Client being installed.
This might be the latest Micro Focus certificate, or it might be a previous Micro Focus certificate which is now expired, depending upon when the particular Client release was made. Windows supports importing or maintaining multiple versions of the Micro Focus certificate (both expired and non-expired) concurrently, as needed to have the certificate necessary for the version(s) of Client being installed.
As described earlier, the easiest method for installing the Micro Focus certificate used to sign a particular Client release as a Trusted Publishers certificate for Windows is to use the Always trust software from Micro Focus option presented on the Windows publisher verification dialog during driver installation.
Should you want to import the Micro Focus certificate onto a single machine using the Microsoft Certificate Management Console (certmgr.msc), an important aspect will be to import the Micro Focus certificate into the Trusted Publishers certificate list that will be available to the Windows machine during driver installation, as opposed to the per-user Trusted Publishers certificate list that is specific to the current logged-on user.
For example, on Windows 7 the following steps can be used to import the certificate as a Trusted Publishers certificate available to the Windows driver installation process, such that a publisher verification dialog would not be presented when installing the Client:
Run CERTMGR.MSC (normally; do not have to force elevation via "Run as Administrator").
From the View menu, select Options and enable "Physical certificate stores".
Expand "Trusted Publishers" and select/highlight the "Local Computer" store.
Right-click on the "Local Computer" store, and from "All Tasks" choose "Import".
Browse to the Micro Focus certificate which had been exported from a different Windows machine, and on the "Certificate Store" page of the import wizard, ensure "Trusted Publishers\Local Computer" is selected.
Complete the Import wizard, and ensure the Micro Focus certificate shows under "Trusted Publishers\Local Computer" in the CERTMGR.MSC console.The selection of the Local Computer certificate store during the certificate import process is what ensures the Micro Focus certificate is being imported in a way that will be available as a Trusted Publisher to the Windows driver installation process. This is exactly what happens automatically when using the Always trust software from Micro Focus option during an interactive Client installation.
For additional information on the Trusted Publishers certificate store and the Local Computer certificate store, see Trusted Publishers Certificate Store and Local Computer and Current User Certificate Stores.
Client for Open Enterprise Sever 2 SP4 (IR3) and later is signed using a new Micro Focus SHA-2 certificate, due to Windows’ deprecation of SHA-1 certificates.
For successful installation of Client on Windows 7 and Windows Server 2008 R2, ensure to install the Microsoft Security Update KB3033929 to add support for SHA-2 certification.