diff --git a/README.md b/README.md
index 6666bcb..3ea8c66 100644
--- a/README.md
+++ b/README.md
@@ -162,12 +162,14 @@ sudo ./install_certs_macos.sh \
 **Exit code:** 0 if all checks pass, 1 if any check fails.
+Use a substring from your CA subject as `` (find it with `openssl x509 -in -noout -subject`).
+
 ```bash
 # After install: validate current user’s config and cert path(s)
-./validate_install_macos.sh --expected-subject Zscaler
+./validate_install_macos.sh --expected-subject ""
 # Validate every user’s config (run as root)
-sudo ./validate_install_macos.sh --expected-subject Zscaler --all-users
+sudo ./validate_install_macos.sh --expected-subject "" --all-users
 ```
 ---
@@ -372,7 +374,7 @@ Re-runs **merge** certs: if the target file already exists, the script saves its
 Run from a directory that contains the script (or use full path):
 ```powershell
-powershell -ExecutionPolicy Bypass -File install_certs_windows.ps1 -Package all -CertName Zscaler -ExtractPath certs\npm
+powershell -ExecutionPolicy Bypass -File install_certs_windows.ps1 -Package all -CertName "Your Org Root CA" -ExtractPath certs\npm
 # Or use an existing PEM:
 powershell -ExecutionPolicy Bypass -File install_certs_windows.ps1 -Package all -UseCert C:\path\to\ca.pem
 ```
@@ -391,7 +393,7 @@ powershell -ExecutionPolicy Bypass -File install_certs_windows.ps1 -Package all
 **Extract from store and configure all users (run as admin):**
 ```powershell
-.\install_certs_windows.ps1 -Package all -CertName Zscaler -ExtractPath certs\npm
+.\install_certs_windows.ps1 -Package all -CertName "Your Org Root CA" -ExtractPath certs\npm
 ```
 **Use an existing PEM (Machine-level env; User-level cert vars are deleted):**
@@ -430,12 +432,14 @@ Users must start a **new terminal** for env changes to take effect.
 **Exit code:** 0 if all checks passed, 1 if any check failed.
+Use a substring from your CA subject as `` (find it with `openssl x509 -in -noout -subject`).
+
 ```powershell
 # After install: validate current user's env and cert path(s)
-.\validate_install_windows.ps1 -ExpectedSubject Zscaler
+.\validate_install_windows.ps1 -ExpectedSubject ""
 # Validate every user's config (run as Administrator)
-.\validate_install_windows.ps1 -ExpectedSubject Zscaler -AllUsers
+.\validate_install_windows.ps1 -ExpectedSubject "" -AllUsers
 ```
 ---
diff --git a/install_certs_debian_ubuntu.sh b/install_certs_debian_ubuntu.sh
index ab040e4..03c65d5 100644
--- a/install_certs_debian_ubuntu.sh
+++ b/install_certs_debian_ubuntu.sh
@@ -7,11 +7,11 @@
 # sudo bash install_certs_debian_ubuntu.sh --use-cert /path/to/cert.pem [--package npm|python|huggingface|all]
 #
 # Examples:
-# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/ZscalerRoot0.pem
-# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/ZscalerRoot0.pem --package npm
-# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/ZscalerRoot0.pem --package python
-# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/ZscalerRoot0.pem --package huggingface
-# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/ZscalerRoot0.pem --cert-name zscaler-root
+# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/company-ca.pem
+# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/company-ca.pem --package npm
+# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/company-ca.pem --package python
+# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/company-ca.pem --package huggingface
+# sudo bash install_certs_debian_ubuntu.sh --use-cert /tmp/company-ca.pem --cert-name my-org-ca
 #
 # What it does:
 # 1. Validates the provided PEM/CRT certificate
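Review bot: The rewritten examples in the header comment of install_certs_debian_ubuntu.sh still pass `--use-cert` a file under `/tmp` (`/tmp/company-ca.pem`), and the usage text in the `@@ -51,11 +51,11 @@` hunk repeats the same path. The script is run with sudo and the file it is given becomes a trusted root, so a world-writable directory is a poor location to model: another local account could place a file at that name before the operator does. I would show a root-owned path instead, e.g. `# sudo bash install_certs_debian_ubuntu.sh --use-cert /root/company-ca.pem`, and add one comment line telling the operator to compare `openssl x509 -in <cert.pem> -noout -fingerprint -sha256` against the fingerprint published by their IT team before installing. The header comment continues outside the hunk, so what step 1's validation covers is not visible here.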
@@ -51,11 +51,11 @@ Options:
 -h, --help Show this help
 Examples:
- sudo $0 --use-cert /tmp/ZscalerRoot0.pem
- sudo $0 --use-cert /tmp/ZscalerRoot0.pem --package npm
- sudo $0 --use-cert /tmp/ZscalerRoot0.pem --package python
- sudo $0 --use-cert /tmp/ZscalerRoot0.pem --package huggingface
- sudo $0 --use-cert /tmp/ZscalerRoot0.pem --cert-name zscaler-root
+ sudo $0 --use-cert /tmp/company-ca.pem
+ sudo $0 --use-cert /tmp/company-ca.pem --package npm
+ sudo $0 --use-cert /tmp/company-ca.pem --package python
+ sudo $0 --use-cert /tmp/company-ca.pem --package huggingface
+ sudo $0 --use-cert /tmp/company-ca.pem --cert-name my-org-ca
 EOF
 }
diff --git a/install_certs_macos.sh b/install_certs_macos.sh
index 4449e3e..6f1de3f 100755
--- a/install_certs_macos.sh
+++ b/install_certs_macos.sh
@@ -12,7 +12,7 @@
 # (writes ~//package-route.pem). The PEM is a single
 # export of BOTH macOS Keychains (SystemRootCertificates +
 # System) — includes Apple's system roots AND enterprise
-# CAs like Zscaler. Cannot be combined with --use-cert.
+# enterprise SSL inspection CAs. Cannot be combined with --use-cert.
 # --use-cert Path to an already-existing PEM cert file. Sets env vars
 # to point at this file; does not touch the Keychain.
 # Cannot be combined with --extract-path.
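Review bot: The added line in the `--extract-path` description of install_certs_macos.sh repeats a word. The context line above it already ends with "AND enterprise", so the comment now reads "AND enterprise enterprise SSL inspection CAs". Drop the leading word from the new line, keeping the existing column alignment: `# SSL inspection CAs. Cannot be combined with --use-cert.`. The option block continues outside the hunk.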
@@ -270,13 +270,13 @@ for homedir in /Users/*; do
 if [ -z "$USE_CERT" ]; then
 # Export ALL trusted root CAs from BOTH macOS Keychains into a single PEM file.
- # This includes Apple's system roots AND enterprise CAs (including Zscaler).
+ # This includes Apple's system roots AND enterprise CAs.
 #
 # Why the Keychains (NOT /etc/ssl/cert.pem):
 # - /etc/ssl/cert.pem is STATIC (only updated with macOS version upgrades)
 # - SystemRootCertificates.keychain is DYNAMICALLY updated by Apple trust
 # store updates, independent of macOS upgrades (~20-30 more CAs)
- # - System.keychain includes enterprise CAs deployed via MDM (e.g., Zscaler)
+ # - System.keychain includes enterprise CAs deployed via MDM
 security find-certificate -a -p \
 /System/Library/Keychains/SystemRootCertificates.keychain \
 /Library/Keychains/System.keychain \
diff --git a/install_certs_windows.ps1 b/install_certs_windows.ps1
index 000433d..12a7ec9 100644
--- a/install_certs_windows.ps1
+++ b/install_certs_windows.ps1
@@ -1,6 +1,6 @@
 # (c) JFrog Ltd. (2026)
 # Auto-Extract certificate from Windows store (or use existing PEM) and configure Node/npm and/or Python for Windows
-# Run: powershell -ExecutionPolicy Bypass -File install_certs_windows.ps1 -Package all -CertName Zscaler -ExtractPath Zscaler\npm
+# Run: powershell -ExecutionPolicy Bypass -File install_certs_windows.ps1 -Package all -CertName "Your Org Root CA" -ExtractPath certs\npm
 # Or: powershell -ExecutionPolicy Bypass -File install_certs_windows.ps1 -Package all -UseCert C:\path\to\ca.pem
 #
 # Parameters:
diff --git a/testing/test_install_certs_windows.ps1 b/testing/test_install_certs_windows.ps1
index 4d77c70..56aeb01 100644
--- a/testing/test_install_certs_windows.ps1
+++ b/testing/test_install_certs_windows.ps1
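Review bot: The comment kept above `security find-certificate -a -p` in install_certs_macos.sh says the export holds "ALL trusted root CAs", but `-a -p` prints every certificate stored in the two keychains as PEM and does not consult trust settings. Entries in System.keychain that are not CAs, have expired, or have been explicitly distrusted would therefore end up in the bundle as well. Since this commit already rewords the comment, I would make it accurate, e.g. `# Export every certificate from BOTH macOS Keychains (not filtered by trust settings) into a single PEM file.`, or filter the output before it is written. The command continues past the last visible line and the code that consumes the bundle is outside the hunk, so the effect on the tools reading it is inferred.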
@@ -357,7 +357,7 @@ jXKK5iDphL7LcKir6SLHxmyU339SrjNtTpiSBTU=
 # Subject mismatch
 $Run++
- $r3 = Invoke-ValidateWithEnvPath -Path $CertPath -ExpectedSubject "Zscaler"
+ $r3 = Invoke-ValidateWithEnvPath -Path $CertPath -ExpectedSubject "wrong-subject"
 if ($r3.ExitCode -eq 1) { Write-Host " OK ($Run): exit 1"; $script:Pass++ } else { Write-Host " FAIL ($Run): expected exit 1, got $($r3.ExitCode)"; $script:Fail++ }
 $Run++
 if (($r3.Stdout + " " + $r3.Stderr) -match "no cert|matching|FAIL|subject|Result:.*failed") { Write-Host " OK ($Run): output matches"; $script:Pass++ } else { Write-Host " FAIL ($Run): output did not match"; $script:Fail++ }
diff --git a/validate_certs_debian_ubuntu.sh b/validate_certs_debian_ubuntu.sh
index 1d46679..b7ca8b7 100644
--- a/validate_certs_debian_ubuntu.sh
+++ b/validate_certs_debian_ubuntu.sh
@@ -5,8 +5,8 @@
 # Also checks /etc/profile.d/package-route-certs.sh when present.
 #
 # Run:
-# bash validate_certs_debian_ubuntu.sh --expected-subject "O=Zscaler"
-# sudo bash validate_certs_debian_ubuntu.sh --all-users --expected-subject "O=Zscaler"
+# bash validate_certs_debian_ubuntu.sh --expected-subject "O=Example"
+# sudo bash validate_certs_debian_ubuntu.sh --all-users --expected-subject "O=Example"
 #
 # Exit 0 = all checks passed.
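Review bot: In testing/test_install_certs_windows.ps1 the new mismatch value `"wrong-subject"` contains the word "subject", which is one of the alternatives in the case-insensitive `-match "no cert|matching|FAIL|subject|Result:.*failed"` check two lines below. If the validator echoes the expected subject anywhere in stdout or stderr, the output assertion passes on that echo alone, even when no failure message is printed. A value that shares no token with the pattern keeps the assertion meaningful, e.g. `-ExpectedSubject "no-such-ca-0000"`. The enclosing test block starts and ends outside the hunk.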