enhance: Remove trusted root authority certificate pre-requisite (vmw…

…are-samples#223) Removes the default requirement for a trusted root authority certificate to be imported and trusted by each machine image build. This will allow project users to get started more quickly without a pre-requisite. vmware-samples#222 Signed-off-by: Ryan Johnson <[email protected]>
robertzakrocki · Jul 17, 2022 · 56bca20 · 56bca20
1 parent 1ac878e
commit 56bca20
Show file tree

Hide file tree

Showing 13 changed files with 24 additions and 139 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,11 +5,13 @@
 > Release Date: Unreleased
 
 💫 **Enhancement**:
+
 * Adds Red Hat Enterprise Linux 9.
 * Adds CentOS 9 Stream.
 * Adds Rocky Linux 9.
 * Adds AlmaLinux OS 9.
 * Adds options for setting the number of video displays and the size for the video memory for both Windows 11 and 10, which is useful for virtual desktop use cases (_e.g._, Horizon). The ability to set the number of displays was added in `v1.0.6` of `packer-plugin-vsphere`.
+* Removes the default requirement for a trusted root authority certificate to be imported and trusted by each machine image build. This will allow project users to get started more quickly without a pre-requisite.
 
 🧹 **Chore**:
 

diff --git a/README.md b/README.md
@@ -349,8 +349,6 @@ The directory structure of the repository.
 │ │ └── <role>
 │ │ ├── defaults
 │ │ │ └── main.yml
-│ │ ├── files
-│ │ │ └── root-ca.cer.example
 │ │ ├── handlers
 │ │ │ └── main.yml
 │ │ ├── meta
@@ -383,8 +381,6 @@ The directory structure of the repository.
 │ ├── *.auto.pkrvars.hcl
 │ └── data
 │ └── autounattend.pkrtpl.hcl
-├── certificates
-│ └── root-ca.cer.example
 ├── manifests
 ├── scripts
 │ └── windows
@@ -399,7 +395,6 @@ The files are distributed in the following directories.
 * **`ansible`** - contains the Ansible roles to prepare a Linux machine image build.
 * **`builds`** - contains the templates, variables, and configuration files for the machine image build.
 * **`scripts`** - contains the scripts to initialize and prepare a Windows machine image build.
-* **`certificates`** - contains the Trusted Root Authority certificates for a Windows machine image build.
 * **`manifests`** - manifests created after the completion of the machine image build.
 * **`terraform`** - contains example Terraform plans to test machine image builds.
 
@@ -849,24 +844,13 @@ Need help customizing the configuration files?
 
  ```console
  sudo apt-get install system-config-kickstart
- ssh -X rainpole@ubuntu-desktop
+ ssh -X rainpole@ubuntu
  sudo system-config-kickstart
  ```
 
 * **Red Hat Enterprise Linux** (_as well as CentOS Linux/Stream, AlmaLinux OS, and Rocky Linux_) - Use the [Red Hat Kickstart Generator][redhat-kickstart].
 * **Microsoft Windows** - Use the Microsoft Windows [Answer File Generator][microsoft-windows-afg] if you need to customize the provided examples further.
 
-### Step 6 - Add Certificates
-
-Save a copy of your PEM encoded Root Certificate Authority certificate to the following in `.cer` format.
-
-* `/ansible/roles/base/files` for Linux machine images.
-* `/certificates` for Windows machine images.
-
-These files are copied to the guest operating systems and added the certificate to the Trusted Certificate Authority of the guest operating system.
-
-Linux distributions uses the Ansible provisioner, but Windows still uses the shell provisioner at this time.
-
 ## Build
 
 ### Build with Variables Files

diff --git a/ansible/roles/base/files/root-ca.cer.example b/ansible/roles/base/files/root-ca.cer.example
diff --git a/ansible/roles/base/handlers/main.yml b/ansible/roles/base/handlers/main.yml
diff --git a/ansible/roles/base/tasks/photon.yml b/ansible/roles/base/tasks/photon.yml
@@ -19,11 +19,3 @@
  jq \
  parted \
  openssl-c_rehash
-- name: "Importing certificate authortiy certificates."
- copy:
- dest: /etc/ssl/certs/root-ca.pem
- group: root
- mode: 420
- owner: root
- src: root-ca.cer
- notify: "VMware Photon OS - Updating the certificate authority trust."
diff --git a/ansible/roles/base/tasks/redhat.yml b/ansible/roles/base/tasks/redhat.yml
@@ -38,11 +38,3 @@
  - unzip
  - ca-certificates
  state: latest # noqa package-latest
-- name: "Importing certificate authority certificates."
- copy:
- dest: /etc/pki/ca-trust/source/anchors/root-ca.cer
- group: root
- mode: 420
- owner: root
- src: root-ca.cer
- notify: "RedHat - Updating the certificate authority trust."
diff --git a/ansible/roles/base/tasks/ubuntu.yml b/ansible/roles/base/tasks/ubuntu.yml
@@ -16,11 +16,3 @@
  - unzip
  - ca-certificates
  state: latest # noqa package-latest
-- name: "Importing certificate authority certificates."
- copy:
- dest: /usr/local/share/ca-certificates/
- group: root
- mode: 420
- owner: root
- src: root-ca.cer
- notify: "Ubuntu - Updating the certificate authority trust."
diff --git a/builds/windows/desktop/10/windows.pkr.hcl b/builds/windows/desktop/10/windows.pkr.hcl
@@ -80,8 +80,7 @@ source "vsphere-iso" "windows-desktop" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -136,11 +135,6 @@ build {
  "source.vsphere-iso.windows-desktop",
  ]
 
- provisioner "file" {
- source = "${path.cwd}/certificates/root-ca.cer"
- destination = "C:\\windows\\temp\\root-ca.cer"
- }
-
  provisioner "powershell" {
  environment_vars = [
  "BUILD_USERNAME=${var.build_username}"

diff --git a/builds/windows/desktop/11/windows.pkr.hcl b/builds/windows/desktop/11/windows.pkr.hcl
@@ -81,8 +81,7 @@ source "vsphere-iso" "windows-desktop" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -138,11 +137,6 @@ build {
  "source.vsphere-iso.windows-desktop",
  ]
 
- provisioner "file" {
- source = "${path.cwd}/certificates/root-ca.cer"
- destination = "C:\\windows\\temp\\root-ca.cer"
- }
-
  provisioner "powershell" {
  environment_vars = [
  "BUILD_USERNAME=${var.build_username}"

diff --git a/builds/windows/server/2019/windows-server.pkr.hcl b/builds/windows/server/2019/windows-server.pkr.hcl
@@ -78,8 +78,7 @@ source "vsphere-iso" "windows-server-standard-core" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -169,8 +168,7 @@ source "vsphere-iso" "windows-server-standard-dexp" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -260,8 +258,7 @@ source "vsphere-iso" "windows-server-datacenter-core" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -353,8 +350,7 @@ source "vsphere-iso" "windows-server-datacenter-dexp" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -412,11 +408,6 @@ build {
  "source.vsphere-iso.windows-server-datacenter-dexp"
  ]
 
- provisioner "file" {
- source = "${path.cwd}/certificates/root-ca.cer"
- destination = "C:\\windows\\temp\\root-ca.cer"
- }
-
  provisioner "powershell" {
  environment_vars = [
  "BUILD_USERNAME=${var.build_username}"

diff --git a/builds/windows/server/2022/windows-server.pkr.hcl b/builds/windows/server/2022/windows-server.pkr.hcl
@@ -78,8 +78,7 @@ source "vsphere-iso" "windows-server-standard-core" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -169,8 +168,7 @@ source "vsphere-iso" "windows-server-standard-dexp" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -260,8 +258,7 @@ source "vsphere-iso" "windows-server-datacenter-core" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -353,8 +350,7 @@ source "vsphere-iso" "windows-server-datacenter-dexp" {
  iso_paths = ["[${var.common_iso_datastore}] ${var.iso_path}/${var.iso_file}", "[] /vmimages/tools-isoimages/${var.vm_guest_os_family}.iso"]
  iso_checksum = "${var.iso_checksum_type}:${var.iso_checksum_value}"
  cd_files = [
- "${path.cwd}/scripts/${var.vm_guest_os_family}/",
- "${path.cwd}/certificates/"
+ "${path.cwd}/scripts/${var.vm_guest_os_family}/"
  ]
  cd_content = {
  "autounattend.xml" = templatefile("${abspath(path.root)}/data/autounattend.pkrtpl.hcl", {
@@ -412,11 +408,6 @@ build {
  "source.vsphere-iso.windows-server-datacenter-dexp"
  ]
 
- provisioner "file" {
- source = "${path.cwd}/certificates/root-ca.cer"
- destination = "C:\\windows\\temp\\root-ca.cer"
- }
-
  provisioner "powershell" {
  environment_vars = [
  "BUILD_USERNAME=${var.build_username}"

diff --git a/certificates/root-ca.cer.example b/certificates/root-ca.cer.example
diff --git a/scripts/windows/windows-prepare.ps1 b/scripts/windows/windows-prepare.ps1
@@ -14,15 +14,17 @@ param(
 
 $ErrorActionPreference = "Stop"
 
-# Import the Root CA certificate to the Trusted Root Certification Authorities.
-Write-Output "Importing the Root CA certificate to the Trusted Root Certification Authorities..."
-Import-Certificate -FilePath C:\windows\temp\root-ca.cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
-Remove-Item C:\windows\temp\root-ca.cer -Confirm:$false
+# Optional: Import the Root CA certificate to the Trusted Root Certification Authorities.
+# This option will require the use of a file provisioner to copy the certificate to the guest.
+# Write-Output "Importing the Root CA certificate to the Trusted Root Certification Authorities..."
+# Import-Certificate -FilePath C:\windows\temp\root-ca.cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
+# Remove-Item C:\windows\temp\root-ca.cer -Confirm:$false
 
-# Import the Issuing CA certificate to the Trusted Root Certification Authoriries.
-### Write-Output "Importing the Issuing CA certificate to the Trusted Root Certification Authoriries..."
-### Import-Certificate -FilePath C:\windows\temp\issuing-ca.cer -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
-### Remove-Item C:\windows\temp\issuing-ca.cer -Confirm:$false
+# Optional: Import the Issuing CA certificate to the Trusted Root Certification Authoriries.
+# This option will require the use of a file provisioner to copy the certificate to the guest.
+# Write-Output "Importing the Issuing CA certificate to the Trusted Root Certification Authoriries..."
+# Import-Certificate -FilePath C:\windows\temp\issuing-ca.cer -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
+# Remove-Item C:\windows\temp\issuing-ca.cer -Confirm:$false
 
 # Set the Windows Explorer options.
 Write-Output "Setting the Windows Explorer options..."
@@ -65,4 +67,4 @@ Set-LocalUser $BUILD_USERNAME -PasswordNeverExpires $true
 Write-Output "Enabling Remote Desktop..."
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0 | Out-Null
 Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0
-Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
+Enable-NetFirewallRule -DisplayGroup "Remote Desktop"