v0.9.5 of the FOG client is about to be released. With it comes one very important change: FOG Project is now a certificate authority. When you install or update to v0.9.5, our public certificate will automatically be added to the machine and trusted.
The client needs to be signed in order to ensure security and allow for it to be imaged. If the client is unsigned, Windows will produce multiple warnings on every machine it is imaged onto. Signing also allows you to ensure that the client has not been tampered with and is produced by us. Signing certificates cost a significant amount of money each year. While there are occasional ‘offers’ that reduce the price for open source projects, they are known to go away without notice or to change their terms.
In the long run, we cannot hope each year that a CA will give us a signing certificate. Instead, we have decided to become our own CA. This costs us nothing and is much easier than applying for ‘offers’ every year.
What does this mean for me?
In order for a computer to trust the FOG Project CA, it has to have our public certificate added. This means the computer will trust any SSL certificates we produce, and any code that we sign. By having the new version of the client running, your computer will automatically have this certificate installed. On uninstallation of the client, our certificate is automatically removed. There are no security risks, besides the understanding that a computer will trust our self-signed certificates.
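To see what this trust looks like on a given machine, the following PowerShell audit (an added example, not part of the FOG client or project code) lists matching certificates in the machine-wide trusted root store. The subject pattern is a placeholder and the store path is an assumption, since the announcement names neither.

```powershell
# Added example: audit the machine-wide trusted root store for one CA.
# $SubjectPattern is a placeholder: replace it with the subject shown on the
# certificate your FOG client installed (the announcement does not state it).
# $StorePath is an assumption about where the client places the certificate.
param(
    [string]$SubjectPattern = '*<FOG-CA-SUBJECT-PLACEHOLDER>*',
    [string]$StorePath      = 'Cert:\LocalMachine\Root'
)

function Get-TrustedRootAudit {
    param([string]$Pattern, [string]$Path)

    Get-ChildItem -Path $Path |
        Where-Object { $_.Subject -like $Pattern } |
        ForEach-Object {
            # Collect the enhanced key usages listed for the certificate.
            # When none are listed, no usage restriction is shown for it.
            $eku = @($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName })
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Usages     = if ($eku.Count) { $eku -join ', ' } else { 'no restriction listed' }
            }
        }
}

$found = @(Get-TrustedRootAudit -Pattern $SubjectPattern -Path $StorePath)
if ($found.Count -eq 0) {
    Write-Output "No root certificate matching '$SubjectPattern' in $StorePath"
} else {
    $found | Format-List
}
```

Running it before installation, after installation, and again after uninstalling the client shows whether the certificate is added and removed as described, and recording the thumbprint lets you spot an unexpected certificate with the same subject.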