[Bug 17296] VMware Infrastructure Client 2.5 could not validate server's SSL certificate

wine-bugs at winehq.org
Fri Nov 6 10:47:25 CST 2009


http://bugs.winehq.org/show_bug.cgi?id=17296

--- Comment #51 from Juan Lang <juan_lang at yahoo.com>  2009-11-06 10:47:24 ---
(In reply to comment #50)
> What I DID do:
>   - VMware stores the certificate and key in C:\Documents and Settings\All
> Users\Application Data\VMware\VMWare Server\SSL\rui.[crt|key] on the server.
>   - I moved both of those files to my Linux client.
>   - run the following 2 commands:
>     cat rui.crt > VMware-SelfSigned.pem
>     cat rui.key >> VMware-SelfSigned.pem
>   - As root, copy VMware-SelfSigned.pem to system local key store (on openSUSE,
> it is /etc/ssl/certs, can't speak for any others)

You shouldn't need the key on the client.  Also, by copying it to the
/etc/ssl/certs directory, you don't need to apply the patch to use the Trust
store:  the Root store is mapped to /etc/ssl/certs, and the chain verification
code already trusts those.

> After this, when starting the vpxClient.exe, I am presented with the same
> certificate warning I received in Windows - untrusted SSL certificate - (I
> danced a jig at this point).  At this point, I can view the certificate and
> install it or choose to ignore the warning and continue.  When I continue, I am
> getting a communications error. 

What's the console output at this point?  I don't need any particular debug
flags yet, I'm curious what output, if any, there is.  If there isn't anything
"interesting", perhaps another +crypt,+chain log would be in order.

> On a side note, I read on several forums that VMware uses pkcs12 rather than
> rsa for their keys.  Perhaps there is a more reliable way to generate the .pem
> than my method? (i.e. my concatenation might just be the cause of my second
> problem).

That statement doesn't make sense to me.  pkcs12 is a data format (which Wine
doesn't implement, see bug 11070), RSA is a cipher.  In any case, the .crt file
is most likely either in DER format or it's base64 encoded DER.  At least,
that's what the extension implies.  If it's the former, it'll be binary, and if
it's the latter, it'll be legible.  A quick glance at it with your favorite
editor will tell you.  Either way, pkcs12 vs. rsa is a red herring, I believe.

If you omit concatenating the key, and the .crt works as before, and the .crt
file is base64 encoded, it's already in .pem format, or near enough to it.

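Added example, not part of the original comment or of Wine's code: a Python check for the two points made in the reply above, telling a raw DER .crt from a base64-encoded DER (PEM) one, and flagging a private key block in a concatenated bundle before it is copied to /etc/ssl/certs. The function names and the sample bytes are assumptions constructed for illustration; the samples are not real VMware files.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def der_sequence_ok(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE (tag 0x30) whose length fits."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:                       # short form: one length byte
        header, length = 2, blob[1]
    else:                                    # long form: n following length bytes
        n = blob[1] & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)

def b64_der_ok(body: bytes) -> bool:
    """True if a PEM body base64-decodes to one well-formed DER SEQUENCE."""
    try:
        return der_sequence_ok(base64.b64decode(body))
    except binascii.Error:
        return False

def classify(data: bytes) -> dict:
    """Report the encoding, the PEM block labels, and whether a key is included."""
    blocks = PEM_BLOCK.findall(data)
    labels = [label.decode() for label, _ in blocks]
    if blocks:
        encoding, ok = "PEM", all(b64_der_ok(body) for _, body in blocks)
    elif der_sequence_ok(data):
        encoding, ok = "DER", True
    else:
        encoding, ok = "unknown", False
    return {"encoding": encoding, "labels": labels, "der_ok": ok,
            "has_private_key": any("PRIVATE KEY" in l for l in labels)}

def to_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor (used here only to build the samples)."""
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + tag + b"-----\n")

# Constructed placeholders: well-formed DER SEQUENCEs, not real VMware files.
CERT_DER = b"\x30\x82\x01\x00" + bytes(256)
KEY_DER = b"\x30\x03\x02\x01\x00"
BUNDLE = to_pem("CERTIFICATE", CERT_DER) + to_pem("RSA PRIVATE KEY", KEY_DER)
```

A result with has_private_key set to True means the file carries key material and only the certificate block belongs in the trust directory.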


