http://bugs.winehq.org/show_bug.cgi?id=17296
--- Comment #51 from Juan Lang juan_lang@yahoo.com 2009-11-06 10:47:24 ---
(In reply to comment #50)
> What I DID do:
> - VMware stores the certificate and key in C:\Documents and Settings\All Users\Application Data\VMware\VMWare Server\SSL\rui.[crt|key] on the server.
> - I moved both of those files to my Linux client.
> - run the following 2 commands:
>     cat rui.crt > VMware-SelfSigned.pem
>     cat rui.key >> VMware-SelfSigned.pem
> - As root, copy VMware-SelfSigned.pem to system local key store (on openSUSE, it is /etc/ssl/certs, can't speak for any others)
You shouldn't need the key on the client. Also, by copying it to the /etc/ssl/certs directory, you don't need to apply the patch to use the Trust store: the Root store is mapped to /etc/ssl/certs, and the chain verification code already trusts those.
> After this, when starting the vpxClient.exe, I am presented with the same certificate warning I received in Windows - untrusted SSL certificate - (I danced a jig at this point). At this point, I can view the certificate and install it or choose to ignore the warning and continue. When I continue, I am getting a communications error.
What's the console output at this point? I don't need any particular debug flags yet, I'm curious what output, if any, there is. If there isn't anything "interesting", perhaps another +crypt,+chain log would be in order.
> On a side note, I read on several forums that VMware uses pkcs12 rather than rsa for their keys. Perhaps there is a more reliable way to generate the .pem than my method? (i.e. my concatenation might just be the cause of my second problem).
That statement doesn't make sense to me. pkcs12 is a data format (which Wine doesn't implement, see bug 11070), RSA is a cipher. In any case, the .crt file is most likely either in DER format or it's base64 encoded DER. At least, that's what the extension implies. If it's the former, it'll be binary, and if it's the latter, it'll be legible. A quick glance at it with your favorite editor will tell you. Either way, pkcs12 vs. rsa is a red herring, I believe.
If you omit concatenating the key, and the .crt works as before, and the .crt file is base64 encoded, it's already in .pem format, or near enough to it.
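Added example, not part of the original comment or of Wine's code: a Python sketch of the check described above. It tells binary DER from base64 (PEM) by inspecting the bytes, and builds a client-side trust file that holds only the certificate, leaving the private key out. The function names and the sample bytes are constructed for illustration; the sample is not a real certificate.

```python
import re
import ssl

CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def classify(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the contents of a .crt file."""
    if CERT_RE.search(data):
        return "pem"
    # A DER certificate is an ASN.1 SEQUENCE: tag 0x30, then a length.
    # Certificates exceed 127 bytes, so the length is long-form (0x81-0x84).
    if len(data) > 2 and data[0] == 0x30 and data[1] in (0x81, 0x82, 0x83, 0x84):
        return "der"
    return "unknown"


def client_trust_pem(data: bytes):
    """Return (PEM text holding only certificates, whether a key was dropped)."""
    kind = classify(data)
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data), False
    if kind == "pem":
        certs = [m.group(0).decode("ascii") for m in CERT_RE.finditer(data)]
        return "\n".join(certs) + "\n", bool(KEY_RE.search(data))
    raise ValueError("not a DER or PEM certificate")


# Constructed sample: placeholder bytes shaped like DER, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
# Constructed stand-in for the rui.crt + rui.key concatenation from comment #50.
SAMPLE_CONCAT = SAMPLE_PEM + (b"-----BEGIN RSA PRIVATE KEY-----\n"
                              b"Q09OU1RSVUNURUQ=\n"
                              b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("pem", SAMPLE_PEM),
                       ("crt+key", SAMPLE_CONCAT)]:
        pem, dropped = client_trust_pem(blob)
        print(name, "->", classify(blob), "| private key dropped:", dropped)
```
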