Hello, may a local certificate store be used to avoid the certificate prompt?

I exported the remote desktop certificate from Microsoft Windows Server 2008:

    mmc -> file -> add snap-in -> certificates -> add -> computer account -> finish -> certificates -> remote desktop -> certificates -> SERVER -> open -> details -> copy to file -> CA.cer

I converted the certificate to pem and created a hash file for it:

    openssl x509 -inform DER -in CA.cer -out CA.pem
    ln -s CA.pem $(openssl x509 -hash -noout -in CA.pem).0 ~/.config/freerdp/certs

Then I tried to connect and still see the certificate prompt:

    $ xfreerdp /u:USER /p:PASS /v:SERVER
    [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Certificate details:
    [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Subject: CN = SERVER
    [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Issuer: CN = SERVER
    [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Thumbprint: c9:1b:cf:6c:af:23:67:51:15:0d:27:ab:6b:62:9f:fe:ea:0d:5a:ee
    [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
    [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Do you trust the above certificate? (Y/N)

But the certificate is seen by OpenSSL correctly as per strace:

    [pid 5220] stat("/etc/pki/tls/certs/31605bb4.0", 0x7f5b546370b0) = -1 ENOENT (No such file or directory)
    [pid 5220] stat("/home/oholy/.config/freerdp/certs/31605bb4.0", {st_mode=S_IFREG|0644, st_size=1058, ...}) = 0
    [pid 5220] open("/home/oholy/.config/freerdp/certs/31605bb4.0", O_RDONLY) = 14
    [pid 5220] stat("/home/oholy/.config/freerdp/certs/31605bb4.1", 0x7f5b546370b0) = -1 ENOENT (No such file or directory)

Subject == Issuer, so I thought that the following should work, but it doesn't:

    $ openssl verify -CAfile CA.pem CA.pem
    CA.pem: CN = SERVER
    error 20 at 0 depth lookup:unable to get local issuer certificate

So I suppose this is not a bug in FreeRDP, but I have to generate the cert another way, or import the root cert into the system somehow probably... am I right? Can you help me with it? Is there any documentation regarding the local certificate store?

Thanks in advance!

--
Regards
Ondrej

_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel
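
Added example (not part of the original message, and not FreeRDP code): a shell check that walks a hashed certificate directory in the same <hash>.0, <hash>.1 order the strace output above shows, and reports whether the entry found is the very certificate the server presents. It assumes a self-issued server certificate (Subject == Issuer, as in the post); the function names fp and store_lookup are hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. store_lookup and fp are
# hypothetical helper names; only standard "openssl x509" options are used.

# fp FILE -> SHA-1 fingerprint in the lower-case colon form that FreeRDP
# prints as "Thumbprint".
fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr 'A-F' 'a-f'
}

# store_lookup CERT DIR
# CERT is the certificate the server presents (PEM), DIR the hashed store.
# Prints one of:
#   match <file>      an entry for the issuer name is this same certificate
#   other <file>      entries exist for that name, but none is this certificate
#                     (for example the server now presents a different cert
#                     under the same name)
#   missing <hash>.0  no entry for the issuer name at all
store_lookup() {
    cert=$1
    dir=$2
    # OpenSSL searches the directory by the hash of the issuer name.
    hash=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
    want=$(fp "$cert")
    n=0
    found=
    # Same walk as in the strace: .0, .1, ... until a file does not exist.
    while [ -e "$dir/$hash.$n" ]; do
        found="$dir/$hash.$n"
        if [ "$(fp "$found")" = "$want" ]; then
            echo "match $found"
            return 0
        fi
        n=$((n + 1))
    done
    if [ -n "$found" ]; then
        echo "other $found"
    else
        echo "missing $hash.0"
    fi
    return 1
}

# Usage: sh check-store.sh CA.pem ~/.config/freerdp/certs
if [ "$#" -eq 2 ]; then
    store_lookup "$1" "$2"
fi
```

A "match" result means the directory lookup itself is working and the remaining failure lies in verification of the certificate, not in how the store was populated.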