Red Hat operates its own public key infrastructure (PKI), called the entitlement PKI. It is used to secure HTTPS services related to software updates and customer support. This PKI is completely separate from the regular browser PKI. As a result, visiting URLs such as https://cdn.redhat.com/ in web browsers will show a security warning that the site is “untrusted”. The exact warning message will vary among browsers and browser versions, but the implication that the site is somehow insecure is incorrect, as explained below.
Why a separate certificate authority?
The browser PKI is very large. Most certificate authorities (CAs) in the browser PKI can issue certificates for any domain, without further checks.
As one data point, Mozilla publishes the raw data and background information related to included certificate authorities. As of March 2015, this list contains 176 root certificate authorities recognized by the Firefox web browser and related Mozilla software. Many of these certificate authorities have sub-CAs, or trust external registration authorities (RAs) to which they have delegated verification of subscriber identity (if applicable) and domain name validation. This means that several hundred organizations around the globe are able to issue their own certificates which are accepted by Mozilla browsers (and most other web browsers).
If cdn.redhat.com used the browser PKI, hundreds of organizations would in effect be able to pose as the Red Hat software distribution infrastructure. Although there is no documented case that this capability has been abused to target Red Hat, not using the browser PKI completely eliminates that risk.
In addition, the browser PKI was designed to secure credit card transactions and support electronic commerce. Browser PKI policies do not always fit what Red Hat and its customers need for software distribution and support.
In short, using the separate entitlement PKI increases security.
Are other domains affected?
Yes, other subdomains under redhat.com also use certificates in the entitlement PKI. Red Hat does not publish a complete list because the list can change with future software updates.
What about client certificates?
Red Hat Subscription Management automatically issues and re-issues client certificates under the entitlement PKI, called entitlement certificates. These are used internally by subscription-manager and customer support tools to authenticate the system to Red Hat services.
What is the impact of the separate PKI?
During regular operation, the separate PKI is completely transparent. System administrators will likely not be aware that tools like yum use HTTPS connections authenticated by a non-browser PKI.
However, on networks which intercept TLS, decrypt TLS traffic, and re-encrypt it, for policy compliance or other reasons, yum and other tools may not be able to connect to Red Hat services, and software updates cannot be applied. This is because the HTTPS encryption is designed to catch such interception attempts. yum treats them as man-in-the-middle attacks and will not transfer any data.
Red Hat recommends excluding redhat.com servers from TLS interception if they use the entitlement PKI. These services have only been tested with Red-Hat-provided clients. TLS interception causes the interception device to act as a TLS client (due to the decryption and re-encryption of network traffic). This configuration is untested by Red Hat and not supported.
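Why a client that trusts only a private CA stops working behind TLS interception can be reproduced offline with OpenSSL. The script below is an added example, not Red Hat's code: both CAs, the host name cdn.example.test and the helper functions are constructed stand-ins, and it assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Constructed demo: every CA, key and host name here is generated locally as a
# stand-in. Nothing below is Red Hat's real entitlement CA or a real proxy.

# make_pki DIR: create a stand-in private CA, a stand-in interception CA, and
# one server key whose certificate is issued once by each CA.
make_pki() {
    d=$1
    for ca in entitlement interception; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Constructed/CN=Demo $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cdn.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # genuine.pem: what the service itself presents.
    # resigned.pem: what a client sees once an intercepting device has
    # decrypted the session and re-encrypted it under its own CA.
    openssl x509 -req -in "$d/server.csr" -days 1 -set_serial 1 \
        -CA "$d/entitlement-ca.pem" -CAkey "$d/entitlement-ca.key" \
        -out "$d/genuine.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 -set_serial 1 \
        -CA "$d/interception-ca.pem" -CAkey "$d/interception-ca.key" \
        -out "$d/resigned.pem" 2>/dev/null
}

# chains_to ANCHOR CERT: succeed only if CERT verifies against ANCHOR.
# -no-CApath keeps the system trust directory out of the decision.
chains_to() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict ANCHOR CERT: print how a client that trusts only ANCHOR treats CERT.
verdict() {
    if chains_to "$1" "$2"; then echo accepted; else echo rejected; fi
}

demo=$(mktemp -d)
make_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
echo "private-CA client, genuine cert:    $(verdict "$demo/entitlement-ca.pem" "$demo/genuine.pem")"
echo "private-CA client, re-signed cert:  $(verdict "$demo/entitlement-ca.pem" "$demo/resigned.pem")"
echo "interception-CA client, re-signed:  $(verdict "$demo/interception-ca.pem" "$demo/resigned.pem")"
rm -rf "$demo"
```

The middle case is the one the text describes: the re-signed certificate does not chain to the private CA, so a client that trusts only that CA refuses the connection.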