3.2. The RHN SSL Maintenance Tool
The RHN SSL Maintenance Tool is invoked through the command rhn-ssl-tool. This tool is available as part of the rhns-certs-tools package, which can be found within the software channels for the latest RHN Proxy Server and RHN Satellite Server (as well as on the RHN Satellite Server ISO). The RHN SSL Maintenance Tool enables you to generate your own Certificate Authority (CA) SSL key pair, as well as Web server SSL key sets (sometimes called key pairs) signed by that CA.
The rhns-certs-tools package, which contains rhn-ssl-tool, can be installed and run on any current Red Hat Enterprise Linux system with minimal requirements. This is offered as a convenience for administrators who wish to manage their SSL infrastructure from a workstation or another system other than their RHN Server(s).
You need to use the tool in the following situations:
- When updating your CA public certificate. This is rare.
- When installing an RHN Proxy Server version 3.6 or later that connects to the central RHN Servers as its top-level service. For security reasons, the hosted service cannot be a repository for your CA SSL key and certificate, which are private to your organization.
- When reconfiguring your RHN infrastructure to use SSL where it previously did not.
- When adding RHN Proxy Servers of versions prior to 3.6 to your RHN infrastructure.
- When adding multiple RHN Satellite Servers to your RHN infrastructure. Consult a Red Hat representative for instructions regarding this.
You do not need to use the tool in the following situations:
- During installation of an RHN Satellite Server. All SSL settings are configured during the installation process; the SSL keys and certificates are built and deployed automatically.
- During installation of an RHN Proxy Server version 3.6 or later that connects to an RHN Satellite Server version 3.6 or later as its top-level service. The RHN Satellite Server contains all of the SSL information needed to configure, build, and deploy the RHN Proxy Server's SSL keys and certificates.
Whichever way the keys and certificates are generated, the CA SSL public certificate is placed in the /pub directory of each server. This public certificate is used by the client systems to connect to the RHN Server. Refer to Section 3.3, “Deploying the CA SSL Public Certificate to Clients” for more information.
3.2.1. SSL Generation Explained
The RHN SSL Maintenance Tool can be run on any system with the rhns-certs-tools package installed. Its portability comes from the build tree it produces: a single directory structure that can be stored anywhere for safekeeping and then installed wherever the need arises.
To manage SSL from the RHN Satellite Server itself instead, restore the ssl-build tree from an archive to the /root directory and use the configuration tools provided within the RHN Satellite Server's website.
The recommended process for generating and deploying SSL keys and certificates is:
1. Install the rhns-certs-tools package on a system within your organization, perhaps but not necessarily the RHN Satellite Server or RHN Proxy Server.
2. Create a single Certificate Authority SSL key pair for your organization and install the resulting RPM or public certificate on all client systems.
3. Create a Web server SSL key set for each of the Proxies and Satellites to be deployed and install the resulting RPMs on the RHN Servers, restarting the httpd service on each:
   /sbin/service httpd restart
4. Archive the SSL build tree, consisting of the primary build directory and all subdirectories and files, to removable media, such as a floppy disk. (Disk space requirements are insignificant.)
5. Verify the archive and then store it in a safe location, such as the one described for backups in the Additional Requirements section of either the Proxy or Satellite installation guide.
6. Record and secure the CA password for future use.
7. Delete the build tree from the build system for security purposes, since it contains your organization's CA private key, but only once the entire RHN infrastructure is in place and configured.
8. When additional Web server SSL key sets are needed, restore the build tree on a system running the RHN SSL Maintenance Tool and repeat steps 3 through 7.
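The process above as a script, added here as an example; it is not part of the RHN manual or of the rhns-certs-tools package. The rhn-ssl-tool flags (--gen-ca, --gen-server, --dir, --password, --set-*) are the tool's documented options, and RHN-ORG-PRIVATE-SSL-KEY is the CA private key file the tool writes into its build tree. Everything else is an assumption: the organization values, the hostnames proxy1.example.com and satellite.example.com, the RHN_CA_PASSWORD variable, and the /media/removable archive path are placeholders, and the archive, verify, and purge steps use plain tar and sha256sum (falling back to shasum) so they run on any host.

```shell
#!/usr/bin/env bash
# Added example, not the manual's own code. Steps 2-7 of the recommended
# process: generate CA and server key sets with rhn-ssl-tool, archive the
# build tree, verify the archive, then purge the tree from the build host.
# Organization values, hostnames, paths and RHN_CA_PASSWORD are placeholders.
set -eu

BUILD_DIR="${BUILD_DIR:-ssl-build}"   # rhn-ssl-tool's default --dir

# Step 2: one CA key pair for the organization (run once). rhn-ssl-tool writes
# RHN-ORG-PRIVATE-SSL-KEY, RHN-ORG-TRUSTED-SSL-CERT and the CA certificate RPM
# for clients into $BUILD_DIR. If RHN_CA_PASSWORD is unset the --password flag
# is omitted and the tool prompts, keeping the CA password out of `ps` output
# and shell history.
gen_ca() {
    rhn-ssl-tool --gen-ca --dir="$BUILD_DIR" \
        ${RHN_CA_PASSWORD:+"--password=$RHN_CA_PASSWORD"} \
        --set-country=US --set-state=NC --set-city=Raleigh \
        --set-org="Example Corp" --set-org-unit="RHN Infrastructure" \
        --set-common-name="Example Corp RHN CA" --set-email=rhn-admin@example.com
}

# Step 3: one Web server key set per Proxy or Satellite hostname; the RPM to
# install on that server is written under $BUILD_DIR/<hostname>/.
gen_server() {   # $1 = server FQDN
    rhn-ssl-tool --gen-server --dir="$BUILD_DIR" \
        ${RHN_CA_PASSWORD:+"--password=$RHN_CA_PASSWORD"} \
        --set-hostname="$1" \
        --set-country=US --set-state=NC --set-city=Raleigh \
        --set-org="Example Corp" --set-org-unit="RHN Infrastructure" \
        --set-email=rhn-admin@example.com
}

sha256_of() {    # portable digest: GNU sha256sum or BSD shasum
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Step 4: archive the whole build tree and record its digest beside it.
archive_build_tree() {   # $1 = build dir, $2 = archive path (.tar.gz)
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
    sha256_of "$2" > "$2.sha256"
}

# Step 5: verify before trusting the archive. The digest must match and the
# CA private key must be present, otherwise the tree cannot be restored later.
verify_archive() {       # $1 = archive path; returns 0 only if both checks pass
    [ -f "$1.sha256" ] || return 1
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ] || return 1
    tar -tzf "$1" | grep -q '/RHN-ORG-PRIVATE-SSL-KEY$'
}

# Step 7: delete the tree from the build host, but refuse unless the archive
# verifies first; the tree holds the organization's CA private key.
purge_build_tree() {     # $1 = build dir, $2 = archive path
    verify_archive "$2" || { echo "archive failed verification; not deleting $1" >&2; return 1; }
    if command -v shred >/dev/null 2>&1; then
        find "$1" -type f -exec shred -u {} +
    fi
    rm -rf "$1"
}

# Orchestration for a real build host; skipped where rhn-ssl-tool is absent.
if command -v rhn-ssl-tool >/dev/null 2>&1; then
    gen_ca
    for host in proxy1.example.com satellite.example.com; do gen_server "$host"; done
    archive_build_tree "$BUILD_DIR" /media/removable/ssl-build.tar.gz
    verify_archive /media/removable/ssl-build.tar.gz
    # Only after every Proxy and Satellite has its RPM installed (step 7):
    # purge_build_tree "$BUILD_DIR" /media/removable/ssl-build.tar.gz
fi
```

Run it on the build host after installing rhns-certs-tools; the RPMs to install on clients and servers appear in the build tree before it is archived. The purge step is deliberately gated on verify_archive so that a corrupt or incomplete archive cannot leave you without a copy of the CA private key, which is exactly the situation step 8 depends on avoiding.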