4.2.3. Generating the Certificate Authority SSL Key Pair

Before creating the SSL key set required by the Web server, generate a Certificate Authority (CA) SSL key pair. A CA SSL public certificate is distributed to client systems of the Satellite or Proxy. The Red Hat Satellite SSL Maintenance Tool allows you to generate a CA SSL key pair if needed and reuse it for all subsequent Red Hat Satellite server deployments.
The build process automatically creates the key pair and public RPM for distribution to clients. All CA components are created in the build directory specified at the command line, typically /root/ssl-build (or /etc/sysconfig/rhn/ssl for older Satellite and Proxy servers). To generate a CA SSL key pair, run the following command.

Important

Replace the example values with those appropriate for your organization.
# rhn-ssl-tool --gen-ca \
  --password=MY_CA_PASSWORD \
  --dir="/root/ssl-build" \
  --set-state="North Carolina" \
  --set-city="Raleigh" \
  --set-org="Example Inc." \
  --set-org-unit="SSL CA Unit"
This command generates the following relevant files in the specified build directory:
  • RHN-ORG-PRIVATE-SSL-KEY: the CA SSL private key.
  • RHN-ORG-TRUSTED-SSL-CERT: the CA SSL public certificate.
  • rhn-org-trusted-ssl-cert-VER-REL.noarch.rpm: the RPM prepared for distribution to client systems.
    This file contains the CA SSL public certificate (above) and installs it as /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
  • rhn-ca-openssl.cnf: the SSL CA configuration file.
  • latest.txt: lists the latest versions of the relevant files.
When this process is complete, distribute the RPM file to the client systems. See Section 4.3, “Deploying the CA SSL Public Certificate to Clients” for more information.