4.2.4. Generating Web Server SSL Key Sets

At this point, a CA SSL key pair should already have been generated. Web server SSL key sets are likely to be generated more frequently, especially if more than one Proxy or Satellite is deployed. A distinct set of SSL keys and certificates must be generated and installed for every distinct Satellite or Proxy server host name. The value for --set-hostname is therefore different for each server.
The server certificate build process works in a similar fashion to CA SSL key pair generation, with one exception: All server components are saved in subdirectories of the build directory. These subdirectories reflect the build system's machine name, such as /root/ssl-build/MACHINE_NAME. To generate a server certificate, run the following command.


Replace the example values with those appropriate for your organization.
The following is a single command. Ensure you enter it all on one line.
# rhn-ssl-tool --gen-server \
  --password=MY_CA_PASSWORD \
  --dir="/root/ssl-build" \
  --set-state="North Carolina" \
  --set-org="Example Inc." \
  --set-org-unit="IS/IT" \
  --set-email="admin@example.com" \
  --set-hostname="SERVER_HOSTNAME"
This command generates the following relevant files in a machine-specific subdirectory of the build directory:
  • server.key: the Web server's SSL private server key.
  • server.csr: the Web server's SSL certificate request.
  • server.crt: the Web server's SSL public certificate.
  • rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm: the RPM prepared for distribution to Satellite and Proxy Servers. Its associated src.rpm file is also generated.
    This RPM file contains the server.key, server.csr, and server.crt files. These files are installed in the following directories:
    • /etc/httpd/conf/ssl.key/server.key
    • /etc/httpd/conf/ssl.csr/server.csr
    • /etc/httpd/conf/ssl.crt/server.crt
  • rhn-server-openssl.cnf: the Web server's SSL configuration file.
  • latest.txt: lists the latest versions of the relevant files.
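Before the RPM is distributed, the generated key set can be checked with openssl: the certificate must match the private key, name the intended host, and chain to the CA certificate. The script below is an added example, not part of this guide or of rhn-ssl-tool; the function names check_keyset and make_sample_keyset, the sample host name, and the CA certificate path passed as an argument are assumptions, and it assumes the --set-hostname value appears as the certificate's commonName.

```shell
#!/bin/sh
# Added example (not from the Satellite documentation).
# check_keyset DIR HOSTNAME CA_CERT: verify one server key set before its RPM
# is distributed. Prints one line per check; returns 0 only if all pass.
check_keyset() {
    dir=$1 host=$2 ca=$3 rc=0

    # 1. server.crt must contain the public half of server.key.
    kpub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null)
    if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then echo "ok   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi

    # 2. The subject commonName must be the host name this set was built for.
    cn=$(openssl x509 -in "$dir/server.crt" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" = "$host" ]; then echo "ok   commonName is $host"
    else echo "FAIL commonName is '$cn', expected '$host'"; rc=1; fi

    # 3. The certificate must chain to the organization's CA certificate.
    if openssl verify -CAfile "$ca" "$dir/server.crt" 2>/dev/null | grep -q ': OK$'
    then echo "ok   signed by $ca"
    else echo "FAIL not signed by $ca"; rc=1; fi

    return $rc
}

# Constructed sample data: a throwaway CA plus one server key set, laid out like
# a machine subdirectory of the build directory. Stands in for rhn-ssl-tool output.
make_sample_keyset() {
    top=$1 host=$2
    mkdir -p "$top/$host" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$top/ca.key" -out "$top/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$top/$host/server.key" -out "$top/$host/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$top/$host/server.csr" -days 1 -CA "$top/ca.crt" \
        -CAkey "$top/ca.key" -CAcreateserial -out "$top/$host/server.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample_keyset "$tmp" proxy1.example.com &&
    check_keyset "$tmp/proxy1.example.com" proxy1.example.com "$tmp/ca.crt"
    rm -rf "$tmp"
fi
```

Run against a real build, the first argument is the machine-specific subdirectory of the build directory and the third is the CA certificate created in the earlier CA step.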
When this process is complete, distribute and install the RPM file on its respective Satellite or Proxy Server, and then restart the httpd service.
# service httpd restart