Chapter 4. Using certificates with Subscription Manager

Red Hat uses certificates to verify the identity of the system and authenticate that it is compliant with the subscriptions as outlined in your contract. Any time there is a change in the subscription at the organization level, Red Hat revokes the certificate and issues a new one. The organization administrator must then download the new certificate to the system.
A certificate uses the .pem file type and contains both keys and certificates. There are five types of certificates:
  • Identity certificate: identifies the system to the subscription service.
  • Subscription certificate: Defines the products a user can install on their system based on the subscriptions that have been attached to that system.
  • Product certificate: Contains the information about a product after it has been installed
  • CA certificate: The certificate authority which issued the SSL server certificate used by the subscription service. This must be installed on a system for the system to use SSL to connect to the subscription service.
  • Satellite certificate: An XML-formatted certificate which contains a product list. This is used by on-premise Satellite 5.x systems, not the newer subscription service.

4.1. Importing subscription certificates

In certain situations, new product subscriptions can be added by installing the subscription certificate directly rather than polling the subscription service. For example, systems which are offline must have subscriptions manually added because they cannot connect to the subscription service directly. Alternatively, an administrator may want to attach a subscription for a product which is not yet installed.
Before you begin, you need to retrieve the offline system’s certificate from the Customer Portal:
  • From the Customer Portal, open the Systems page.
  • Click the offline system. If necessary, attach the subscriptions to the system.
  • Click the My Subscriptions tab.
  • Click the Download All Certificates button. This exports all of the subscription certificates, for each product, to a single .zip file. Save the file to a portable media device, like a flash drive. Alternatively, click the Download link on the row for the subscription to download an individual certificate.
Once you have the certificate(s) downloaded, copy them to the offline system. If all certificates were downloaded in an archive file, then there are multiple archives in the downloaded certificates.zip file. Unzip the directories until you see the .PEM files for the subscription certificates are available.
Import the certificates:
  • Launch Subscription Manager. For example:
    [root@server ~]# subscription-manager-gui
  • Open the System menu, and select the Import Certificate item.
  • Click the file folder icon at the right of the field to navigate to the .pem file of the product certificate.
  • Click the Import Certificate button.
All of the uploaded subscriptions are attached to the system.
Alternatively, you can import the certificates using the command line:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem
          --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem

          Successfully imported certificate 596576341785244687.pem
          Successfully imported certificate 3195996649750311162.pem