8.5. Viewing Certificate Information with the rct Tool

The rct tool performs two tasks:
  • It displays the size and statistics of the certificate information (stat-cert).
  • It displays information (headers) contained within the certificate, such as product or content set information (cat-cert).
The precise details returned by either command depend on the type of certificate being checked.

8.5.1. Viewing Certificate Sizes and Statistics

Large accounts and organizations can have a large number of products and subscriptions, in multiple orders. This results in a very large number of products and content sets available to the organization, and all of the information is defined in the entitlement certificate.
The main reason to view certificate statistics is that certificate sizes, for a number of reasons, affect the performance of content delivery services. Older versions of entitlement certificates (version 1.0) used a different, less efficient DER encoding, so large amounts of information resulted in very large certificates. (This could cause timeouts or crashes when dealing with content services.) Newer entitlement certificate versions (version 3.0) use more efficient encoding on large content sets, which improves overall subscription service performance.
A large number of content sets is anything over 185 total sets. Both the total number of content sets and the size of the DER encoding in the certificate could affect performance.
This information is displayed using the stat-cert command and specifying the PEM file of the certificate to check.
# rct stat-cert /path/to/PEM_FILE

Table 11. Information Returned by stat-cert

Parameter: Type
  • Description: Identifies the type of certificate being checked.
  • Possible values: Entitlement, Identity, Product
  • Certificate types it applies to: Entitlement, Identity, Product
Parameter: Version
  • Description: The version of the certificate formatting, which indicates the type of DER encoding used.
  • Possible values: 3.0 (new), 1.0 (old)
  • Certificate types it applies to: Entitlement, Identity, Product
Parameter: DER size
  • Description: The size of the certificate contents (not the size of the certificate file itself).
  • Possible values: Size in bytes
  • Certificate types it applies to: Entitlement, Product, Identity
Parameter: Subject Key ID size
  • Description: The size of the hashed public key for the key associated with the certificate (not the size of the key file itself).
  • Possible values: Size in bytes
  • Certificate types it applies to: Entitlement, Identity
Parameter: Content sets
  • Description: The total number of all available content sets for the system, for all supported versions for products for the system.
  • Possible values: Number
  • Certificate types it applies to: Entitlement
For example, for an entitlement certificate:
[root@server ~]# rct stat-cert /etc/pki/entitlement/2027912482659389239.pem
Type: Entitlement Certificate
Version: 1.0
DER size: 47555b
Subject Key ID size: 553b
Content sets: 100
While the size of the certificate is less of an issue for identity and product certificates (which are quite small), the stat-cert command can still be used to view the size and statistics of the certificates.
For example, for a product certificate:
[root@server ~]# rct stat-cert /etc/pki/product/69.pem
Type: Product Certificate
Version: 1.0
DER size: 1558b
For an identity certificate:
[root@server ~]# rct stat-cert /etc/pki/consumer/cert.pem
Type: Identity Certificate
Version: 1.0
DER size: 1488b
Subject Key ID size: 20b
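The stat-cert fields can be checked automatically against the values given above (version 1.0 as the older encoding, more than 185 content sets as large). The following is an added example, not part of the original documentation or of the rct tool; the function name check_stat_cert, the REVIEW/OK labels, and the second sample are assumptions of this example.

```shell
# Classify `rct stat-cert` output read on stdin (added example).
# Thresholds from the text: version 1.0 is the older encoding, and more
# than 185 content sets counts as large. REVIEW/OK are labels of this example.
# Real use: rct stat-cert /path/to/PEM_FILE | check_stat_cert
check_stat_cert() {
    awk -F': *' '
        { sub(/^[ \t]+/, "") }                       # tolerate indented output
        $1 == "Type"         { kind = $2; sub(/ Certificate$/, "", kind) }
        $1 == "Version"      { version = $2 }
        $1 == "DER size"     { der = $2; sub(/b$/, "", der) }
        $1 == "Content sets" { sets = $2 + 0; have_sets = 1 }
        END {
            if (kind == "") { print "ERROR no Type field"; exit 2 }
            why = ""
            # Only entitlement certificates carry content sets.
            if (kind == "Entitlement") {
                if (version == "1.0") why = why ",v1.0-encoding"
                if (have_sets && sets > 185) why = why ",content-sets>185"
            }
            printf "%s type=%s version=%s der_bytes=%s content_sets=%s",
                   (why == "" ? "OK" : "REVIEW"), kind, version, der,
                   (have_sets ? sets : "n/a")
            if (why != "") printf " reasons=%s", substr(why, 2)
            printf "\n"
        }'
}

# Constructed sample: the entitlement output shown above.
sample_v1() {
    cat <<'EOF'
Type: Entitlement Certificate
Version: 1.0
DER size: 47555b
Subject Key ID size: 553b
Content sets: 100
EOF
}

# Constructed sample: a hypothetical 3.0 certificate above the 185-set mark.
sample_large() {
    printf 'Type: Entitlement Certificate\nVersion: 3.0\nDER size: 9000b\nContent sets: 200\n'
}

sample_v1 | check_stat_cert
sample_large | check_stat_cert
```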

8.5.2. Viewing Certificate Information

Each certificate contains the complete details for whatever element it identifies, such as its serial number, associated products, order information, or content sets, depending on the type of certificate. That information can be displayed, in pretty-print form, using the cat-cert command.
# rct cat-cert /path/to/PEM_FILE [--no-product] [--no-content]

Note

Entitlement certificates contain additional information about available products and configured content repositories. Since this information can be huge, the --no-product and --no-content options can be used to cut out the long lists of products and repositories and only return certificate and order information.
Those options are not used when getting information about identity or product certificates.
The most basic information is the information about the certificate itself, such as its directory path, its serial number and subject name, and its validity period (start and end dates). The information about the certificate itself is in the Certificate section. The subject DN of the certificate is in the Subject section.
For example, for the identity certificate:
[root@server ~]# rct cat-cert /etc/pki/consumer/cert.pem

+-------------------------------------------+
        Identity Certificate
+-------------------------------------------+

Certificate:
        Path: /etc/pki/consumer/cert.pem
        Version: 1.0
        Serial: 824613308750035399
        Start Date: 2012-11-09 16:20:22+00:00
        End Date: 2013-11-09 16:20:22+00:00
        Alt Name: DirName:/CN=server.example.com

Subject:
        CN: e94bc90e-44a1-4f8c-b6fc-0a3e9d6fac2b
A product certificate contains additional information in a Product section, which defines the information for the specific installed product, such as its name, product version, and any yum tags used for that product. For example:
[root@server ~]# rct cat-cert /etc/pki/product/69.pem

+-------------------------------------------+
       Product Certificate
+-------------------------------------------+

Certificate:
       Path: /etc/pki/product/69.pem
       Version: 1.0
       Serial: 12750047592154746449
       Start Date: 2012-10-04 18:45:02+00:00
       End Date: 2032-09-29 18:45:02+00:00

Subject:
       CN: Red Hat Product ID [b4f7ac9e-b7ed-45fa-9dcc-323beb20e916]

Product:
       ID: 69
       Name: Red Hat Enterprise Linux Server
       Version: 6.4
       Arch: x86_64
       Tags: rhel-6,rhel-6-server
The most information is contained in the entitlement certificate. Along with the Certificate and Subject sections, it also has a Product section that defines the product group that is covered by the subscription.
Then, it contains an Order section that details everything related to the purchase of the subscription (such as the contract number, service level, total quantity, quantities assigned to the system, and other details on the subscription).
A subscription for a product covers the version purchased and every previous version of the product. For example, when a subscription is purchased for Red Hat Enterprise Linux 6, the subscription provides full access to all RHEL 6 repositories, plus access to all RHEL 5 repositories and then other included product content repositories, like Subscription Asset Manager. Every available content repository is listed in a Content section that contains the repository name, associated tags, its URL, and a notice on whether the yum repository is enabled by default.
For example:
[root@server ~]# rct cat-cert /etc/pki/entitlement/2027912482659389239.pem
+-------------------------------------------+
       Entitlement Certificate
+-------------------------------------------+

Certificate:
       Path: /etc/pki/entitlement/2027912482659389239.pem
       Version: 1.0
       Serial: 2027912482659389239
       Start Date: 2011-12-31 05:00:00+00:00
       End Date: 2012-12-31 04:59:59+00:00

Subject:
       CN: 8a99f9843adc8b8f013ae5f9de022b73

Product:
      ID: 69
      Name: Red Hat Enterprise Linux Server
      Version:
      Arch: x86_64,ia64,x86
      Tags:

Order:
      Name: Red Hat Enterprise Linux Server, Premium (8 sockets) (Up to 4 guests)
      Number: 2673502
      SKU: RH0103708
      Contract: 10011052
      Account: 5206751
      Service Level: Premium
      Service Type: L1-L3
      Quantity: 100
      Quantity Used: 1
      Socket Limit: 8
      Virt Limit:
      Virt Only: False
      Subscription:
      Stacking ID:
      Warning Period: 0
      Provides Management: 0

Content:
      Type: yum
      Name: Red Hat Enterprise Linux 6 Server (RPMs)
      Label: rhel-6-server-rpms
      Vendor: Red Hat
      URL: /content/dist/rhel/server/6/$releasever/$basearch/os
      GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      Enabled: True
      Expires: 86400
      Required Tags: rhel-6-server
There can be dozens or even hundreds of products and content repositories contained within a single entitlement certificate. In that case, the cat-cert command results can be truncated by using the --no-product or --no-content options to remove the Product and Content sections (respectively).
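The sectioned cat-cert layout shown above can be reduced to one line per content repository plus a validity check on the End Date. The following is an added example, not part of the original documentation or of the rct tool; the function name audit_cat_cert, its output format, and the reference-date argument are assumptions of this example, and it relies on section headers being unindented and fields indented.

```shell
# Summarise `rct cat-cert` output read on stdin (added example).
# $1: reference date, YYYY-MM-DD (defaults to today in UTC).
audit_cat_cert() {
    awk -v today="${1:-$(date -u +%Y-%m-%d)}" '
        function emit_repo() {            # one line per completed Content section
            if (section == "Content" && f["Label"] != "")
                printf "repo label=%s enabled=%s gpg=%s\n", f["Label"],
                       f["Enabled"], (f["GPG"] == "" ? "none" : f["GPG"])
            split("", f)                  # portable way to clear the array
        }
        /^[A-Z][A-Za-z ]*:[ \t]*$/ {      # unindented header such as "Content:"
            emit_repo(); section = $0; sub(/:.*/, "", section); next
        }
        /^[ \t]+[A-Za-z][A-Za-z ]*:/ {    # indented "Key: value" line
            key = $0; sub(/^[ \t]+/, "", key); val = key
            sub(/:.*/, "", key); sub(/^[^:]*:[ \t]*/, "", val)
            if (section == "Certificate" && key == "Serial")   serial = val
            if (section == "Certificate" && key == "End Date") not_after = substr(val, 1, 10)
            if (section == "Content") f[key] = val
        }
        END {
            emit_repo()
            if (not_after == "") { print "ERROR no End Date found"; exit 2 }
            # ISO dates compare correctly as strings.
            printf "cert serial=%s not_after=%s %s\n", serial, not_after,
                   (not_after < today ? "EXPIRED" : "valid")
        }'
}

# Constructed sample: the entitlement output shown above, abbreviated.
sample_cat_cert() {
    cat <<'EOF'
Certificate:
       Path: /etc/pki/entitlement/2027912482659389239.pem
       Serial: 2027912482659389239
       End Date: 2012-12-31 04:59:59+00:00

Content:
      Name: Red Hat Enterprise Linux 6 Server (RPMs)
      Label: rhel-6-server-rpms
      GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      Enabled: True
EOF
}

sample_cat_cert | audit_cat_cert 2013-01-01
```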