8.3. The Structure of Subscription Certificates

A subscription is analogous to an assigned software license. Subscription certificates contain a list of available products for a system — software that the system has been granted rights to download and update. When a system is attached to a subscription pool, the system pulls down the subscription certificate from the subscription service, which contains all of the information about available products.
A subscription certificate contains a list of every potential product from every potential content source. The structure of the subscription certificate, then, allows multiple namespaces for products, content servers, roles, orders, and systems. A subscription certificate also contains complete information about the attached pool, even for products which may not be compatible with the specific system. In a subscription certificate, the architecture and version definitions contain all of the allowed architectures and versions.


The local Subscription Manager polls the subscription service routinely (every four hours by default) to check for changes in the subscriptions. When a subscription is changed in some way, then the original subscription certificate is revoked and is replaced with a new subscription certificate.
The subscription certificate is a *.pem file stored in the subscription certificates directory, /etc/pki/entitlement. The name of the *.pem file is a numeric identifier that is generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
The heading of the certificate contains the name of the subscription service which issued it, the validity period of the certificate (which is tied to the installation date of the product), and then the serial number of the installation of the product.
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=candlepin.example.com, C=US, L=City
            Not Before: Oct  8 17:55:28 2010 GMT
            Not After : Oct  2 23:59:59 2011 GMT
        Subject: CN=8a878c912b875189012b8cfbc3f2264a
... [snip] ...
The key definition of the product is given in custom certificate extensions that are appended to the certificate. Each namespace defines certain information about a product, including its name, content servers which can deliver it, the format of delivery, and a GPG key to identify the release. Every individual entry is identified by a numeric object identifier (OID) with the same basic format:
The 2 indicates that it is a product entry. product_# is a unique ID which identifies the specific product or variant. config_# relates to the installation information for that product, like its content server or the quantity available.


Every subscriptions-related extension begins with the OID base The subsequent numbers identify different subscription areas:
  • .2. is the product-specific information
  • .1. is the subscription information
  • .4. contains the contract information, like its ID number and start and end dates
  • .5. contains the system information, like the system ID which installed a product
A product definition contains a series of entries which configure all of the information required to identify and install the product. Each type of information has its own ID, the config_# in the OID, that is used consistently for all products. An example product is listed in Example 15, “Annotated Red Hat Enterprise Linux High Availability Product Extensions in a Subscription Certificate”.

Example 15. Annotated Red Hat Enterprise Linux High Availability Product Extensions in a Subscription Certificate

            content repository type  
                .HRed Hat Enterprise Linux High Availability (for RHEL Subscription) (RPMs)
            channel name  
                ..Red Hat
            download URL  
            key download URL  
            flex quantity  
            repo enabled setting