9.3. Regenerating and Replacing CA Certificates
There may be a situation when it is necessary to replace the existing CA certificate used for the subscription service. In that case, every system which uses Subscription Asset Manager as its subscription service must be updated to use that new certificate.
This is done by generating a new RPM containing the certificate file and then distributing that RPM to the client systems.
- On the Subscription Asset Manager server, generate a new certificate RPM to install on the clients. This should all be on a single line; each argument is broken out to show the required options.
  [root@sam-server ~]# /usr/share/katello/certs/gen-rpm.sh \
      --name "candlepin-cert-consumer-$(hostname)" \
      --version 1.4 \
      --release 2 \
      --packager None \
      --vendor None \
      --group 'Applications/System' \
      --summary "Subscription-manager consumer certificate for Katello instance $(hostname)" \
      --description 'Consumer certificate and post installation script that configures rhsm.' \
      --requires subscription-manager \
      --post /root/ssl-build/rhsm-katello-reconfigure \
      /etc/rhsm/ca/candlepin-local.pem:644=/root/ssl-build/candlepin-cert.crt \
      2>>/var/log/katello/katello-configure/certificates.log && /sbin/restorecon ./*rpm
  This script generates a new RPM containing the new Subscription Asset Manager certificate file and sets up the RPM to install that certificate and properly configure the Red Hat Subscription Manager client on each system. The arguments for the bash script define the RPM settings:
  - --name, --version, and --release set the name of the RPM, in the form name.version-release.rpm.
  - --vendor and --packager are required for the RPM information, but the values do not matter.
  - --group specifies the type of application or package which the RPM installs.
  - --summary and --description just set information about the RPM.
  - --requires sets packages that must be available or installed before this RPM can be installed. Since this RPM configures the local Red Hat Subscription Manager client, the subscription-manager package is required.
  - --post runs a given command, script, or series of commands once the RPM package is installed. In this case, it configures the local Red Hat Subscription Manager client to use the specified Subscription Asset Manager server as its subscription service and sets the required connection and certificate properties in the Red Hat Subscription Manager configuration file.
- Delete any existing certificate RPMs in the /var/www/html/pub directory on the server machine.
- Copy the newly-generated RPM to the /var/www/html/pub directory so it can be downloaded via HTTP.
- On each Subscription Asset Manager client system, download and install the new RPM. For example:
[root@server1 ~]# rpm -ivh http://SAM_server_hostname/pub/candlepin-cert-consumer-SAM_server_hostname.noarch.rpm
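
The client step above installs the RPM straight from an http:// URL, and that package both installs a CA certificate and runs a --post script. As an added example (not part of the Red Hat documentation), the wrapper below checks the download against a SHA-256 digest before handing it to rpm; the function names, the use of curl, and the out-of-band delivery of the digest are assumptions.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling). Function names are hypothetical.
# Assumption: the SHA-256 of the RPM is recorded on the server after gen-rpm.sh
# runs and reaches clients out of band (e.g. through configuration management).

# verify_rpm_digest FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_rpm_digest() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ -f "$file" ] || { echo "no such file: $file" >&2; exit 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "digest is not hex" >&2; exit 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 64 hex chars" >&2; exit 2; }
    actual=$(sha256sum -- "$file" | awk '{print $1}') || exit 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        exit 1
    fi
)

# install_cert_rpm URL EXPECTED_SHA256
# Download to a temporary file, verify it, and only then pass the file to rpm.
install_cert_rpm() (
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    curl -fsS -o "$tmp" "$1" || exit 2
    verify_rpm_digest "$tmp" "$2" || exit $?
    rpm -qp --scripts "$tmp"      # show the --post script before it runs as root
    rpm -ivh "$tmp"
)

# Run only when called with both arguments, e.g.
#   sh install-cert.sh http://SAM_server_hostname/pub/<rpm file> <sha256>
if [ "$#" -eq 2 ]; then
    install_cert_rpm "$1" "$2"
fi
```

The digest can be taken on the server with sha256sum at the point the RPM is copied into /var/www/html/pub.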