Chapter 6. Using Identity Certificates

The Identity Certificate Management screen is used to create new entitlement certificates and configuration RPMs.
An identity certificate is used by Red Hat Update Infrastructure to authenticate the CDS to the Red Hat Update Appliance and secure the communication between them. Entitlement certificates grant a client access to a specific set of entitled repositories, but the Red Hat Update Appliance monitoring functionality and the load balancer require access to all repositories in the system. The identity certificate can be used to identify each component as part of Red Hat Update Infrastructure, so that the entitlement-checking procedure will not deny it access.
An identity certificate is generated for you the first time you use Red Hat Update Infrastructure Manager. When the identity certificate generated by that process expires, you will need to regenerate the certificate in order to continue using Red Hat Update Infrastructure.
Only one identity certificate is needed for the entire infrastructure.
To access the Identity Certificate Management screen, go to the Home screen and type i at the prompt:
------------------------------------------------------------------------------
             -= Red Hat Update Infrastructure Management Tool =-


-= Identity Certificate Management =-

   g   generate a new identity certificate

                                                  Connected: rhua.example.com
------------------------------------------------------------------------------
rhui (client) =>

Procedure 6.1. Generate a New Identity Certificate

  1. From the Identity Certificate Management screen, type g at the prompt to generate a new identity certificate:
    rhui (client) => g
    
  2. Confirm that the new identity certificate will overwrite the existing certificate by typing y at the prompt:
    Generating a new RHUI identity certificate will replace 
    the one currently stored at /etc/pki/rhui/identity.crt.  Proceed? [y/n]: y
    
  3. Enter the number of days that the identity certificate should be valid for. If left blank, this field will default to 3650 (ten years):
    Enter the number of days the RHUI identity certificate will be valid.  
    If the identity certificate ever expires, it will need to be 
    regenerated using rhui-manager [Default: 3650]:
    
  4. The new identity certificate will be created. You should restart the service to pick up the changes:
    ...............+++
    .........+++
    Successfully regenerated RHUI Identity certificate
    

6.1. Updating the Entitlement-Signing CA Certificate

This section deals with the entitlement-signing CA certificate, which is configured at the first launch of rhui-manager.
Before regenerating the entitlement-signing CA certificate, note that any client instances with installed client configuration RPMs containing certificates signed by your existing entitlement-signing CA certificate will cease to work. These clients will need to be updated by installing new client configuration RPMs, either manually or from an unprotected custom repository hosted in your Red Hat Update Infrastructure.

Procedure 6.2. Follow these steps to update the entitlement-signing CA certificate and its private key

  1. Remove the following files from the /etc/pki/rhui directory. As a precaution, back up the files before deleting them.
    entitlement-ca.crt
    entitlement-ca-key.pem
    entitlement-ca.srl
    identity.crt
    identity.key

    Note

    The Identity certificate and its private key (identity.crt and identity.key) are removed because they are signed by the entitlement-signing CA certificate and thus must be regenerated.
  2. The next time you start rhui-manager, you will be prompted for the new path to the entitlement-signing CA certificate and key, and a new identity certificate and key will also be generated.
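
One way to carry out step 1 of Procedure 6.2 so that nothing is deleted until every backup copy has been verified. This is an added example, not part of the original Red Hat documentation; the function name and the backup path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the RHUI documentation): back up, verify, then
# remove the files listed in step 1 of Procedure 6.2.
# The function name and the backup location are assumptions.

RHUI_FILES="entitlement-ca.crt entitlement-ca-key.pem entitlement-ca.srl identity.crt identity.key"

# backup_and_remove_rhui_ca SRC_DIR BACKUP_DIR
# Copies each listed file with mode and timestamps preserved, compares the
# copy byte-for-byte with the original, and only then deletes anything.
backup_and_remove_rhui_ca() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }

    # The backup holds private keys: make it accessible to the owner only.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 700 "$dest" || return 1

    # Pass 1: copy and verify. Nothing is deleted yet.
    for f in $RHUI_FILES; do
        [ -e "$src/$f" ] || continue      # skip any listed file that is absent
        cp -p "$src/$f" "$dest/$f" || return 1
        cmp -s "$src/$f" "$dest/$f" || { echo "backup mismatch: $f" >&2; return 1; }
    done

    # Pass 2: every copy verified, so remove the originals.
    for f in $RHUI_FILES; do
        [ -e "$src/$f" ] || continue
        rm -f -- "$src/$f" || return 1
    done
}

# Usage (as root), with a constructed backup path:
#   backup_and_remove_rhui_ca /etc/pki/rhui "/root/rhui-ca-backup-$(date +%Y%m%d)"
```

Files in the directory that are not on the list are left in place, and a failed copy or comparison stops the function before any original is removed.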