Chapter 15. Manage Certificates and Keys

15.1. Red Hat Update Appliance Certificates

The Red Hat Update Appliance (RHUA) in Red Hat Update Infrastructure (RHUI) uses the following certificates and keys:

  • Content certificate and private key
  • Entitlement certificate and private key
  • SSL certificate and private key
  • Cloud provider’s Certificate Authority (CA) certificate

The RHUA is configured with the content certificate and the entitlement certificate. The RHUA uses the content certificate to connect to the Red Hat Content Delivery Network (CDN). It also uses the Red Hat CA certificate to verify the connection to the Red Hat CDN. As the RHUA is the only component that connects to the Red Hat CDN, it will be the only RHUI component that has this certificate deployed. It should be noted that multiple RHUI installations can use the same content certificate. For instance, the Amazon EC2 cloud runs four RHUI installations (one per region), but each RHUI installation uses the same content certificate.

Clients use the entitlement certificate only to permit access to packages in RHUI. To perform an environment health check, RHUA attempts a yum request against each CDS. To succeed, the yum request must specify a valid entitlement certificate.

15.2. Content Delivery Server Certificates

Each CDS node in RHUI uses the following certificates and keys:

  • SSL certificate and private key
  • Cloud provider’s CA certificate

The only certificate necessary for the CDS is an SSL certificate, which permits HTTPS communications between the client and the CDS. The SSL certificates are scoped to a specific host name, so a unique SSL certificate is required for each CDS node. If SSL errors occur when connecting to a CDS, the certificate should be double-checked to make sure its common name is set to the fully qualified domain name of the CDS on which it is installed.

The CA certificate is used to verify that the entitlement certificate sent by the client as part of a yum request was signed by the cloud provider. This prevents a rogue instance from generating its own entitlement certificate for unauthorized use within RHUI.

15.3. Client Certificates

Each client in the RHUI uses the following certificates and keys:

  • Entitlement certificate and private key
  • Cloud provider’s CA certificate

The entitlement certificate and its private key enable information encyrption from the CDS back to the client. Each client uses the entitlement certificate when connecting to the CDS to prove it has permission to download its packages. All clients use a single entitlement certificate.

The cloud provider’s CA certificate is used to verify the CDS’s SSL certificate when connecting to it. This ensures that a rogue instance is not impersonating the CDS and introducing potentially malicious packages into the client.

The CA certificate is used to verify the CDS’s SSL certificate, not the entitlement certificate itself. The reverse is true for the CDS node. The CDS’s SSL certificate and private key are used for encrypting data from the client to the CDS. The CA certificate present on the CDS is used to verify that the CDS node should trust the entitlement certificate sent by the client.

15.4. Display and Manage Certificates

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you need to decide how to subdivide your clients and create a separate certificate for each one. You can then use each certificate to create individual RPMs for installation on the appropriate guest images.

15.4.1. List the Entitled Products for a Certificate

The Entitlements Manager screen is used to list entitled products in the current Red Hat content certificates and to upload new certificates.

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen.

    [root@rhua ~]# rhui-manager
  2. Press n at the prompt to access the Entitlements Manager screen.
  3. From the Entitlements Manager screen, press l at the prompt to list data about the current content certificate. The Red Hat Update Infrastructure Management Tool displays the following information about the certificate.

    rhui (entitlements) => l
    
    Red Hat Entitlements
    
    Valid
    RHEL RHUI Atomic 7 Ostree Repo
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 7server Extras Debug
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 7server Extras OS
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 7server Extras Source Srpms
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 Containers
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 Debug
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 OS
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    ---------------------------------------------------------------

15.4.2. List Custom Repository Entitlements

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen.

    [root@rhua ~]# rhui-manager
  2. Press n at the prompt to access the Entitlements Manager screen.
  3. From the Entitlements Manager screen, press c at the prompt to list data about the custom repository entitlements.

    rhui (entitlements) => c
    
    Custom Repository Entitlements
    For each entitlement URL listed, the corresponding repositories that are configured with that entitlement are listed.
    
    /protected/$basearch/os
    
     Name: Repo 1
    URL: protected/i386/os
    
    Name: Repo 2
    URL: protected/x86_64/os
    
    ------------------------------------------------------------------------------

15.4.3. Upload a Content Certificate

Red Hat might need to issue a new content certificate if your content certificate is about to expire, or they may need to change the certificate’s entitlements. If Red Hat issues a new content certificate, it will need to be uploaded to RHUI.

When you upload a new content certificate, it will be updated in the RHUA and will be used for synchronizing Red Hat repositories. Do not upload a new content certificate before it becomes valid; it will cause your synchronizations to fail until the valid date is reached.

If two or more content certificates provide the same entitlements, the certificate with an expiration date furthest in the future will be used.

  1. The Red Hat Update Infrastructure Management Tool expects that the content certificate and its private key are contained in the same file. If you have existing content certificates with separate keys, you can create the single file using the cat command at a shell prompt.

    # cat file1 file2 > file3
  2. From the Entitlements Manager screen, press u at the prompt to upload a new or updated Red Hat content certificate.

    rhui (entitlements) => u
    Important

    Content certificates are stored on the same system the Red Hat Update Infrastructure Management Tool is installed on at /etc/pki/rhui. For security reasons, this directory requires root permissions. If you do not have the correct permissions, the Red Hat Update Infrastructure Management Tool will not allow you to proceed.

  3. Enter the full path to the new content certificate; the details of the new certificate to be uploaded display.
  4. Press y at the prompt to confirm the information and upload the packages. The Red Hat Update Infrastructure Management Tool lists the current certificates.

Report a bug