Chapter 15. Manage Certificates and Keys

15.1. Red Hat Update Appliance Certificates

The Red Hat Update Appliance (RHUA) in Red Hat Update Infrastructure (RHUI) uses the following certificates and keys:

  • Content certificate and private key
  • Entitlement certificate and private key
  • SSL certificate and private key
  • Cloud provider’s Certificate Authority (CA) certificate

The RHUA is configured with the content certificate and the entitlement certificate. The RHUA uses the content certificate to connect to the Red Hat Content Delivery Network (CDN). It also uses the Red Hat CA certificate to verify the connection to the Red Hat CDN. As the RHUA is the only component that connects to the Red Hat CDN, it will be the only RHUI component that has this certificate deployed. It should be noted that multiple RHUI installations can use the same content certificate. For instance, the Amazon EC2 cloud runs four RHUI installations (one per region), but each RHUI installation uses the same content certificate.

Clients use the entitlement certificate only to permit access to packages in RHUI. To perform an environment health check, RHUA attempts a yum request against each CDS. To succeed, the yum request must specify a valid entitlement certificate.

15.2. Content Delivery Server Certificates

Each CDS node in RHUI uses the following certificates and keys:

  • SSL certificate and private key
  • Cloud provider’s CA certificate

The only certificate necessary for the CDS is an SSL certificate, which permits HTTPS communications between the client and the CDS. The SSL certificates are scoped to a specific host name, so a unique SSL certificate is required for each CDS node. If SSL errors occur when connecting to a CDS, the certificate should be double-checked to make sure its common name is set to the fully qualified domain name of the CDS on which it is installed.

The CA certificate is used to verify that the entitlement certificate sent by the client as part of a yum request was signed by the cloud provider. This prevents a rogue instance from generating its own entitlement certificate for unauthorized use within RHUI.

15.3. Client Certificates

Each client in the RHUI uses the following certificates and keys:

  • Entitlement certificate and private key
  • Cloud provider’s CA certificate

The entitlement certificate and its private key enable information encyrption from the CDS back to the client. Each client uses the entitlement certificate when connecting to the CDS to prove it has permission to download its packages. All clients use a single entitlement certificate.

The cloud provider’s CA certificate is used to verify the CDS’s SSL certificate when connecting to it. This ensures that a rogue instance is not impersonating the CDS and introducing potentially malicious packages into the client.

The CA certificate is used to verify the CDS’s SSL certificate, not the entitlement certificate itself. The reverse is true for the CDS node. The CDS’s SSL certificate and private key are used for encrypting data from the client to the CDS. The CA certificate present on the CDS is used to verify that the CDS node should trust the entitlement certificate sent by the client.

15.4. Display and Manage Certificates

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you need to decide how to subdivide your clients and create a separate certificate for each one. You can then use each certificate to create individual RPMs for installation on the appropriate guest images.

15.4.1. List the Entitled Products for a Certificate

The Entitlements Manager screen is used to list entitled products in the current Red Hat content certificates and to upload new certificates.

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen.

    [root@rhua ~]# rhui-manager
  2. Press n at the prompt to access the Entitlements Manager screen.
  3. From the Entitlements Manager screen, press l at the prompt to list data about the current content certificate. The Red Hat Update Infrastructure Management Tool displays the following information about the certificate.

    rhui (entitlements) => l
    
    Red Hat Entitlements
    
    Valid
    RHEL RHUI Atomic 7 Ostree Repo
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 7server Extras Debug
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 7server Extras OS
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 7server Extras Source Srpms
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 Containers
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 Debug
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    
    RHEL RHUI Server 7 OS
    Expiration: 08-04-2025 	Certificate: content_cert.pem
    ---------------------------------------------------------------

15.4.2. List Custom Repository Entitlements

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen.

    [root@rhua ~]# rhui-manager
  2. Press n at the prompt to access the Entitlements Manager screen.
  3. From the Entitlements Manager screen, press c at the prompt to list data about the custom repository entitlements.

    rhui (entitlements) => c
    
    Custom Repository Entitlements
    For each entitlement URL listed, the corresponding repositories that are
    configured with that entitlement are listed.
    
    /protected/$basearch/os
    
     Name: Repo 1
    URL: protected/i386/os
    
    Name: Repo 2
    URL: protected/x86_64/os

15.4.3. Upload a Content Certificate

Red Hat might need to issue a new content certificate if your current certificate is about to expire, which typically occurs every two years. Red Hat also may need to change the certificate’s entitlements, which may occur more frequently than certificates expire. If two or more content certificates provide the same entitlements, the certificate with an expiration date furthest in the future is used.

If Red Hat issues a new content certificate, it must be uploaded to RHUI. When a new content certificate is uploaded, it is updated in the RHUA and is used for synchronizing Red Hat repositories.

You can ensure that your certificates are automatically renewed without your having to download new certificates and upload them to RHUI. To do so, follow these instructions:

Important

Do not upload a new content certificate before it becomes valid. Doing so will cause your synchronizations to fail until the valid date is reached.

Important

Before you attempt to install a new certificate, be sure that all of your CDS nodes are running. If that is not the case, the content certificate update process (initiated by the rhui-manager cert upload command) will fail.

Use either of the following methods to discover if all CDS nodes are running.

  • Log into each CDS node in your system to see if its web server is up:

    • Run the command systemctl status httpd.
    • If you cannot login or the status returned is inactive, that particular CDS is not running.
  • Log into the HAProxy node to view the statistics HAProxy periodically collects about managed CDS nodes.

    • Run the command echo show stat | nc -U /var/lib/haproxy/stats.
    • If the command returns DOWN for a hostname, that CDS is not running.

Procedure

  1. The Red Hat Update Infrastructure Management Tool expects that the content certificate and its private key are contained in the same file. If you have existing content certificates with separate keys, you can create the single file using the cat command at a shell prompt.

    # cat file1 file2 > file3
  2. From the Entitlements Manager screen, press u at the prompt to upload a new or updated Red Hat content certificate.

    rhui (entitlements) => u
    Important

    Content certificates are stored on the same system the Red Hat Update Infrastructure Management Tool is installed on at /etc/pki/rhui. For security reasons, this directory requires root permissions. If you do not have the correct permissions, the Red Hat Update Infrastructure Management Tool will not allow you to proceed.

  3. Enter the full path to the new content certificate; the details of the new certificate to be uploaded display.
  4. Press y at the prompt to confirm the information and upload the packages. The Red Hat Update Infrastructure Management Tool lists the current certificates.

Report a bug