Chapter 4. Managing Red Hat entitlement certificates

4.1. Red Hat Update Appliance certificates

The RHUA in RHUI uses the following certificates and keys:

  • Content certificate and private key
  • Entitlement certificate and private key
  • SSL certificate and private key
  • Cloud provider’s CA certificate

The RHUA is configured with the content certificate and the entitlement certificate. The RHUA uses the content certificate to connect to the Red Hat CDN. It also uses the Red Hat CA certificate to verify the connection to the Red Hat CDN. Because the RHUA is the only component that connects to the Red Hat CDN, it is the only RHUI component that has this certificate deployed. Multiple RHUI installations can use the same content certificate. For instance, the Amazon EC2 cloud runs multiple RHUI installations (one per region), but each RHUI installation uses the same content certificate.

Clients use the entitlement certificate to permit access to packages in RHUI. To perform an environment health check, the RHUA attempts a yum request against each CDS. To succeed, the yum request must specify a valid entitlement certificate.

4.2. Content delivery server certificates

Each CDS node in RHUI uses the following certificates and keys:

  • SSL certificate and private key
  • Cloud provider’s CA certificate

The only certificate necessary for the CDS is an SSL certificate, which permits HTTPS communications between the client and the CDS. The SSL certificates are scoped to a specific hostname, so a unique SSL certificate is required for each CDS node. If SSL errors occur when connecting to a CDS, verify that the certificate’s common name is set to the fully qualified domain name (FQDN) of the CDS on which it is installed.

The CA certificate is used to verify that the entitlement certificate sent by the client as part of a yum request was signed by the cloud provider. This prevents a rogue instance from generating its own entitlement certificate for unauthorized use within RHUI.

4.3. Client certificates

Each client in the RHUI uses an entitlement certificate and private key as well as the cloud provider’s CA certificate.

The entitlement certificate and its private key enable information encryption from the CDS back to the client. Each client uses the entitlement certificate when connecting to the CDS to prove it has permission to download its packages. All clients use a single entitlement certificate.

The cloud provider’s CA certificate is used to verify the CDS’s SSL certificate when connecting to it. This ensures that a rogue instance is not impersonating the CDS and introducing potentially malicious packages into the client.

On the client, the CA certificate verifies the CDS’s SSL certificate, not the entitlement certificate. On the CDS node the roles are reversed: the SSL certificate and private key are used to encrypt data between the client and the CDS, and the CA certificate present on the CDS verifies that the CDS node should trust the entitlement certificate sent by the client.
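The trust model in sections 4.2 and 4.3, and the health check from section 4.1 (a repository request to each CDS presenting the entitlement certificate), can be exercised from a client with the following added diagnostic. It is example code written for this chapter, not part of RHUI or rhui-manager; the certificate paths, the repository path on the CDS and the CDS hostnames are assumptions.

```python
"""Added diagnostic (not part of RHUI): repeat the health check above (a
repository request to one CDS presenting the entitlement certificate) with the
standard library only, and map TLS failures to the checks the text gives."""
import http.client
import ssl

# Constructed placeholders; substitute the files from the RHUI installation.
CA_FILE = "/path/to/cloud-provider-ca.pem"
ENTITLEMENT_CERT = "/path/to/entitlement.crt"
ENTITLEMENT_KEY = "/path/to/entitlement.key"
REPO_PATH = "/protected/x86_64/os/repodata/repomd.xml"  # assumed path on the CDS

def make_client_context(cafile, certfile, keyfile):
    """Cloud provider's CA verifies the CDS SSL certificate (CN/SAN must match
    the FQDN); the entitlement certificate is presented for the CDS to verify."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def classify_verify_failure(reason):
    """Map an OpenSSL verification reason or TLS alert to the likely cause."""
    r = reason.lower()
    if "hostname mismatch" in r:
        return "cds-cn-mismatch"              # CDS certificate CN is not its FQDN
    if "expired" in r:
        return "certificate-expired"
    if "local issuer" in r or "self-signed" in r or "self signed" in r:
        return "untrusted-ca"                 # client lacks the provider's CA
    if "unknown ca" in r or "bad certificate" in r:
        return "entitlement-rejected-by-cds"  # CDS did not trust our certificate
    return "other"

def check_cds(fqdn, path=REPO_PATH, port=443, ctx=None):
    """Fetch repository metadata from one CDS; return (ok, detail)."""
    ctx = ctx or make_client_context(CA_FILE, ENTITLEMENT_CERT, ENTITLEMENT_KEY)
    conn = http.client.HTTPSConnection(fqdn, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        # Any HTTP reply means both certificates were accepted in the handshake;
        # a non-200 status is then a repository or entitlement problem.
        return conn.getresponse().status == 200, "HTTP reply received"
    except ssl.SSLCertVerificationError as exc:  # client could not verify CDS
        return False, classify_verify_failure(getattr(exc, "verify_message", str(exc)))
    except ssl.SSLError as exc:                  # alert sent by the CDS
        return False, classify_verify_failure(str(exc))
    except OSError as exc:
        return False, f"connection error: {exc}"
    finally:
        conn.close()
```

Run `check_cds("cds01.example.com")` for each CDS FQDN; a `cds-cn-mismatch` result is the case the text describes, where the certificate’s common name is not the FQDN of the CDS.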

4.3.1. Listing the entitled products for a certificate

The Entitlements Manager screen is used to list entitled products in the current Red Hat content certificates and to upload new certificates.

Procedure

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

    [root@rhua ~]# rhui-manager

  2. Press n to select manage Red Hat entitlement certificates.
  3. From the Entitlements Manager screen, press l to list data about the current content certificate:

    rhui (entitlements) => l
    
    Red Hat Enterprise Linux 8 for ARM 64 - AppStream (Debug RPMs) from RHUI
       Expiration: 02-27-2022     Certificate: c885597492374720bb5d398c3f65d1ed.pem
    
    Red Hat Enterprise Linux 8 for ARM 64 - AppStream (RPMs) from RHUI
       Expiration: 02-27-2022     Certificate: c885597492374720bb5d398c3f65d1ed.pem
    
    Red Hat Enterprise Linux 8 for ARM 64 - AppStream (Source RPMs) from RHUI
       Expiration: 02-27-2022     Certificate: c885597492374720bb5d398c3f65d1ed.pem
    
    Red Hat Enterprise Linux 8 for ARM 64 - BaseOS (Debug RPMs) from RHUI
       Expiration: 02-27-2022     Certificate: c885597492374720bb5d398c3f65d1ed.pem
    
    Red Hat Enterprise Linux 8 for ARM 64 - BaseOS (RPMs) from RHUI
       Expiration: 02-27-2022     Certificate: c885597492374720bb5d398c3f65d1ed.pem
    
    Red Hat Enterprise Linux 8 for ARM 64 - BaseOS (Source RPMs) from RHUI
       Expiration: 02-27-2022     Certificate: c885597492374720bb5d398c3f65d1ed.pem

Verification

  1. The screen lists the entitled products in the current Red Hat content certificates, with the expiration date and certificate file for each.

4.3.2. Listing custom repository entitlements

You can use the Entitlements Manager screen to list custom repository entitlements.

Procedure

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

    [root@rhua ~]# rhui-manager

  2. Press n to select manage Red Hat entitlement certificates.
  3. From the Entitlements Manager screen, press c to list data about the custom repository entitlements:

    rhui (entitlements) => c
    
    Custom Repository Entitlements
    For each entitlement URL listed, the corresponding repositories that are
    configured with that entitlement are listed.
    
    /protected/$basearch/os
    
    Name: Repo 1
    URL: protected/i386/os
    
    Name: Repo 2
    URL: protected/x86_64/os