Chapter 3. Creating an entitlement certificate and a client configuration RPM

RHUI uses entitlement certificates to ensure that the client making requests on the repositories is authorized by the cloud provider to access those repositories. The entitlement certificate must be signed by the cloud provider’s Certificate Authority (CA) Certificate. The CA Certificate is installed on the CDS as part of its configuration.

3.1. Creating a client entitlement certificate with the Red Hat Update Infrastructure Management Tool

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you decide how to subdivide your clients and create a separate certificate for each one. Each certificate can then be used to create individual RPMs.

Prerequisites

  • The entitlement certificate must be signed by the cloud provider’s CA Certificate.

Procedure

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

    [root@rhua ~]# rhui-manager
  2. Press e to select create entitlement certificates and client configuration RPMs.
  3. Press e to select generate an entitlement certificate.
  4. Select which repositories to include in the entitlement certificate by typing the number of the repository at the prompt. Typing the number of a repository places an x next to the name of that repository. Continue until all repositories you want to add have been checked.

    Important

    Include only repositories for a single RHEL version in a single entitlement. Adding repositories for multiple RHEL versions leads to an unusable yum configuration file.

  5. Press c at the prompt to confirm.
  6. Enter a name for the certificate. This name helps identify the certificate within the Red Hat Update Infrastructure Management Tool and is used to generate the names of the certificate and key files.

    Name of the certificate. This will be used as the name of the certificate file
    (name.crt) and its associated private key (name.key). Choose something that will
    help identify the products contained with it.
  7. Enter a path to save the certificate. Leave the field blank to save it to the current working directory.
  8. Enter the number of days the certificate should be valid for. Leave the field blank for 365 days. The details of the repositories to be included in the certificate display.

    Repositories to be included in the entitlement certificate:
    
      Red Hat Repositories
        Red Hat Enterprise Linux 8 for ARM 64 - AppStream (Debug RPMs) from RHUI
        Red Hat Enterprise Linux 8 for ARM 64 - AppStream (RPMs) from RHUI
        Red Hat Enterprise Linux 8 for ARM 64 - AppStream (Source RPMs) from RHUI
    
        Proceed? (y/n)
  9. Press y at the prompt to confirm the information and create the entitlement certificate.

Verification

  1. You will see a similar message if the entitlement certificate was created:

    ..........................+++++
    ....+++++
    Entitlement certificate created at ./rhel8-for-rhui4.crt
    
    ------------------------------------------------------------------------------

3.2. Creating a client entitlement certificate with the CLI

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you decide how to subdivide your clients and create a separate certificate for each one. Each certificate can then be used to create individual RPMs.

Prerequisites

  • The entitlement certificate must be signed by the cloud provider’s CA Certificate.

Procedure

  1. Use the following command to create an entitlement certificate from the RHUI CLI:

    # rhui-manager client cert --repo_label rhel-8-for-x86_64-appstream-eus-rhui-source-rpms --name rhuiclientexample --days 365 --dir /root/clientcert
    .............................................+++++
    ...............................................................................+++++
    Entitlement certificate created at /root/clientcert/rhuiclientexample.crt

    Note

    Use Red Hat repository labels, not IDs. To get a list of all labels, run the rhui-manager client labels command. If you include a protected custom repository in the certificate, use the repository’s ID instead.

Verification

  1. A similar message displays if you successfully created an entitlement certificate:

    Entitlement certificate created at /root/clientcert/rhuiclientexample.crt

3.3. Verifying whether the client entitlement certificate is compliant with the FUTURE cryptographic policy

You can verify which cryptographic policies your instance of RHUI is compliant with by checking the client entitlement certificate:

  • Certificates that are generated by RHUI versions 3.1 to 4.0 are compliant with FIPS and DEFAULT cryptographic policies.
  • Certificates that are generated by RHUI versions 4.1 and later are compliant with FIPS, DEFAULT and FUTURE cryptographic policies.

Prerequisites

  • Ensure that you know the location of the client entitlement certificate.

    The default location is /etc/pki/rhui/product/content.crt.

Procedure

  1. In your client RPM, or on the machine where the RPM is installed, run the following command specifying the path where the client entitlement certificate is stored:

    # openssl x509 -noout -text -in /etc/pki/rhui/product/content.crt | grep bit
  2. Check the RSA key length:

    • If the length is 2048 bits, then the client entitlement certificate is not compliant with the FUTURE policy.
    • If the length is 4096 bits, then the client entitlement certificate is compliant with the FUTURE policy.
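
The key-length check above, wrapped as a script that can be run over several certificates at once. This is an added example, not part of RHUI or of the original procedure; the function names and the sample text are constructed for illustration, and key sizes other than the two the procedure lists are flagged for manual review.

```shell
#!/bin/sh
# Added example: apply the section 3.3 key-length check to one or more
# entitlement certificates. Function names are illustrative, not RHUI tooling.

# Print the public key size in bits from `openssl x509 -noout -text` output
# read on stdin. Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1.1) and
# "Public-Key: (N bit)" (OpenSSL 3.x). Prints nothing if no such line exists.
key_bits() {
    sed -n '/Public-Key: ([0-9][0-9]* bit)/{
        s/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p
        q
    }'
}

# Map a key size to the verdict given in section 3.3. Sizes the page does not
# list are reported for manual review instead of being guessed.
future_verdict() {
    case "$1" in
        4096) echo "FUTURE-compliant" ;;
        2048) echo "not-FUTURE-compliant" ;;
        "")   echo "no-key-size-found" ;;
        *)    echo "review-manually" ;;
    esac
}

# Classify certificate text supplied on stdin.
verdict_from_text() {
    future_verdict "$(key_bits)"
}

# Constructed sample of the relevant openssl output lines (not a real cert).
SAMPLE_TEXT='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)'

# With no arguments, classify the constructed sample; otherwise classify each
# certificate path given, e.g. /etc/pki/rhui/product/content.crt.
if [ "$#" -eq 0 ]; then
    printf 'sample: %s\n' "$(printf '%s\n' "$SAMPLE_TEXT" | verdict_from_text)"
else
    for cert in "$@"; do
        printf '%s: %s\n' "$cert" \
            "$(openssl x509 -noout -text -in "$cert" 2>/dev/null | verdict_from_text)"
    done
fi
```

A result of no-key-size-found means openssl could not read the file or printed no Public-Key line, so check the path before drawing a conclusion about the policy.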

3.4. Changing the repository ID prefix in a client configuration RPM using the CLI

When creating RPMs, you can either set a custom repository ID prefix or remove it entirely. By default, the prefix is rhui-.

Procedure

  • On the RHUA node, use the RHUI installer command to set or remove the prefix:

    • Set a custom prefix:

      rhui-installer --rerun --client-repo-prefix CUSTOM_PREFIX
    • Remove the prefix entirely by using two quotation marks instead of the prefix:

      rhui-installer --rerun --client-repo-prefix ""

3.5. Creating a client configuration RPM with the Red Hat Update Infrastructure Management Tool

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you need to decide how to subdivide your clients and create a separate certificate for each one. You can then use each certificate to create individual RPMs for installation on the appropriate guest images.

Use this procedure to create RPMs with the RHUI Management Tool.

Procedure

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

    [root@rhua ~]# rhui-manager
  2. Press e to select create entitlement certificates and client configuration RPMs.
  3. From the Client Entitlement Management screen, press c to select create a client configuration RPM from an entitlement certificate.
  4. Enter the full path of a local directory to save the configuration files to:

    Full path to local directory in which the client configuration files generated by this tool
    should be stored (if this directory does not exist, it will be created):
  5. Enter the name of the RPM.
  6. Enter the version of the configuration RPM. The default version is 2.0.
  7. Enter the release of the configuration RPM. The default release is 1.
  8. Enter the full path to the entitlement certificate authorizing the client to access specific channels.
  9. Enter the full path to the private key for the entitlement certificate.
  10. Select any unprotected custom repositories to be included in the client configuration.
  11. Press c to confirm selections or ? for more commands.

Verification

  1. A similar message displays if the RPM was successfully created:

    Successfully created client configuration RPM.
    Location: /tmp/clientrpmtest-2.0/build/RPMS/noarch/clientrpmtest-2.0-1.noarch.rpm

3.6. Creating a client configuration RPM with the CLI

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you need to decide how to subdivide your clients and create a separate certificate for each one. You can then use each certificate to create individual RPMs for installation on the appropriate guest images.

Use this procedure to create RPMs with the CLI.

Procedure

  1. Use the following command to create an RPM with the RHUI CLI:

    # rhui-manager client rpm --entitlement_cert /root/clientcert/rhuiclientexample.crt --private_key /root/clientcert/rhuiclientexample.key --rpm_name clientrpmtest --dir /tmp --unprotected_repos unprotected_repo1
    Successfully created client configuration RPM.
    Location: /tmp/clientrpmtest-2.0/build/RPMS/noarch/clientrpmtest-2.0-1.noarch.rpm

    Note

    When using the CLI, you can also specify the URL of the proxy server to use with RHUI repositories, or you can use _none_ (including the underscores) to override any global yum settings on a client machine. To specify a proxy, use the --proxy parameter.

Verification

  1. A similar message displays if you successfully created a client configuration RPM:

    Successfully created client configuration RPM.
    Location: /tmp/clientrpmtest-2.0/build/RPMS/noarch/clientrpmtest-2.0-1.noarch.rpm