Chapter 3. Red Hat Update Infrastructure Installer

The Red Hat Update Infrastructure Installer is used to configure Red Hat Update Infrastructure and get it started. This is achieved through an answers file which you complete with information describing the environment in which Red Hat Update Infrastructure will be installed. Red Hat Update Infrastructure Installer will then create the configuration RPMs it needs. This configures and starts all the necessary services.
The Red Hat Update Infrastructure Installer performs the following tasks:
  • Configures httpd on the Red Hat Update Appliance and any CDS instances with SSL certificates
  • Installs a custom CA certificate that is used for authentication of users
  • Configures the Red Hat Update Appliance
  • Configures secure communication between the Red Hat Update Appliance and the CDS instances
Once Red Hat Update Infrastructure Installer has completed, use Red Hat Update Infrastructure Manager to interact with Red Hat Update Infrastructure.
This chapter explains how to perform an initial installation of Red Hat Update Infrastructure using Red Hat Update Infrastructure Installer. Ensure all the prerequisites described in Chapter 2, Installation Requirements have been met before attempting to install Red Hat Update Infrastructure.

3.1. Setting Up SSL

In order to use Red Hat Update Infrastructure you will need to purchase a root SSL certificate and a private key, and be able to generate SSL certificates of your own. This section outlines the basic skills you require to be able to perform these tasks.

Important

It is recommended that you sign the SSL certificates and the client entitlement certificates with different certificate authorities (CAs). However, if you choose to use the same CA to sign both certificates, ensure the serial numbers for all server-side SSL certificates are below 0100 to avoid conflicts within Red Hat Update Infrastructure.

3.1.1. Configuring SSL Certificates Manually

Users must be able to generate SSL certificates for secure communication between CDS instances and clients. The following steps detail the process of acquiring and generating SSL certificates for use in Red Hat Update Infrastructure manually.

Procedure 3.1. Configuring Red Hat Update Appliance SSL Certificates

  1. Acquire your company's root certificate and private key. Alternatively you can purchase one from a certificate authority (CA), or generate your own using tools such as openssl or genkey.
    The CA key and certificate enable you to create SSL keys and certificates for the Red Hat Update Appliance and the CDS, as well as sign the entitlement certificates for the clients to access the CDS instances.

    Note

    In this section, ca.key and ca.crt are the example names for the CA key and certificate.
  2. Create a file with the same name and in the same location as the CA certificate you have but using a .srl extension. The file should contain the text 10 only. This can be performed using the following command:
    # echo 10 > /home/example/certs/ca.srl
  3. Generate the Red Hat Update Appliance Server SSL key, using the following command:
    # openssl genrsa -out ssl_RHUA.key 2048
    
  4. Generate a certificate request using the openssl command:
    # openssl req -new -key ssl_RHUA.key -out ssl_RHUA.csr
    The tool will prompt you for further information, and then create an output file called ssl_RHUA.csr.
  5. Use the CSR file to create an SSL certificate for the Red Hat Update Appliance instance with the following command:
    # openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in ssl_RHUA.csr -out ssl_RHUA.crt
    In this example, ssl_RHUA.csr is the file created in the previous step, ca.crt is the certificate generated by the CA, ca.key is the CA certificate private key, and ssl_RHUA.crt is the name of the certificate file that will result from running this command.

Procedure 3.2. Configuring Content Delivery Server (CDS) SSL Certificates

  1. Generate the CDS SSL key, using the following command:
    # openssl genrsa -out ssl_cds01.key 2048
    
  2. Generate a certificate request using the openssl command:
    # openssl req -new -key ssl_cds01.key -out ssl_cds01.csr
    The tool will prompt you for further information, and then create an output file called ssl_cds01.csr.

    Important

    When entering the hostname for the .csr file, use the same hostname that clients will use to access the CDS. This is also the client hostname used in Procedure 3.3 Add a CDS Instance of the Administration guide.
  3. Use the CSR file to create SSL certificates for each CDS instance with the following command:
    # openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in ssl_cds01.csr -out ssl_cds01.crt

    Note

    It is recommended that you name the output files to correspond with the hostname of the CDS instance for which the request was created. For example, if the hostname for the CDS is cds01.example.com, the output files could be named ssl_cds01.key, ssl_cds01.csr, and ssl_cds01.crt. This will help avoid confusion when creating multiple CDS instances.
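
The following check is an added example, not part of the Red Hat documentation or tooling. It verifies a certificate produced by Procedure 3.1 or 3.2 against the points this section depends on: the chain to ca.crt, the key pairing, the hostname in the subject, and the serial number limit. The function names are hypothetical, and reading "0100" as a hexadecimal serial (the .srl file holds hexadecimal) is an assumption.

```shell
#!/bin/sh
# Added example: post-issuance checks for the certificates in Procedures 3.1/3.2.
# check_rhui_cert, make_demo_pki and demo are hypothetical helper names.

# check_rhui_cert CA_CERT CERT KEY HOSTNAME -> prints "ok" or the failed check
check_rhui_cert() {
    ca=$1; crt=$2; key=$3; host=$4
    # 1. The certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain"; return 1; }
    # 2. The private key must belong to the certificate (compare public keys).
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || { echo "key-mismatch"; return 1; }
    # 3. The subject CN must be the hostname clients use to reach the server.
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    case ",$subj," in *",CN=$host,"*) ;; *) echo "hostname"; return 1 ;; esac
    # 4. Serial below 0100 (assumed hex): at most two significant hex digits.
    serial=$(openssl x509 -in "$crt" -noout -serial | sed 's/^serial=0*//')
    [ "${#serial}" -le 2 ] || { echo "serial"; return 1; }
    echo "ok"
}

# make_demo_pki DIR HOST: constructed test data. A throwaway CA and one CDS
# certificate issued with the page's commands (-subj added so nothing prompts).
make_demo_pki() {
    dir=$1; host=$2
    ( cd "$dir" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
          -keyout ca.key -out ca.crt &&
      echo 10 > ca.srl &&
      openssl genrsa -out ssl_cds01.key 2048 &&
      openssl req -new -key ssl_cds01.key -subj "/CN=$host" -out ssl_cds01.csr &&
      openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key \
          -in ssl_cds01.csr -out ssl_cds01.crt ) >/dev/null 2>&1
}

# demo: issue a certificate for cds01.example.com, then check it against the
# right hostname and against a mistyped one.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" cds01.example.com || { rm -rf "$d"; return 1; }
    check_rhui_cert "$d/ca.crt" "$d/ssl_cds01.crt" "$d/ssl_cds01.key" cds01.example.com
    check_rhui_cert "$d/ca.crt" "$d/ssl_cds01.crt" "$d/ssl_cds01.key" cds1.example.com
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to see both outcomes, or call check_rhui_cert directly on your own ca.crt, certificate, unencrypted key and hostname.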

3.1.2. Configuring SSL Certificates Using the Automated Script

Users must be able to generate SSL certificates for secure communication between CDS instances and clients. The following steps detail the process of acquiring and generating SSL certificates for use in Red Hat Update Infrastructure using the automated script. Using the script reduces install time and reduces the chance of errors during the entry of the repetitive SSL information.

Procedure 3.3. Configuring SSL Certificates Using the Automated Script

  1. Generate the SSL certificates required for the Red Hat Update Infrastructure installation using the following command:
    # /usr/share/rh-rhua/rhui_certs/create_rhui_ssl_certs.sh RHUA_HOSTNAME CDS1_HOSTNAME

    Note

    If you do not wish to encrypt the keys, use the --noencrypt option.
    Additional hostnames can be added to the end of the command if SSL certificates are required for more than one CDS.
  2. You will be prompted for three separate passwords. These are for the root CA, the server CA and the client CA. Enter and confirm the passwords when prompted.

    Important

    Use different passwords for each CA and record the passwords in a secure location.