How to regenerate SSL keys and CA certificates on Red Hat Satellite 5.x or Red Hat Proxy 5.x

Solution Verified

Environment

  • Red Hat Satellite or Proxy 5

Issue

  • How do I regenerate the CA certificate and the SSL keys on a Red Hat Satellite server or Red Hat Satellite Proxy server?
  • How do I update the SSL keys on a Red Hat Satellite server or Red Hat Satellite Proxy server?
  • How do I generate new CA certificate?

Resolution

Prerequisites

  • Install the latest spacewalk-certs-tools package (or rhns-certs-tools for Satellite or Proxy versions prior to 5.3) on the server. This package is available from the Red Hat Network Tools child channel.
  • If the /root/ssl-build directory does not already exist, then create it and back up the existing SSL configuration on the server:

    # cd /root
    # mkdir ssl-build
    # tar -cvjf /root/ssl-backup.tar.bz2 /etc/httpd/conf/ssl.* /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem
    
  • There should only be one unique SSL build directory, no matter how many Proxy and Satellite servers have been deployed in your environment.
  • Check the expiration dates on the CA certificate and the server certificate, if they already exist. Replace HOSTNAME below with the fully-qualified domain name of the server in question, minus the domain. For example, a fully-qualified domain name of "satellite.lab.example.com" corresponds to a HOSTNAME of "satellite.lab".

    # openssl x509 -dates -noout -in /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    # openssl x509 -dates -noout -in /root/ssl-build/HOSTNAME/server.crt
    
  • Verify the CA password works:

    # openssl rsa -in /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
    Enter pass phrase for ssl-build/RHN-ORG-PRIVATE-SSL-KEY: [ENTER PASSWORD]
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    [snip]
    -----END RSA PRIVATE KEY-----
    
  • If the CA certificate has expired, or the CA password has been lost, then both the CA and the server keys will need to be regenerated. Otherwise, only the server keys need to be regenerated.
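The prerequisite checks above decide whether only the server keys or the CA too must be regenerated. As an added example, not part of the article, the shell helpers below turn the notAfter line printed by the same "openssl x509 -dates -noout" command into that decision. The 30-day warning threshold (WARN_DAYS) is an assumption, and the date arithmetic assumes GNU date.

```shell
#!/bin/bash
# Added example: classify a certificate from "openssl x509 -dates -noout" output.
# Exit status and printed verdict are the result; nothing here modifies the system.

# Convert a "notAfter=<date>" line into whole days remaining relative to now.
# Prints a negative number if the certificate has already expired. Assumes GNU date.
days_until_expiry() {
    local not_after="${1#notAfter=}"
    local expiry_epoch now_epoch
    expiry_epoch=$(date -u -d "$not_after" +%s) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Verdict as the article's prerequisites use it:
#   expired  -> CA (if it is the CA) and server keys must be regenerated
#   expiring -> plan the regeneration now (threshold WARN_DAYS, assumed 30)
#   ok       -> nothing to do yet
classify_cert() {
    local days
    days=$(days_until_expiry "$1") || { echo "unparseable"; return 1; }
    if [ "$days" -lt 0 ]; then
        echo "expired"
    elif [ "$days" -le "${WARN_DAYS:-30}" ]; then
        echo "expiring"
    else
        echo "ok"
    fi
}

# Read the dates from a certificate file and classify it. Real use on the server:
#   check_cert_file /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
#   check_cert_file /root/ssl-build/HOSTNAME/server.crt
check_cert_file() {
    local line
    line=$(openssl x509 -dates -noout -in "$1" | grep '^notAfter=') || return 1
    classify_cert "$line"
}
```

Run check_cert_file against both the CA certificate and each server certificate; an "expired" CA means the whole of Step 1 applies, while "expired" or "expiring" on a server certificate alone means only Step 2 is needed.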

Step 1: Regenerate the CA

  1. Remove the old SSL build:

    # cd /root
    # mkdir ssl-build-bak
    # mv ssl-build/* ssl-build-bak/
    
  2. Create the new CA (see "man rhn-ssl-tool" or "rhn-ssl-tool --gen-ca --help" for additional options to set the country, city, etc., fields of the CA):

    # rhn-ssl-tool --gen-ca
    
  3. Copy the new public CA certificate and its associated rpm to /var/www/html/pub:

    # rm -f /var/www/html/pub/{RHN-ORG-TRUSTED-SSL-CERT,rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm}
    # cp ssl-build/{RHN-ORG-TRUSTED-SSL-CERT,rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm} /var/www/html/pub/
    
  4. If the server is a Satellite, store the new public CA certificate in the database:

    # rhn-ssl-dbstore --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    
  5. Archive and store the ssl-build directory and the CA password in a secure location.

Step 2: Regenerate the server key pair

  1. For each Proxy or Satellite server:

    • Create the new server keys (FQDN must match the fully-qualified domain name of the server, which the client systems will use when connecting to it):

      # rhn-ssl-tool --gen-server --set-hostname=<FQDN> --set-country=<2 LETTER COUNTRY CODE> --set-state=<STATE OR PROVINCE> \
      --set-city=<CITY> --set-org=<ORGANIZATION OR COMPANY NAME> --set-org-unit=<ORGANIZATIONAL UNIT> --set-email=<EMAIL ADDRESS>
      
  2. Deploy each web server's set of SSL keys. On each Proxy and Satellite server:

    • Uninstall the previous keys:

      # rpm -e rhn-org-httpd-ssl-key-pair-<HOSTNAME>
      
    • Install the appropriate rpm on the server:

      # rpm -Uvh /root/ssl-build/HOSTNAME/rhn-org-httpd-ssl-key-pair-HOSTNAME-VERSION-RELEASE.noarch.rpm
      
    • Restart the Satellite or Proxy services:

      # rhn-satellite restart

      [or]

      # rhn-proxy restart
      
  3. If a new CA was created, deploy the new public CA certificate to all clients. On each client system (including Proxies connected to a Satellite or to another Proxy):

    • Install the CA certificate rpm:

      # rpm -Uvh http://FQDN/pub/rhn-org-trusted-ssl-cert-VERSION-RELEASE.noarch.rpm
      
    • Edit /etc/sysconfig/rhn/up2date, and make sure that the sslCACert setting is correct:

      sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
      
    • [For Proxy server only] Edit /etc/rhn/rhn.conf and verify the CA certificate setting:

      proxy.ca_chain = /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
      
    • [For Proxy server only] Restart Proxy services:

      # rhn-proxy restart
      
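After Step 2 (and the client deployment in item 3) a practitioner wants to confirm three things: that the new server certificate chains to the new CA, that the deployed private key belongs to that certificate, and that the CA file a client or a self-pointing Satellite trusts is byte-for-byte the one published in /var/www/html/pub. The shell functions below are an added example, not the article's or Red Hat's own tooling. The article's paths are used where it gives them; the deployed httpd key and certificate locations in the usage comment are assumptions to be checked against your ssl.conf, and make_demo_pki builds a throwaway CA and server certificate purely so the checks can run offline.

```shell
#!/bin/bash
# Added example: post-deployment checks for a regenerated Satellite/Proxy key pair.

# 1. Does the server certificate chain to the CA that clients will trust?
verify_chain() {            # verify_chain CA_CERT SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. Does the deployed private key belong to the certificate?
#    Compare hashes of the public key taken from each side.
key_matches_cert() {        # key_matches_cert SERVER_KEY SERVER_CERT
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 3. Is the CA file a client (or a self-pointing Satellite) trusts the same one
#    published in /var/www/html/pub? Compare SHA-256 fingerprints.
same_cert() {               # same_cert CERT_A CERT_B
    local a b
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed demo PKI (not real Satellite material): a throwaway CA, a server
# certificate it signed, and an unrelated "old" CA that clients must stop trusting.
make_demo_pki() {           # make_demo_pki DIR
    local d="$1"
    mkdir -p "$d" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=satellite.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" >/dev/null 2>&1 &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Old CA" \
        -keyout "$d/old-ca.key" -out "$d/old-ca.crt" >/dev/null 2>&1
}

# Real use on a server after Step 2 (HOSTNAME as in the article; the deployed
# httpd paths are an assumption, confirm them in your httpd SSL configuration):
#   verify_chain /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/HOSTNAME/server.crt
#   key_matches_cert /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt
#   same_cert /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
```

The third check is the one that catches the case raised in the comments: a Satellite that points at itself still reads /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT as a client, so that copy must match the newly published CA or registration and channel syncs will fail TLS verification.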


Comments

If it is a self-pointing Satellite, then /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT needs to be replaced as well with the newly generated cert.

What about Satellite 6.x?

Use katello-installer. Running it alone, since it uses Puppet behind the scenes, will re-deploy all certificates if someone changed them.

To forcefully regenerate certificates, use option --certs-regenerate. To forcefully regenerate CA certs, use option --certs-regenerate-ca.

To update or replace certs with your own or third-party ones, use the options --certs-server-ca-cert, --certs-server-cert, --certs-server-cert-req and --certs-server-key.

For more options, run katello-installer --help and see the section "= Module certs:".