- Need to use a third party Certificate Authority (CA) to sign a Red Hat Network (RHN) Proxy or Red Hat Satellite server's Apache SSL certificates
- Red Hat Satellite 5.4 and later (not 6.x)
- Red Hat Satellite Proxy 5.4 and later (not 6.x)
Note: This procedure is for Satellite 5.x. Click here for Satellite 6.x.
- Before making any changes on the Satellite server that involve a new CA certificate, take the backup of the CA certificate on the client systems and satellite server both.
# cp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT.bak
# cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.bak
- Back up the existing SSL configuration on the server. This should be done after installing a Satellite or Proxy server, but before registering any hosts or setting up any bootstrap scripts:
# tar -cvjf /root/ssl-backup.tar.bz2 /etc/httpd/conf/ssl.* \ /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem
- Send the Certificate Signing Request (CSR) to the third-party CA to sign. This file is located in
- The CA will return a signed Certificate file. This certificate may be in Distinguished Encoding Rules (.DER) format. DER files normally have a file extension of .DER or .CER. If it is, it will need to be converted to .PEM format:
# openssl x509 -inform der -in <CERTIFICATE>.cer -out server.crt
- Rename the CRT and place it in
- Depending on the environment, there may be multiple Certificate Authority certificates for the various root and intermediate certificate authorities. If so, they need to be combined to a single file:
# cat root_ca.crt intermediate_ca.crt > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
- Verify that the server certificate is valid based upon the Certificate Authority file (If this command does not return 'server.crt: OK', see the Diagnostic Steps section below):
# openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt
- Create a package with SSL certificates (run as root):
# cd /root # rhn-ssl-tool --gen-server --rpm-only ...working... Generating web server's SSL key pair/set RPM: ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-2.src.rpm The most current RHN Proxy Server installation process against RHN hosted requires the upload of an SSL tar archive that contains the CA SSL public certificate and the web server's key set. Generating the web server's SSL key set and CA SSL public certificate archive: ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-archive-<SATELLITE-HOSTNAME>-1.0-2.tar Deploy the server's SSL key pair/set RPM: (NOTE: the RHN Satellite or Proxy installers may do this step for you.) The "noarch" RPM needs to be deployed to the machine working as a web server, or RHN Satellite, or RHN Proxy. Presumably '<SATELLITE-HOSTNAME>'.
- Take note of the filename that the tool provides. It is incremented each time the tool is run, and takes the form of
- Install the package with new certificates on satellite:-
# rpm -Uvh ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm
- Store the new CA certificate in Satellite's database. This is crucial for provisioning to recognize the new certificate:
# rhn-ssl-dbstore -vvv --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
- Create the Jabber
# cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
- Restart the Satellite / Proxy daemons:
# rhn-satellite restart # rhn-proxy restart < If using RHN-Proxy
- Recreate the
rhn-org-trusted-ssl-certrpm for installation on clients:
* Copy the CA's public cert to `/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT`. * Regenerate the RPM: # rhn-ssl-tool --gen-ca --dir /root/ssl-build/ --rpm-only ...working... Generating CA public certificate RPM: /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-5.src.rpm /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-5.noarch.rpm Make the public CA certificate publicly available: (NOTE: the RHN Satellite or Proxy installers may do this step for you.) The "noarch" RPM and raw CA certificate can be made publicly accessible by copying it to the /var/www/html/pub directory of your RHN Satellite or Proxy server.
Now push the new certificate on Clients:-
If using configuration channels, run the following on the client:
# rhncfg-client get /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
Otherwise, on the Satellite server:
# scp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT root@client:/usr/share/rhn/
- Check to ensure that the date and time on the Red Hat Satellite is correct.
- OpenSSL's error messages can be somewhat cryptic. Reference the error against the OpenSSL manual (man 1 verify)
- The certificates provided may have been generated on a non-UNIX platform and may have unwanted control characters in them. Verify by running:
# cat -vet <CERTIFICATE>.crt -----BEGIN CERTIFICATE-----^M$ MIIGXzCCBUegAwIBAgIKYYVHzwAAAAAAMjANBgkqhkiG9w0BAQUFADBzMQswCQYD^M$ VQQGEwJVUzEMMAoGA1UEChMDSk5KMSMwIQYDVQQLExpKTkogUHVibGljIEtleSBB^M$ .......SNIPPED......
- If there are Windows carriage returns at the end of each line (identified as the ^M) character above, the files will need to be converted to UNIX format:
# dos2unix <CERTIFICATE>.crt
- Alternatively, if the dos2unix command isn't installed, this can be done with the sed command:
# sed 's|\r||' -i <CERTIFICATE>.crt