
How to use a certificate from a third party Certificate Authority (CA) with Red Hat Satellite or Red Hat Network (RHN) Proxy?

Updated 2015-02-08T02:36:10+00:00

Issue

  • Need to use a third party Certificate Authority (CA) to sign a Red Hat Network (RHN) Proxy or Red Hat Satellite server's Apache SSL certificates

Environment

  • Red Hat Satellite version 5.4 or later
  • Red Hat Network (RHN) Proxy version 5.4 or later

Resolution

  • Before making any changes on the Satellite server that involve a new CA certificate, update the CA certificate bundle on the client systems. This can be done via a custom script to deploy the certificates, or from the Satellite by using Configuration Channels to deploy the new file to the clients.
# cp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT.bak
# cat <new public CA certificate files> > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT

-- if using configuration channels, run the following on the client:
# rhncfg-client get /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

-- otherwise, on the Satellite server:
# scp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT root@client:/usr/share/rhn/
  • After installing a Satellite or Proxy server, but before registering any hosts or setting up any bootstrap scripts, perform the following steps:
  • Back up the existing SSL configuration on the server:
# tar -cvjf /root/ssl-backup.tar.bz2 /etc/httpd/conf/ssl.* \
/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem
  • Send the Certificate Signing Request (CSR) to the third-party CA to sign. This file is located in /root/ssl-build/<SATELLITE-HOSTNAME>/server.csr .
  • The CA will return a signed certificate file. It may be in Distinguished Encoding Rules (DER) format; DER files normally have a .DER or .CER file extension. If so, it will need to be converted to PEM format:
# openssl x509 -inform der -in <CERTIFICATE>.cer -out server.crt
  • Rename the CRT and place it in /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt .
  • Depending on the environment, there may be multiple Certificate Authority certificates for the various root and intermediate certificate authorities. If so, they need to be combined to a single file:
# cat root_ca.crt intermediate_ca.crt > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  • Verify that the server certificate is valid based upon the Certificate Authority file:
# openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt
  • If the above command does not return 'server.crt: OK', see the Diagnostic Steps section below.
  • Create a package with SSL certificates. Run as root:
# cd /root
# rhn-ssl-tool --gen-server --rpm-only

...working...

Generating web server's SSL key pair/set RPM:
    ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-2.src.rpm

The most current RHN Proxy Server installation process against RHN hosted
requires the upload of an SSL tar archive that contains the CA SSL public
certificate and the web server's key set.

Generating the web server's SSL key set and CA SSL public certificate archive:
     ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-archive-<SATELLITE-HOSTNAME>-1.0-2.tar

Deploy the server's SSL key pair/set RPM:
      (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
      The "noarch" RPM needs to be deployed to the machine working as a
      web server, or RHN Satellite, or RHN Proxy.
      Presumably '<SATELLITE-HOSTNAME>'.

  • Take note of the filename that the tool provides. The revision number is incremented each time the tool is run, and the filename takes the form /root/ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm .
  • Install the package with new certificates:
# rpm -Uvh ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm
  • Store the new CA certificate in Satellite's database. This is crucial for provisioning to recognize the new certificate:
# rhn-ssl-dbstore -vvv --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  • Create the Jabber server.pem :
# cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
# cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
# cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
  • Restart the Satellite / Proxy daemons:
# rhn-satellite restart
# rhn-proxy restart
  • Recreate the rhn-org-trusted-ssl-cert rpm for installation on clients:
  • Copy the CA's public cert to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
  • Regenerate the RPM:
# rhn-ssl-tool --gen-ca --dir /root/ssl-build/ --rpm-only
...working...
Generating CA public certificate RPM:
    /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-5.src.rpm
    /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-5.noarch.rpm

Make the public CA certficate publically available:
    (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
    The "noarch" RPM and raw CA certificate can be made publically accessible
    by copying it to the /var/www/html/pub directory of your RHN Satellite or
    Proxy server.

Diagnostic Steps

  • Check to ensure that the date and time on the RH Satellite is correct.
  • OpenSSL's error messages can be somewhat cryptic; check the error against the OpenSSL manual (man 1 verify).
  • The certificates provided may have been generated on a non-UNIX platform and may have unwanted control characters in them. Verify by running:
# cat -vet <CERTIFICATE>.crt
-----BEGIN CERTIFICATE-----^M$
MIIGXzCCBUegAwIBAgIKYYVHzwAAAAAAMjANBgkqhkiG9w0BAQUFADBzMQswCQYD^M$
VQQGEwJVUzEMMAoGA1UEChMDSk5KMSMwIQYDVQQLExpKTkogUHVibGljIEtleSBB^M$

.......SNIPPED......
  • If there are Windows carriage returns at the end of each line (shown as the ^M character above), the file will need to be converted to UNIX format:
# dos2unix <CERTIFICATE>.crt
  • Alternatively, if the dos2unix command isn't installed, this can be done with the sed command:
# sed -i 's|\r||' <CERTIFICATE>.crt
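The following script ties the chain check from the Resolution section to the diagnostic steps above: it flags CRLF line endings in the server certificate and CA bundle, counts the certificates in the bundle, checks the certificate has not expired, and then runs the same openssl verify command. It is an added example, not part of the Red Hat article or its tooling; it assumes openssl, tr and wc are present as on a Satellite host, and the two file paths are passed as arguments.

```shell
#!/bin/sh
# Pre-flight checks for a CA-signed server.crt before running rhn-ssl-tool.
# Added example (not Red Hat's tooling); assumes openssl, tr and wc exist.
# Usage: preflight.sh <server.crt> <RHN-ORG-TRUSTED-SSL-CERT>

# Return 0 when the file contains CR bytes (the ^M that `cat -vet` shows).
has_crlf() {
    [ "$(tr -d '\r' < "$1" | wc -c)" -ne "$(wc -c < "$1")" ]
}

# Write a CR-free copy of $1 to $2; same result dos2unix gives in place.
strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# Number of PEM blocks in a file; a root + intermediate bundle gives 2 or more.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Checks in the order the diagnostic steps suggest: line endings first,
# then certificate dates, then the chain check from the resolution.
preflight() {
    cert=$1; bundle=$2; rc=0
    for f in "$cert" "$bundle"; do
        if has_crlf "$f"; then
            echo "FAIL: $f has CRLF line endings; convert it with dos2unix"; rc=1
        fi
    done
    echo "CA bundle contains $(count_certs "$bundle") certificate(s)"
    if ! openssl x509 -noout -checkend 0 -in "$cert"; then
        echo "FAIL: $cert has expired (also confirm the Satellite clock is right)"; rc=1
    fi
    if ! openssl verify -CAfile "$bundle" "$cert"; then
        echo "FAIL: chain verification failed; is every intermediate in the bundle?"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```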