How to use a certificate from a third party Certificate Authority (CA) with Red Hat Satellite 5.x or Red Hat Satellite Proxy

Solution Verified - Updated -

Environment

  • Red Hat Satellite 5.4 and later (not Satellite 6.x)
  • Red Hat Satellite Proxy 5.4 and later (not Satellite 6.x)

Issue

  • Need to use a third party Certificate Authority (CA) to sign a Red Hat Network (RHN) Proxy or Red Hat Satellite server's Apache SSL certificates

Resolution

Note: This procedure is for Satellite 5.x. For Satellite 6.x, see "How to setup Red Hat Satellite 6 with custom SSL certificates?".

  • Before making any changes on the Satellite server that involve a new CA certificate, back up the current CA certificate on both the Satellite server and the client systems.
    On the Satellite:
    # cp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT.bak
    On the clients:
    # cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.bak
  • Back up the existing SSL configuration on the server:
    # tar -cvjf /root/ssl-backup.tar.bz2 /etc/httpd/conf/ssl.* \
        /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem
  • Send the Certificate Signing Request (CSR) to the third-party CA for signing. The CSR is located at /root/ssl-build/<SATELLITE-HOSTNAME>/server.csr.
  • The CA will return a signed certificate file. It may be in Distinguished Encoding Rules (DER) format; DER files normally have a .DER or .CER extension. If so, convert it to PEM format:
    # openssl x509 -inform der -in <CERTIFICATE>.cer -out server.crt
  • Rename the certificate to server.crt and place it at /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt.
  • Depending on the environment, there may be several CA certificates (the root CA and one or more intermediate CAs). If so, combine them into a single file:
    # cat root_ca.crt intermediate_ca.crt > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  • Verify that the server certificate is valid based upon the Certificate Authority file (If this command does not return 'server.crt: OK', see the Diagnostic Steps section below):
    # openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt
  • Create a package with SSL certificates (run as root):
     # cd /root
     # rhn-ssl-tool --gen-server --rpm-only

        ...working...

        Generating web server's SSL key pair/set RPM:
            ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-2.src.rpm

        The most current RHN Proxy Server installation process against RHN hosted
        requires the upload of an SSL tar archive that contains the CA SSL public
        certificate and the web server's key set.

        Generating the web server's SSL key set and CA SSL public certificate archive:
             ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-archive-<SATELLITE-HOSTNAME>-1.0-2.tar

        Deploy the server's SSL key pair/set RPM:
              (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
              The "noarch" RPM needs to be deployed to the machine working as a
              web server, or RHN Satellite, or RHN Proxy.
              Presumably '<SATELLITE-HOSTNAME>'.
  • Take note of the filename the tool reports. The revision number is incremented each time the tool is run, and the file takes the form /root/ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm.
  • Install the package with the new certificates on the Satellite:
    # rpm -Uvh ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm
  • Store the new CA certificate in Satellite's database. This is crucial for provisioning to recognize the new certificate:
    # rhn-ssl-dbstore -vvv --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  • Create the Jabber server.pem:
     # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
     # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
     # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
  • Restart the Satellite or Proxy daemons:
    # rhn-satellite restart
    # rhn-proxy restart    (if using RHN Proxy)
  • Recreate the rhn-org-trusted-ssl-cert rpm for installation on clients:
    * Copy the CA's public cert to `/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT`.
    * Regenerate the RPM:

            # rhn-ssl-tool --gen-ca --dir /root/ssl-build/ --rpm-only
            ...working...
            Generating CA public certificate RPM:
                /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-5.src.rpm
                /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-5.noarch.rpm

            Make the public CA certificate publicly available:
                (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
                The "noarch" RPM and raw CA certificate can be made publicly accessible
                by copying it to the /var/www/html/pub directory of your RHN Satellite or
                Proxy server.
  • Now distribute the new CA certificate to the clients.

    Either run the following on each client system to pull the file (make sure any existing RHN-ORG-TRUSTED-SSL-CERT file is renamed before downloading the new certificate from the Satellite):

    # cd /usr/share/rhn/
    # wget http://satellite.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT

    Or run the following on the Satellite server to push the file to each client:

    # scp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT root@client:/usr/share/rhn/

Diagnostic Steps

  • Check to ensure that the date and time on the Red Hat Satellite is correct.
  • OpenSSL's error messages can be somewhat cryptic. Check the error against the OpenSSL manual (man 1 verify).
  • The certificates provided may have been generated on a non-UNIX platform and may contain unwanted control characters. Verify by running:
    # cat -vet <CERTIFICATE>.crt
    -----BEGIN CERTIFICATE-----^M$
    MIIGXzCCBUegAwIBAgIKYYVHzwAAAAAAMjANBgkqhkiG9w0BAQUFADBzMQswCQYD^M$
    VQQGEwJVUzEMMAoGA1UEChMDSk5KMSMwIQYDVQQLExpKTkogUHVibGljIEtleSBB^M$
    ...SNIPPED...
  • If there are Windows carriage returns at the end of each line (shown as ^M above), the file needs to be converted to UNIX format:
    # dos2unix <CERTIFICATE>.crt
  • Alternatively, if the dos2unix command isn't installed, the same conversion can be done with sed:
    # sed 's|\r||' -i <CERTIFICATE>.crt
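The following script is an added example, not part of the Red Hat solution, that bundles the checks from the Resolution steps (DER-to-PEM conversion, building the CA bundle, openssl verify) and the Diagnostic Steps (CRLF line endings) into reusable functions, and adds a key/certificate match check. All file paths are passed as arguments; nothing about the Satellite's own directory layout is assumed.

```shell
#!/bin/sh
# Pre-flight checks for a CA-signed Satellite certificate, run before
# 'rhn-ssl-tool --gen-server'. Added example, not part of the Red Hat
# solution; paths are passed as arguments (no fixed Satellite paths assumed).

# True when the file carries Windows CRLF line endings (the ^M that
# 'cat -vet' shows in the Diagnostic Steps), which openssl rejects.
has_crlf() {
    [ "$(tr -d '\r' < "$1" | wc -c)" -ne "$(wc -c < "$1")" ]
}

# Normalise a certificate file in place and print its original encoding:
# PEM files get CRLFs stripped (the dos2unix step); anything else is treated
# as DER and rewritten as PEM (the 'openssl x509 -inform der' step). The PEM
# header test runs first because binary DER may legitimately contain 0x0d bytes.
normalise_cert() {
    f="$1"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        if has_crlf "$f"; then
            tr -d '\r' < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        fi
        echo PEM
    else
        openssl x509 -inform der -in "$f" -out "$f.tmp" && mv "$f.tmp" "$f" || return 1
        echo DER-converted
    fi
}

# Concatenate the CA certificates (root first, then intermediates) into
# the RHN-ORG-TRUSTED-SSL-CERT bundle that clients will trust.
build_bundle() {   # build_bundle <bundle-out> <root.crt> [intermediate.crt ...]
    out="$1"; shift
    cat "$@" > "$out"
}

# True when 'openssl verify' reports OK, i.e. the bundle actually chains to
# the server certificate; anything else means the CA returned a different
# chain than expected or the bundle is missing an intermediate.
verify_server_cert() {   # verify_server_cert <bundle> <server.crt>
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when the private key (e.g. /etc/httpd/conf/ssl.key/server.key) belongs
# to the returned certificate; catches a certificate issued from a different
# CSR than the one that was sent to the CA.
key_matches_cert() {   # key_matches_cert <server.key> <server.crt>
    [ "$(openssl pkey -pubout -in "$1" 2>/dev/null)" = \
      "$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null)" ]
}
```

Source the file and run, for example, `verify_server_cert /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt && echo chain-ok` before creating the RPM.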

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

14 Comments

Thanks for this guide. I have a couple of comments and additions:

First there is a small typo in step 1. above: /etc/http should be /etc/httpd

Secondly, the server.pem file generated in step 4. also needs to be copied to
/etc/pki/spacewalk/jabberd/server.pem (at least on satellite 5.4)

Lastly I also created new rpms with the new CA cert and server cert:

1. Copy the CA's public cert to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
2. Copy the new server.crt and server.pem to /root/ssl-build/HOSTNAME
3. Create and copy/install new rhn-org-trusted-ssl-cert and rhn-org-httpd-ssl-key-pair-HOSTNAME rpms:
   rhn-ssl-tool --gen-ca --dir /root/ssl-build --rpm-only
   rhn-ssl-tool --gen-server --dir /root/ssl-build --rpm-only
   cp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm /var/www/html/pub/
   rpm -Uvh /root/ssl-build/HOSTNAME/rhn-org-httpd-ssl-key-pair-HOSTNAME-1.0-2.noarch.rpm

where HOSTNAME is your satellite's hostname

Hope this is helpful

/Lars

And what is the procedure if there are already systems deployed with the satellite server?

Then the new CA certificate will need to be installed on the client systems - please refer to guidelines on Documentation page here: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Network_Satellite/5.5/html-single/Client_Configuration_Guide/index.html#sect-Client_Configuration_Guide-SSL_Infrastructure-Deploying_the_CA_SSL_Public_Certificate_to_Clients

Is this an all or nothing configuration? Could I run two Certificates in parallel to allow me to migrate clients in an orderly fashion?

It took me hours to fix this....

PLEASE NOTE: For SATELLITE 5.5, the destination path for these steps is not right.

"Create the Jabber server.pem

cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem

cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem"

SHOULD BE (For RHN Satellite 5.5):
cp /etc/httpd/conf/ssl.key/server.key /etc/pki/spacewalk/jabberd/server.pem
cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/pki/spacewalk/jabberd/server.pem

Good luck! Red Hat needs better documentation on 3rd party certificate use.

Hi,

If you have specific feedback on issues with the documentation, we would love to hear it! Consider sharing it in the Satellite discussion group, here: https://access.redhat.com/groups/red-hat-network-satellite

I agree with TSC Sysadmin. This document leaves little to be desired. It has no continuity, consistency, and very little accuracy.

Thanks for the feedback, Steve - I think you mean it leaves much to be desired! I've flagged it for a review, so stay tuned.

Here's what I did:

rm -rf /root/ssl-build
rhn-ssl-tool --gen-ca --rpm-only # This builds the directory /root/ssl-build for you. It'll error but that's OK
cp <> /root/ssl-build//server.crt
cp <> /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
cp <> /root/ssl-build//server.key
cp <> /root/ssl-build//server.csr

rhn-ssl-tool --gen-server --rpm-only # this builds files in /root/ssl-build/
rhn-ssl-tool --gen-ca --rpm-only # this builds files /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
# and rhn-org-trusted-ssl-cert-1.0-1.src.rpm

You can then install the rhn-org-trusted-ssl-cert-1.0-1.src.rpm and 'rpmrebuild' the package for the appropriate version you want to distribute.

This solution is not accurate. Further, am I the only one that finds this methodology for managing private keys a bit strange - not necessarily following best practices?

Is there a place where I can go to find an accurate procedure?
What is the process for Satellite Proxies, do I need to generate a certificate for them also?

Do I really need to use these CSRs? I could just use my own, right? The built-in CSR does not follow the standard for state/province names, which should be spelled-out: Georgia is correct, not GA.

Altogether not big issues, but PKI is confusing enough as it is - it should done right so that it isn't confused further. Good thing you guys recommended backing up the files first!

Maybe I'm missing a step but what do I need to do if I need to generate a new csr?

I. Some missing info in the steps:

Where it says "This file is located in /root/ssl-build//server.csr ." This is wrong, it should say "/root/ssl-build/SATELLITE-HOSTNAME/server.csr"

II. Some incomplete steps:

a. Where it says: "Copy the CA's public cert to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT" The command to do this should say:

# cp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

b. Where it says: "Make the public CA certificate publicly available:
(NOTE: the RHN Satellite or Proxy installers may do this step for you.)
The "noarch" RPM and raw CA certificate can be made publicly accessible
by copying it to the /var/www/html/pub directory of your RHN Satellite or
Proxy server."

Satellite doesn't do this for you (at least 5.6 doesn't). The command to do this should say:

# cp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm /var/www/html/pub/

Hope this helps someone else.

Hi, I'm new to Satellite 5, but something seems to be missing here (or assumed.) I'm familiar with PKI, CA, CSRs, etc... so please hear me out...

Step 4 mentions sending the CSR to be signed. When was the CSR created? When were the public/private keys created? Is there an "rhn-ssl-tool" command to do this? Or should I be using raw "openssl" commands?

Thanks,
John

Is this verified/valid for Satellite 5.8?