How to use a certificate from a third party Certificate Authority (CA) with Red Hat Satellite or Red Hat Satellite Proxy

Solution Verified - Updated -


  • Red Hat Satellite 5.4 and later (not 6.x)
  • Red Hat Satellite Proxy 5.4 and later (not 6.x)


  • Need to use a third party Certificate Authority (CA) to sign a Red Hat Network (RHN) Proxy or Red Hat Satellite server's Apache SSL certificates


Note: This procedure is for Satellite 5.x. Click here for Satellite 6.x.

  • Before making any changes on the Satellite server that involve a new CA certificate, take the backup of the CA certificate on the client systems and satellite server both.

On Satellite:-

     # cp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT.bak

On Clients:-

  # cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.bak
  • Back up the existing SSL configuration on the server. This should be done after installing a Satellite or Proxy server, but before registering any hosts or setting up any bootstrap scripts:
    # tar -cvjf /root/ssl-backup.tar.bz2 /etc/httpd/conf/ssl.* \ 
     /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem
  • Send the Certificate Signing Request (CSR) to the third-party CA to sign. This file is located in /root/ssl-build/<SATELLITE-HOSTNAME>/server.csr .
  • The CA will return a signed Certificate file. This certificate may be in Distinguished Encoding Rules (.DER) format. DER files normally have a file extension of .DER or .CER. If it is, it will need to be converted to .PEM format:
    # openssl x509 -inform der -in <CERTIFICATE>.cer -out server.crt
  • Rename the CRT and place it in /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt .
  • Depending on the environment, there may be multiple Certificate Authority certificates for the various root and intermediate certificate authorities. If so, they need to be combined to a single file:
    # cat root_ca.crt intermediate_ca.crt > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  • Verify that the server certificate is valid based upon the Certificate Authority file (If this command does not return 'server.crt: OK', see the Diagnostic Steps section below):
    # openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt
  • Create a package with SSL certificates (run as root):
     # cd /root
     # rhn-ssl-tool --gen-server --rpm-only


        Generating web server's SSL key pair/set RPM:

        The most current RHN Proxy Server installation process against RHN hosted
        requires the upload of an SSL tar archive that contains the CA SSL public
        certificate and the web server's key set.

        Generating the web server's SSL key set and CA SSL public certificate archive:

        Deploy the server's SSL key pair/set RPM:
              (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
              The "noarch" RPM needs to be deployed to the machine working as a
              web server, or RHN Satellite, or RHN Proxy.
              Presumably '<SATELLITE-HOSTNAME>'.
  • Take note of the filename that the tool provides. It is incremented each time the tool is run, and takes the form of /root/ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm .
  • Install the package with new certificates on satellite:-
    # rpm -Uvh ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm
  • Store the new CA certificate in Satellite's database. This is crucial for provisioning to recognize the new certificate:
    # rhn-ssl-dbstore -vvv --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  • Create the Jabber server.pem:
     # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
     # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
     # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
  • Restart the Satellite / Proxy daemons:
    # rhn-satellite restart
    # rhn-proxy restart    < If using RHN-Proxy
  • Recreate the rhn-org-trusted-ssl-cert rpm for installation on clients:
    * Copy the CA's public cert to `/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT`.
    * Regenerate the RPM:

            # rhn-ssl-tool --gen-ca --dir /root/ssl-build/ --rpm-only
            Generating CA public certificate RPM:

            Make the public CA certificate publicly available:
                (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
                The "noarch" RPM and raw CA certificate can be made publicly accessible
                by copying it to the /var/www/html/pub directory of your RHN Satellite or
                Proxy server.
  • Now push the new certificate on Clients:-

    If using configuration channels, run the following on the client:

    # rhncfg-client get /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

Otherwise, on the Satellite server:

    # scp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT root@client:/usr/share/rhn/

Diagnostic Steps

  • Check to ensure that the date and time on the Red Hat Satellite is correct.
  • OpenSSL's error messages can be somewhat cryptic. Reference the error against the OpenSSL manual (man 1 verify)
  • The certificates provided may have been generated on a non-UNIX platform and may have unwanted control characters in them. Verify by running:
# cat -vet <CERTIFICATE>.crt 

  • If there are Windows carriage returns at the end of each line (identified as the ^M) character above, the files will need to be converted to UNIX format:
# dos2unix <CERTIFICATE>.crt
  • Alternatively, if the dos2unix command isn't installed, this can be done with the sed command:
# sed  's|\r||' -i <CERTIFICATE>.crt

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.