How to use a certificate from a third party Certificate Authority (CA) with Red Hat Satellite or Red Hat Satellite Proxy

Updated 2015-04-27T22:34:07+00:00

Issue

  • Need to use a third party Certificate Authority (CA) to sign a Red Hat Network (RHN) Proxy or Red Hat Satellite server's Apache SSL certificates

Environment

  • Red Hat Satellite 5.4 and later (not 6.x)
  • Red Hat Satellite Proxy 5.4 and later (not 6.x)

Resolution

Note: This procedure is for Satellite 5.x only. Satellite 6.x uses a different procedure, covered in a separate Red Hat article.

  1. Before making any changes on the Satellite server that involve a new CA certificate, update the CA certificate bundle on the client systems. Clients that still trust only the old CA will stop talking to the Satellite the moment it presents a certificate signed by the new CA. The bundle is a plain concatenation of PEM certificates, so if the old CA must remain trusted during the transition, include the backup copy made below among the files concatenated. The new bundle can be deployed via a custom script, or from the Satellite by using Configuration Channels to deploy the new file to the clients. Prepare it on the Satellite server:

    # cp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT.bak
    # cat <new public CA certificate files> > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    
  2. If using configuration channels, run the following on the client:

        # rhncfg-client get /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    

    Otherwise, on the Satellite server:

        # scp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT root@client:/usr/share/rhn/
    
  3. Back up the existing SSL configuration on the server. Ideally this is done right after installing a Satellite or Proxy server, before registering any hosts or setting up any bootstrap scripts. The archive contains the server's private key, so keep it readable by root only:

    # tar -cvjf /root/ssl-backup.tar.bz2 /etc/httpd/conf/ssl.* \
        /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem
    
  4. Send the Certificate Signing Request (CSR) to the third-party CA to sign. This file is located in /root/ssl-build/<SATELLITE-HOSTNAME>/server.csr .
  5. The CA will return a signed certificate file. It may be in Distinguished Encoding Rules (DER) format. DER files commonly have a .der or .cer extension, but the extension is not a reliable indicator: a PEM file is text beginning with the line -----BEGIN CERTIFICATE-----, while a DER file is binary. If the file is DER, convert it to PEM:

    # openssl x509 -inform der -in <CERTIFICATE>.cer -outform pem -out server.crt
    
  6. Place the PEM-encoded certificate at /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt (the file name server.crt is required).
  7. Depending on the environment, there may be multiple Certificate Authority certificates for the various root and intermediate certificate authorities. Every CA certificate in the server certificate's chain must be present, so combine them into a single PEM file:

    # cat root_ca.crt intermediate_ca.crt > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    
  8. Verify that the server certificate is valid based upon the Certificate Authority file (If this command does not return 'server.crt: OK', see the Diagnostic Steps section below):

    # openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/<SATELLITE-HOSTNAME>/server.crt
    
  9. Create a package with SSL certificates (run as root):

    # cd /root
    # rhn-ssl-tool --gen-server --rpm-only
    
    ...working...
    
    Generating web server's SSL key pair/set RPM:
        ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-2.src.rpm
    
    The most current RHN Proxy Server installation process against RHN hosted
    requires the upload of an SSL tar archive that contains the CA SSL public
    certificate and the web server's key set.
    
    Generating the web server's SSL key set and CA SSL public certificate archive:
         ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-archive-<SATELLITE-HOSTNAME>-1.0-2.tar
    
    Deploy the server's SSL key pair/set RPM:
          (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
          The "noarch" RPM needs to be deployed to the machine working as a
          web server, or RHN Satellite, or RHN Proxy.
          Presumably '<SATELLITE-HOSTNAME>'.
    
  10. Take note of the filename that the tool provides. It is incremented each time the tool is run, and takes the form of /root/ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm .
  11. Install the package with new certificates:

    # rpm -Uvh ./ssl-build/<SATELLITE-HOSTNAME>/rhn-org-httpd-ssl-key-pair-<SATELLITE-HOSTNAME>-1.0-<REVISION>.noarch.rpm
    
  12. Store the new CA certificate in Satellite's database. This is crucial for provisioning to recognize the new certificate:

    # rhn-ssl-dbstore -vvv --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    
  13. Create the Jabber server.pem, which is the server's private key followed by its certificate. Because the file contains the private key, confirm afterwards with ls -l that it is not world-readable and that its ownership matches the original file backed up in step 3:

    # cp /etc/httpd/conf/ssl.key/server.key /etc/jabberd/server.pem
    # cat /etc/httpd/conf/ssl.crt/server.crt >> /etc/jabberd/server.pem
    # cp /etc/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem
    
  14. Restart the daemons so that they pick up the new certificate. On a Satellite server:

    # rhn-satellite restart
    
    On a Proxy server:

    # rhn-proxy restart
    
  15. Recreate the rhn-org-trusted-ssl-cert rpm for installation on clients, so that newly bootstrapped systems trust the new CA:

    • Copy the CA bundle created in step 7 (/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT) to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT.
    • Regenerate the RPM, then copy the resulting noarch RPM to /var/www/html/pub as the tool's output describes:

      # rhn-ssl-tool --gen-ca --dir /root/ssl-build/ --rpm-only
      ...working...
      Generating CA public certificate RPM:
          /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-5.src.rpm
          /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-5.noarch.rpm
      
      Make the public CA certificate publicly available:
          (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
          The "noarch" RPM and raw CA certificate can be made publicly accessible
          by copying it to the /var/www/html/pub directory of your RHN Satellite or
          Proxy server.
      

Diagnostic Steps

  • Check that the date and time on the Red Hat Satellite are correct: certificate validity periods are checked against the system clock.
  • OpenSSL's error messages can be somewhat cryptic. Reference the error against the OpenSSL manual (man 1 verify).
  • The certificates provided may have been generated on a non-UNIX platform and may contain unwanted control characters. Verify by running:

    # cat -vet <CERTIFICATE>.crt
    -----BEGIN CERTIFICATE-----^M$
    MIIGXzCCBUegAwIBAgIKYYVHzwAAAAAAMjANBgkqhkiG9w0BAQUFADBzMQswCQYD^M$
    VQQGEwJVUzEMMAoGA1UEChMDSk5KMSMwIQYDVQQLExpKTkogUHVibGljIEtleSBB^M$
    .......SNIPPED......

  • If there are Windows carriage returns at the end of each line (shown as ^M before the $ above), the files will need to be converted to UNIX format:

    # dos2unix <CERTIFICATE>.crt

  • Alternatively, if the dos2unix command isn't installed, this can be done with GNU sed (the \r escape is a GNU extension):

    # sed 's|\r||' -i <CERTIFICATE>.crt
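
The following bash helpers are an added example and are not part of the Red Hat article or of the rhn-ssl-tool package. They automate the certificate-handling parts of the procedure above: detecting whether a CA-supplied file is DER or PEM and converting it (step 5), stripping Windows carriage returns (Diagnostic Steps), building the combined CA bundle (step 7) and verifying the server certificate against it (step 8). make_test_chain generates a throwaway root, intermediate and server certificate so the script runs offline; the hostname satellite.example.com, the CA names and all file names are constructed test data.

```shell
#!/bin/bash
# Added example, not code from the Red Hat article: helpers for the
# certificate-handling steps of the procedure. All file names and the
# hostname used in the test chain are illustrative.
set -u

# Step 5: PEM is text and starts with an armour line; DER is binary.
is_pem() {
    head -c 10 "$1" 2>/dev/null | grep -q '^-----BEGIN'
}

# Diagnostic Steps: true when the file contains CR characters (the ^M shown by cat -vet).
has_crlf() {
    [ $(( $(tr -cd '\r' < "$1" | wc -c) )) -gt 0 ]
}

# Write a PEM copy of a certificate supplied in either DER or PEM form,
# with CRLF line endings normalised to LF (same effect as dos2unix).
# Usage: to_pem <input> <output.pem>
to_pem() {
    if is_pem "$1"; then
        tr -d '\r' < "$1" > "$2"
    else
        openssl x509 -inform der -in "$1" -outform pem -out "$2"
    fi
}

# Step 7: concatenate root and intermediate CA certificates into one bundle.
# Usage: build_ca_bundle <bundle> <ca-cert.pem>...
build_ca_bundle() {
    local bundle=$1 cert
    shift
    : > "$bundle"
    for cert in "$@"; do
        is_pem "$cert" || { echo "build_ca_bundle: $cert is not PEM" >&2; return 1; }
        tr -d '\r' < "$cert" >> "$bundle"
    done
}

# Step 8: does the server certificate chain to a CA in the bundle?
# Returns openssl's exit status, so it can be used directly in an if.
# Usage: verify_server_cert <bundle> <server.crt>
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: a throwaway root -> intermediate -> server chain
# written into directory $1. Not real CA material.
make_test_chain() {
    local d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 2 -days 2 \
        -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=satellite.example.com' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -set_serial 3 -days 2 \
        -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
}

# Walk through steps 7 and 8 on the test chain: a bundle holding root and
# intermediate verifies; a bundle holding the root alone does not.
demo() {
    local d
    d=$(mktemp -d)
    make_test_chain "$d"
    build_ca_bundle "$d/RHN-ORG-TRUSTED-SSL-CERT" "$d/root.crt" "$d/inter.crt"
    verify_server_cert "$d/RHN-ORG-TRUSTED-SSL-CERT" "$d/server.crt" \
        && echo "full bundle:      server.crt: OK"
    build_ca_bundle "$d/root-only" "$d/root.crt"
    verify_server_cert "$d/root-only" "$d/server.crt" \
        || echo "root-only bundle: server.crt: FAILED (intermediate missing)"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run the script with --demo to see both outcomes. The second verification fails on purpose: a bundle containing only the root CA cannot validate a server certificate issued by an intermediate, which is the most common reason step 8 does not print 'server.crt: OK'. The same build_ca_bundle call is what a client-side bundle for step 1 needs, with the old and new CA certificates passed together.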