How to register and subscribe a system offline to the Red Hat Customer Portal?

Solution Verified - Updated -


  • Red Hat Enterprise Linux
  • Red Hat Subscription Management (RHSM)
  • Red Hat Customer Portal


  • Why does the Offline system need to be registered with the Red Hat Customer portal?
  • How to register a new Offline Red Hat Enterprise Linux system to the Customer Portal?
  • How to register a system that is not connected to the internet?
  • How to register a disconnected system?
  • How to manually register a system to the Customer Portal?
  • How to create a system profile in Red Hat Subscription Management?
  • Subscription-manager list commands shows status as "Unknown" after registering systems offline
  • Subscription-manager status displays error message "Unknown" even after importing the correct certificates


  • Offline Registration of an "air-gapped" system is entirely optional. The only requirement is that the end-user maintain the appropriate number of product subscriptions to cover their deployment, and be able to provide data to support this on request. Red Hat products are provided on a per-instance or per-installation subscription basis, which gives customers access to all subscription benefits during the subscription term. This means that while customers have an active subscription for a Red Hat product, they must maintain subscriptions for each and every instance or installation of Red Hat software being used in their environment.
  • To register an "offline" or "air-gapped" system, you need to manually create a system profile using Red Hat Subscription Management (RHSM) in the Customer Portal. This profile serves as a placeholder and will not be connected to your actual system.

    1. Create a system profile: From the Systems page in RHSM, click the New button. Provide the required information to finish creating the new system profile.

    2. Attach subscriptions: In your newly created system profile, click the Subscriptions tab, and attach any subscriptions you want to use with the system.

    3. Download and import the entitlement certificate(s): From the "Subscriptions" tab on your system profile, click Download Certificates to download the entitlement certificate(s) for attached subscriptions. The downloaded archive will be in zip format and will be named similar to ''.

    # unzip -l 
    signed Candlepin export for d01bcb4f-8d59-433f-xxxx-0612dd2266db
    Length      Date    Time    Name
    ---------  ---------- -----   ----
      18091  05-07-2018 14:35
        512  05-07-2018 14:35   signature
    ---------                     -------
      18603                     2 files
    # unzip
  • This archive will contain another archive named ''. Extract the content and in the ./export/entitlement_certificates/ folder you will find your certificate(s) in PEM format.

    # unzip -l 
    Candlepin export for d01bcb4f-8d59-433f-xxxx-0612dd2266db
    Length      Date    Time    Name
    ---------  ---------- -----   ----
      23619  05-07-2018 14:35   export/entitlement_certificates/xxxx.pem
        137  05-07-2018 14:35   export/meta.json
    ---------                     -------
      23756                     2 files
    # unzip
  • Move these to the client system's /tmp directory.

    # subscription-manager import --certificate=/tmp/Name_Of_Downloaded_Entitlement_Cert.pem e.g. : # subscription-manager import --certificate=/tmp/xxxx.pem
  • This completes the registration of the offline system.

  • You can verify that entitlement certificates were successfully imported by reviewing: # subscription-manager list --consumed


When you register an online system via # subscription-manager register, it automatically creates a connected profile on the Customer Portal, whereas in offline registration, you are manually creating a disconnected profile on the Portal.

After following this procedure, your system profile in the Customer Portal will show a subscription status "Unknown" and the command # subscription-manager status will output "Unknown." This is the expected behavior. For more information, please refer Subscription status "Unknown" on system registered offline

If you want to update your air-gapped system, you can create a Local Repository and update your offline system by Referring to: Creating a Local Repository and Sharing With Disconnected/Offline/Air-gapped Systems [Primary Article]

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


Could you please add a method to import a spreadsheet of air-gapped systems, with socket, platform, processor, and subscription to associate with? Manually doing each system is tedious.

i have subscribed this certificate but after download receive file in PEM not zip. kindly advise.

Followed these instructions, said it created the files in the export folder, but there is no export solder to be found.

This documentation outdated.

While trying to move the extracted file to client system getting an error after the below command e.g # subscription-manager import --certificate=/tmp/936605213211386925.pem

Error:936605213211386925.pem: file not found Kindly let me knowwhat can be the issue

Does this same procedure work for RHEL8.1?

Hi Scott,

Yes, it is the same for RHEL 8.1.

Seems not to work for developer subscriptions. The "Create" button simply does not activate. Or am I missing something?

I believe that this should work no differently, you may want to check the permissions for your user on the account via:

Thanks a bunch Craig, Thank you for your reply. It turns out that the portal page now works and enables the creation of offline systems without need to add an user. I have a developer subscription I wanted to test the procedure with and finally managed to download and deploy the certificate today. Yesterday the "create" button refused to activate.

Is there a way to automate this tasks? For example with Ansible?

Hi Mario,
Have you found a solution by any chance, yet?

Looking for a solution, too.

Best regards,

hello, I followed the instructions to apply the cert to an air-gapped system. When I try the manual import, I receive an error "xxxxxx.pem is not a valid certificate file. Please use a valid certificate."

When I look at the pem file I can see the cert and key in it.

I had old certs in the /etc/pki/entitlement and /etc/pki/consumer directories that I removed.

Still have errors

I was using the ID cert instead of the subscription cert. The subscription cert is working

Hi All,

When I hit subscription-manager import --certificate=/tmp/xxxx.pem command, It says "cannot parse argument"

Have anyone faced this issue ?

I am using RHEL 8 on VMBOX as guest. My host is Windows. I have a Developer subscription. And I downloaded the necessary files. But I don't know where to put this file on my computer to make it readable by RHEL as a guest OS. If RHEL is guest on Windows, do you know where the tmp file of RHEL is?

Hi Hazal,

If you did not configure file sharing option of VBox of Oracle on the host between the guest and the host, you need to upload the files to the guest using sftp or scp, e.g using the winscp program (you have to download and install).


Jan Gerrit

Hi Jan, Thank you very much. I will try and update the comment.

Hi Jan,

Is there any way to configure file sharing option or USB connection of RHEL guest, way before the subscription? I feel like in a endless loop. If there is no way, I connect my computer to the internet someway but first I would like to be sure there is no other option.

Thank you,


Hi Hazal,

To get help setup file sharing between VBOX host (Windows) and RHEL guest please post your question on the Discussion Forum post.

You can follow the discussion.

Here we confuse people.


Jan Gerrit

You are right, thank you again.

Hello, i´ve done this on RHEL 8.4, but it still says "system not registered".

subscription-manager lists the consumed pem without any error. Anyone knows what to do next please?

Hi Stefan, did you ever find a solution to this issue?

Importing the certificate actualy does not activate any subscription and we still get problems\errors on trying to update from local repos or even from normal repos.

Are these instructions out of date? I downloaded a certificate today and only got a PEM file, not a ZIP archive. I tried to import the certificate and subscriptionmanager claimed it was not a valid certificate.

I was able to output a consumed list via #subscription-manager list --consumed. However when I try #subscription-manager attach --auto, output: 'This system is not yet registered. Try 'subscription-manager register --help' for more information.

For further clarity, will above steps help me register my rhel server to be able to complet yum/dnf update? This is on an offline(no network) system and already created a profile for this offline server but can't move forward with any *.rpm package installs. Any help would be greatly appreciated.

For the most part the above solution entitles your offline (no network) RHEL host. It does not set up any mechanism to use to patch the host nor allow the host to retrieve patches.

You have to go set up local RHEL repositories on your host so you can update it.

The above article mentions to read another article to do that:
Also read: