Red Hat Knowledgebase

Article Reference

Article ID: 5410
Last update: 07-10-06
Issue:
How do I update SSL Keys and Certificates on an RHN Satellite or Proxy Server v3.6 to meet v3.7 specifications?
Resolution:

This document explains how to update the build tree structure of SSL keys and certificates for legacy RHN Satellite or Proxy v3.6 customers to v3.7 specifications. Many of the changes were not automated, hence this document.

Notes:

  • For detailed instructions regarding the use of rhn-ssl-tool, refer to the Client Configuration Guide at https://rhn.redhat.com/help/client-config/s1-certificate-rhnsmt.html.
  • There should only be one SSL build tree, no matter how many RHN Proxies and Satellites you have deployed. It is usually maintained on the top-level server in the RHN tree. This document adopts these assumptions.

Assumptions:

  • root user's present working directory is /root
  • All SSL information is in /root/ssl-build
  • CA password is known

Preparation

Install the latest rhns-certs-tools RPM on the server. This RPM can be acquired via the appropriate Red Hat Enterprise Linux AS Tools Channel.

Verify that you know your CA password (only useful if your password is 4 characters or longer):

# openssl rsa -in ssl-build/RHN-ORG-PRIVATE-SSL-KEY
Enter pass phrase for ssl-build/RHN-ORG-PRIVATE-SSL-KEY:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
cut
-----END RSA PRIVATE KEY-----

If you only want to reorganize the build tree to something that RHN Satellite and Proxy Servers version 3.7 expect:

# the machine directories live inside the SSL build tree
cd /root/ssl-build

# repeat for each RHN Proxy/Satellite server in your infrastructure:
cd MACHINE_NAME
# server.pem holds the certificate followed by the private key
cat server.crt server.key > server.pem
cd ..

# switch back to the /root directory
cd ..

# repeat for each RHN Proxy/Satellite server in your infrastructure:
rhn-ssl-tool --gen-server --rpm-only

...working...
Generating web server's SSL key pair/set RPM:
    ./ssl-build/doggie.rdu/rhn-org-httpd-ssl-key-pair-doggie.rdu-1.0-3.src.rpm
    ./ssl-build/doggie.rdu/rhn-org-httpd-ssl-key-pair-doggie.rdu-1.0-3.noarch.rpm
 
The most current RHN Proxy Server installation process against RHN hosted
requires the upload of an SSL tar archive that contains the CA SSL public
certificate and the web server's key set.
 
Generating the web server's SSL key set and CA SSL public certificate archive:
    ./ssl-build/doggie.rdu/rhn-org-httpd-ssl-archive-doggie.rdu-1.0-3.tar
 
Deploy the server's SSL key pair/set RPM:
    (NOTE: the RHN Satellite or Proxy installers may do this step for you.)
    The "noarch" RPM needs to be deployed to the machine working as a
    web server, or RHN Satellite, or RHN Proxy.
    Presumably 'doggie.rdu.redhat.com'.

You are finished. You now have updated server-side RPMs and tar archives for each of the RHN Satellites and Proxies within your organization. A file, server.pem, was added to those RPMs and tar archives. The other files were not changed. If you wish, you may deploy the new RPMs on each server for completion, but it is not necessary.

Archive and store that build directory in a safe place on removable media.
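
The server.pem step above, as an added example that is not part of the original article: a shell loop that builds server.pem in every machine directory of the build tree, first checking with openssl that server.key belongs to server.crt, and leaving the file readable by its owner only because it contains the private key. The function names are hypothetical; the directory layout follows the article's ssl-build/MACHINE_NAME assumption.

```shell
#!/bin/sh
# Added example: build server.pem for every machine directory in the SSL
# build tree, refusing directories whose key and certificate do not match.
# Function names are hypothetical; layout is BUILD_DIR/MACHINE_NAME/server.*.

# Public key of a certificate / of a private key, both as PEM text.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# build_server_pem DIR
# returns 0 = server.pem written, 1 = files missing, 2 = key/cert mismatch
build_server_pem() {
    dir=$1
    [ -f "$dir/server.crt" ] && [ -f "$dir/server.key" ] || return 1
    crt_pub=$(cert_pubkey "$dir/server.crt") || return 2
    key_pub=$(key_pubkey "$dir/server.key") || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || return 2
    # server.pem contains the private key: keep it readable by its owner only
    ( umask 077 && cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem" ) \
        && chmod 600 "$dir/server.pem"
}

# build_all BUILD_DIR
# prints one status line per machine directory, returns the mismatch count
build_all() {
    build_dir=$1
    failed=0
    for d in "$build_dir"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        st=0
        build_server_pem "$d" || st=$?
        case $st in
            0) echo "ok       $d/server.pem" ;;
            1) echo "skipped  $d (no server.crt/server.key)" ;;
            *) echo "MISMATCH $d (server.key does not match server.crt)"
               failed=$((failed + 1)) ;;
        esac
    done
    return "$failed"
}

# Run only when a build directory is given, e.g.: sh build-pem.sh /root/ssl-build
if [ "$#" -gt 0 ]; then
    build_all "$1"
fi
```

A non-zero exit status is the number of directories whose key and certificate disagree; no server.pem is written for those.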

