Table of Contents
Advertisement
Chapter 3. SSL Infrastructure
Satellite or Proxy. The RHN SSL Maintenance Tool allows you to generate a CA SSL key pair if
needed and re-use it for all subsequent RHN server deployments.
The build process automatically creates the key pair and public RPM for distribution to clients. All CA
components end up in the build directory specified at the command line, typically
(or
/etc/sysconfig/rhn/ssl
issue a command like this:
rhn-ssl-tool --gen-ca --password=MY_CA_PASSWORD --dir="/root/ssl-build" \
--set-state="North
--set-org-unit="SSL CA Unit"
Replace the example values with those appropriate for your organization. This will result in the fol-
lowing relevant files in the specified build directory:
•
RHN-ORG-PRIVATE-SSL-KEY
•
RHN-ORG-TRUSTED-SSL-CERT
•
rhn-org-trusted-ssl-cert-VER-REL.noarch.rpm
client systems. It contains the CA SSL public certificate (above) and installs it in this location:
/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
•
rhn-ca-openssl.cnf
— always lists the latest versions of the relevant files.
•
latest.txt
Once finished, you're ready to distribute the RPM to client systems. Refer to Section 3.3 Deploying
the CA SSL Public Certificate to Clients.
3.2.4. Generating Web Server SSL Key Sets
Although you must have a CA SSL key pair already generated, you will likely generate web server
SSL key sets more frequently, especially if more than one Proxy or Satellite is deployed. Note that the
value for
--set-hostname
certificates needs to be generated and installed for every distinct RHN server hostname.
The server certificate build process works much like CA SSL key pair generation with one exception:
All server components end up in subdirectories of the build directory that reflect the build system's
machine name, such as
command like this:
rhn-ssl-tool --gen-server --password=MY_CA_PASSWORD --dir="/root/ssl-build" \
--set-state="North
--set-org-unit="IS/IT" --email="admin@example.com" \
--set-hostname="rhnbox1.example.com
Replace the example values with those appropriate for your organization. This will result in the fol-
lowing relevant files in a machine-specific subdirectory of the build directory:
— the Web server's SSL private server key
•
server.key
— the Web server's SSL certificate request
•
server.csr
— the web server's SSL public certificate
•
server.crt
•
rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm
prepared for distribution to RHN Servers. Its associated src.rpm file is also generated. This RPM
contains the above three files. It will install them in these locations:
/etc/httpd/conf/ssl.key/server.key
•
for older Satellites and Proxies). To generate a CA SSL key pair,
Carolina" --set-city="Raleigh" --set-org="Example Inc." \
— the CA SSL private key
— the CA SSL public certificate
— the SSL CA configuration file
is different for each server. In other words, a distinct set of SSL keys and
/root/ssl-build/MACHINE_NAME
Carolina" --set-city="Raleigh" --set-org="Example
/root/ssl-build
— the RPM prepared for distribution to
. To generate server certificates, issue a
15
Inc." \
—
the
RPM
Advertisement
Table of Contents
Need help?
Do you have a question about the NETWORK 3.7 - CLIENT and is the answer not in the manual?
Questions and answers