The Rhn Ssl Maintenance Tool - Red Hat NETWORK 4.1.0 - CLIENT Configuration Manual

Client configuration
Certificate Authority (CA) SSL private key and public certificate — generally only one set
is generated per organization. The public certificate is digitally signed by its private
key. The public certificate is distributed to every system.

Web server SSL private key and public certificate — one set per application server. The
public certificate is digitally signed by both its private key and the CA SSL private key.
We often refer to a Web server's key set; this is because there is an intermediary SSL
certificate request that is generated. The details of what this is used for are not important
to this discussion. All three are deployed to an RHN Server.

Here's a scenario: If you have one RHN Satellite Server and five RHN Proxy Servers, you
will generate one CA SSL key pair and six Web server SSL key sets. The CA SSL public
certificate is distributed to all systems and used by all clients to establish a connection to
their respective upstream servers. Each server has its own SSL key set that is specifically
tied to that server's hostname and generated using its own SSL private key and the CA SSL
private key in combination. This establishes a digitally verifiable association between the
Web server's SSL public certificate and the CA SSL key pair and server's private key. The
Web server's key set cannot be shared with other web servers.
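
The scenario above, reproduced as an added example with plain OpenSSL commands (this is not rhn-ssl-tool and not code from the manual). The hostnames, subject fields, file layout and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (plain OpenSSL, not rhn-ssl-tool): one CA key pair, six server key sets.
# Hostnames, subject fields and the passphrase are constructed placeholders.
set -eu
CA_PASS='example-ca-passphrase'   # placeholder; keep the real one offline with the archive

# make_ca DIR: passphrase-protected CA private key and self-signed public certificate.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
        -passout "pass:$CA_PASS" -subj "/O=Example Org/CN=Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_server DIR HOSTNAME: server private key, certificate request, CA-signed certificate.
make_server() {
    mkdir -p "$1/$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$2" \
        -keyout "$1/$2/server.key" -out "$1/$2/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/$2/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$1/$2/server.crt" 2>/dev/null
}

# check_server CA_CERT SERVER_CERT HOSTNAME: true only if the certificate chains
# to that CA and was issued for that hostname (what a client checks on connect).
check_server() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# build_scenario DIR: one Satellite and five Proxies share one CA.
build_scenario() {
    make_ca "$1"
    for h in satellite proxy1 proxy2 proxy3 proxy4 proxy5; do
        make_server "$1" "$h.example.com"
    done
}
```

After sourcing the file, `build_scenario DIR` creates the seven key sets; `check_server` fails when one server's certificate is checked against another server's hostname or against a different CA certificate.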
Important
The most critical portion of this system is the CA SSL key pair. From that private key and
public certificate an administrator can regenerate any Web server's SSL key set. This CA
SSL key pair must be secured. It is highly recommended that once the entire RHN infrastructure
of servers is set up and running, you archive the SSL build directory generated
by this tool and/or the installers onto separate media, write down the CA password, and
secure the media and password in a safe place.

3.2. The RHN SSL Maintenance Tool

Red Hat Network provides a command line tool to ease management of your secure
infrastructure: the RHN SSL Maintenance Tool, commonly known by its command
rhn-ssl-tool. This tool is available as part of the rhns-certs-tools package.
This package can be found within the software channels for the latest RHN Proxy
Server and RHN Satellite Server (as well as the RHN Satellite Server ISO). The RHN SSL
Maintenance Tool enables you to generate your own Certificate Authority SSL key pair,
as well as Web server SSL key sets (sometimes called key pairs).
This tool is only a build tool. It generates all of the SSL keys and certificates that are
required. It also packages the files in RPM format for quick distribution and installation on
all client machines. It does not deploy them, however. That is left to the administrator, or
in many cases, automated by the RHN Satellite Server.

Chapter 3. SSL Infrastructure
