Generating Web Server Ssl Key Sets; Deploying The Ca Ssl Public Certificate To Clients - Red Hat NETWORK SATELLITE 5.2 - CLIENT Configuration Manual

Chapter 3. SSL Infrastructure

3.2.4. Generating Web Server SSL Key Sets

Although you must have a CA SSL key pair already generated, you will likely generate web server
SSL key sets more frequently, especially if more than one Proxy or Satellite is deployed. Note that the
value for --set-hostname is different for each server. In other words, a distinct set of SSL keys and
certificates must be generated and installed for every distinct RHN server hostname.
The server certificate build process works much like CA SSL key pair generation with one exception:
All server components end up in subdirectories of the build directory that reflect the build system's
machine name, such as /root/ssl-build/MACHINE_NAME. To generate server certificates, issue a
command like this:
rhn-ssl-tool --gen-server --password=MY_CA_PASSWORD --dir="/root/
ssl-build" \ --set-state="North Carolina" --set-city="Raleigh"
--set-org="Example Inc." \ --set-org-unit="IS/IT" --set-
email="admin@example.com" \ --set-hostname="rhnbox1.example.com
Replace the example values with those appropriate for your organization. This will result in the
following relevant files in a machine-specific subdirectory of the build directory:
• server.key — the Web server's SSL private server key
• server.csr — the Web server's SSL certificate request
• server.crt — the web server's SSL public certificate
• rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm — the RPM
prepared for distribution to RHN Servers. Its associated src.rpm file is also generated. This RPM
contains the above three files. It will install them in these locations:
• /etc/httpd/conf/ssl.key/server.key
• /etc/httpd/conf/ssl.csr/server.csr
• /etc/httpd/conf/ssl.crt/server.crt
• rhn-server-openssl.cnf — the Web server's SSL configuration file
• latest.txt — always lists the latest versions of the relevant files.
Once finished, you're ready to distribute and install the RPM on its respective RHN Server. Note that
the httpd service must be restarted after installation:
/sbin/service httpd restart

3.3. Deploying the CA SSL Public Certificate to Clients

Both the RHN Proxy Server and RHN Satellite Server installation processes make client deployment
relatively easy by generating a CA SSL public certificate and RPM. These installation processes make
those publicly available by placing a copy of one or both into the /var/www/html/pub/ directory of
the RHN Server.
This public directory can be inspected easily by simply browsing to it via any web browser: http://
proxy-or-sat.example.com/pub/.
18