SSL Generation Explained - Red Hat NETWORK SATELLITE 5.3.0 - CLIENT Configuration Manual


• During installation of an RHN Satellite Server - all SSL settings are configured during the installation process. The SSL keys and certificate are built and deployed automatically.
• During installation of an RHN Proxy Server version 3.6 or later if connected to an RHN Satellite Server version 3.6 or later as its top-level service - the RHN Satellite Server contains all of the SSL information needed to configure, build and deploy the RHN Proxy Server's SSL keys and certificates.

The installation procedures of both the RHN Satellite Server and the RHN Proxy Server ensure the CA SSL public certificate is deployed to the /pub directory of each server. This public certificate is used by the client systems to connect to the RHN Server. Refer to Section 3.3, "Deploying the CA SSL Public Certificate to Clients" for more information.

In short, if your organization's RHN infrastructure deploys the latest version of RHN Satellite Server as its top-level service, you will likely have little need to use the tool. Otherwise, become familiar with its usage.

3.2.1. SSL Generation Explained

The primary benefits of using the RHN SSL Maintenance Tool are security, flexibility, and portability.

Security is achieved through the creation of distinct Web server SSL keys and certificates for each RHN server, all signed by a single Certificate Authority SSL key pair created by your organization. Flexibility is supplied by the tool's ability to work on any machine that has the rhns-certs-tools package installed. Portability exists in a build structure that can be stored anywhere for safe keeping and then installed wherever the need arises.

Again, if your infrastructure's top-level RHN Server is the most current RHN Satellite Server, the most you may have to do is restore your ssl-build tree from an archive to the /root directory and utilize the configuration tools provided within the RHN Satellite Server's website.

To make the best use of the RHN SSL Maintenance Tool, complete the following high-level tasks in roughly this order. Refer to the remaining sections for the required details:

1. Install the rhns-certs-tools package on a system within your organization, perhaps but not necessarily the RHN Satellite Server or RHN Proxy Server.
2. Create a single Certificate Authority SSL key pair for your organization and install the resulting RPM or public certificate on all client systems.
3. Create a Web server SSL key set for each of the Proxies and Satellites to be deployed and install the resulting RPMs on the RHN Servers, restarting the httpd service afterwards:

   /sbin/service httpd restart

4. Archive the SSL build tree - consisting of the primary build directory and all subdirectories and files - to removable media, such as a floppy disk. (Disk space requirements are insignificant.)
5. Verify and then store that archive in a safe location, such as the one described for backups in the Additional Requirements sections of either the Proxy or Satellite installation guide.
6. Record and secure the CA password for future use.
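
Steps 4 and 5 as an added shell example (not taken from the Red Hat manual): it archives a build tree with owner-only permissions, records a SHA-256 digest, and verifies the archive by extracting it and comparing it with the original tree. The function names and the /mnt/backup destination are assumptions; pass absolute paths.

```shell
#!/bin/sh
# Added example for steps 4 and 5. Function names are hypothetical;
# BUILD_DIR and ARCHIVE are absolute paths supplied by the caller.

# archive_ssl_build BUILD_DIR ARCHIVE
# Writes ARCHIVE (tar.gz) and ARCHIVE.sha256, both owner-only, because
# the build tree holds the CA private key.
archive_ssl_build() {
    build_dir=$1
    archive=$2
    [ -d "$build_dir" ] || { echo "not a directory: $build_dir" >&2; return 1; }
    (
        umask 077
        tar -C "$(dirname "$build_dir")" -czf "$archive" "$(basename "$build_dir")" &&
            cd "$(dirname "$archive")" &&
            sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256"
    )
}

# verify_ssl_archive BUILD_DIR ARCHIVE
# Passes only if the archive matches its recorded digest and every file
# extracted from it has the same content as the file in BUILD_DIR.
verify_ssl_archive() {
    build_dir=$1
    archive=$2
    ( cd "$(dirname "$archive")" &&
        sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
    scratch=$(mktemp -d) || return 1
    rc=0
    { tar -C "$scratch" -xzf "$archive" &&
        diff -r "$build_dir" "$scratch/$(basename "$build_dir")" >/dev/null; } || rc=$?
    rm -rf "$scratch"   # the scratch copy also contains the private key
    return "$rc"
}

# Run as: sh archive-ssl-build.sh /root/ssl-build /mnt/backup/ssl-build.tar.gz
# (the destination path is an assumption)
if [ "$#" -eq 2 ]; then
    archive_ssl_build "$1" "$2" && verify_ssl_archive "$1" "$2" && echo "archive verified"
fi
```

Keep the .sha256 file with the archive so the digest can be rechecked before any later restore.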