SUSE Manager/Certificate

From MicroFocusInternationalWiki

This page is deprecated. For importing a custom SSL certificate, please refer to SUSE Manager/Import Custom Certificate.

Can SUSE Manager use a third-party SSL cert?

First of all, this is not supported.

This is not trivial: several components and subsystems (jabber and others) need their configuration adapted. The rhn-ssl-tool utility helps to some extent. The recommended approach is to use a root CA with a sub-CA rather than individual server certificates, which makes sense when you consider server renames over the lifecycle of a SUSE Manager installation: every rename means a new server certificate. In the current setup the public part of the root CA is placed on the clients, so new certificates issued by that root CA are accepted by the clients without touching them.

An externally provided certificate would need to be injected into the setup workflow, and that ability is not provided.

How can I check that a CA passphrase is correct?

Run the following command:

   openssl rsa -in /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY

If the output contains:

   unable to load Private Key

then your passphrase is not correct. Otherwise the decrypted key is printed in the following form (add -noout to the command to confirm the passphrase without writing the key to the terminal):

   writing RSA key
   -----BEGIN RSA PRIVATE KEY-----
   [...]
   -----END RSA PRIVATE KEY-----
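An added example (not from the wiki page) that wraps the check above in a shell function: it confirms whether a passphrase unlocks the CA key without ever printing the decrypted key, and first reports whether the key file is encrypted at all. It assumes openssl is on the PATH; the passphrase is handed over through an environment variable instead of a command-line argument so that it does not show up in the process list, and the variable name SMGR_CA_PASS is an arbitrary choice made here.

```sh
#!/bin/sh
# Added example, not part of the original wiki page. Assumes openssl is installed.

# key_is_encrypted KEYFILE
# Returns 0 if the PEM file carries an encryption header. Both the traditional
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
# marker match. A CA key stored in plaintext needs no passphrase at all, which is
# itself worth knowing.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# check_key_passphrase KEYFILE PASSPHRASE
# Returns 0 if PASSPHRASE decrypts KEYFILE, 1 if openssl rejects it (the
# "unable to load Private Key" case from the page), 2 if the file is unreadable.
# -noout keeps the decrypted key off the terminal and -check additionally
# validates the RSA key's consistency. The passphrase reaches openssl through
# the environment (-passin env:) so it never appears in `ps` output.
check_key_passphrase() {
    key="$1"
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 2; }
    if SMGR_CA_PASS="$2" openssl rsa -in "$key" -passin env:SMGR_CA_PASS \
            -noout -check >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Interactive use on the server (path from the page):
#   check_key_passphrase /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY "$pass" \
#       && echo "passphrase accepted" || echo "passphrase rejected"
```

Note that for a key that is not encrypted, check_key_passphrase succeeds with any passphrase; run key_is_encrypted first if that distinction matters to you.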

CA certificate password was lost. Can I reset the CA certificate?

This is not an easy procedure and it is not supported, so as a first step try to recover the password by other means if at all possible.

If you lost your CA password, you can recover by:

  • generating a new CA certificate on the server;
  • using the new CA certificate, generating a new SSL certificate on the server and each proxy;
  • installing the new CA certificate on all clients, whether they connect to the server directly or through a proxy.

Server steps (before you begin, move any old certificates, e.g. /root/ssl-build/*, /etc/ssl/certs/own-suse-manager* and /srv/www/htdocs/pub/rhn-org*, into a backup folder):

/usr/bin/rhn-ssl-tool --gen-ca --force --password=<MY_CA_PASSWORD> --dir="/root/ssl-build" --set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc" --set-org-unit="SSL CA Unit"
/usr/bin/rhn-deploy-ca-cert.pl --source-dir /root/ssl-build --target-dir /srv/www/htdocs/pub/
/usr/bin/rhn-ssl-tool --gen-server --password=<MY_CA_PASSWORD> --dir="/root/ssl-build" --set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc." --set-org-unit="IS/IT" --set-email="admin@example.com" --set-hostname="<MY_FQDN>"
/usr/bin/rhn-install-ssl-cert.pl --dir=/root/ssl-build/<MY_SHORT_HOSTNAME>
/usr/bin/rhn-generate-pem.pl  --out-file=/etc/pki/spacewalk/jabberd/server.pem --ssl-dir=/root/ssl-build/<MY_SHORT_HOSTNAME>
/usr/bin/rhn-ssl-dbstore --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
c_rehash
spacewalk-service restart
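Two helpers for the server procedure above, added here as an example rather than taken from the wiki page or from SUSE Manager itself: the first moves the old certificate locations named above into a backup folder before rhn-ssl-tool --gen-ca --force overwrites them, the second verifies afterwards that the freshly generated server certificate really chains to the new CA and is valid for the hostname given with --set-hostname. Both assume openssl is installed. The ROOT argument is a hypothetical prefix so the helpers can be tried against a scratch directory; the path /root/ssl-build/<MY_SHORT_HOSTNAME>/server.crt in the usage comment is the assumed location of the generated server certificate.

```sh
#!/bin/sh
# Added example, not part of the original wiki page. Assumes openssl is installed.
# ROOT is a hypothetical prefix so the helpers can be exercised in a scratch
# directory; on a real SUSE Manager server pass "" (or "/") to act on the live paths.

# backup_old_certs ROOT BACKUP_DIR
# Moves the old certificate locations named on this page (contents of
# /root/ssl-build, /etc/ssl/certs/own-suse-manager*, /srv/www/htdocs/pub/rhn-org*)
# into BACKUP_DIR, preserving their original layout. Prints the number of
# entries moved so the caller can tell whether anything was there at all.
backup_old_certs() {
    root="${1%/}"
    backup="$2"
    moved=0
    for p in "$root"/root/ssl-build/* \
             "$root"/etc/ssl/certs/own-suse-manager* \
             "$root"/srv/www/htdocs/pub/rhn-org*; do
        [ -e "$p" ] || continue                # an unmatched glob yields the pattern itself
        dest="$backup/${p#"$root"/}"           # /etc/ssl/certs/x -> BACKUP_DIR/etc/ssl/certs/x
        mkdir -p "$(dirname "$dest")"
        mv "$p" "$dest"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# verify_server_cert CA_CERT SERVER_CERT [HOSTNAME]
# Returns 0 only if SERVER_CERT chains to CA_CERT. With HOSTNAME it also checks
# that the certificate is valid for that name, which is what clients holding the
# new RHN-ORG-TRUSTED-SSL-CERT will require when they connect to <MY_FQDN>.
verify_server_cert() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Usage on the server, before and after the rhn-ssl-tool steps on this page
# (server.crt location is assumed, not documented on the page):
#   backup_old_certs "" "/root/cert-backup-$(date +%Y%m%d)"
#   verify_server_cert /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT \
#       /root/ssl-build/<MY_SHORT_HOSTNAME>/server.crt <MY_FQDN>
```

A server certificate that fails verify_server_cert against the new CA but passes against the old one is the typical symptom of having run --gen-server before --gen-ca --force, or of deploying a stale RPM from the backup folder.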

If you use bootstrap scripts, they need to be recreated so that they include the new SSL certificate RPM:

mgr-bootstrap --activation-keys=<ACTIVATION_KEY> --script=bootstrap-<ACTIVATION_KEY>.sh

Client steps:

scp root@<server>:/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/
c_rehash
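After the two client steps it is worth confirming that the copied file is byte-for-byte the CA certificate the server generated and that c_rehash produced the hash link OpenSSL looks up. The following helpers are an added example (not from the wiki page) and assume openssl is installed; which directory c_rehash processed on your client is passed in as DIR rather than assumed here.

```sh
#!/bin/sh
# Added example, not part of the original wiki page. Assumes openssl is installed.

# cert_fingerprint CERT
# Prints the SHA-256 fingerprint of a PEM certificate (colon-separated hex).
# Capture it on the server before the scp and compare on the client afterwards.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# same_cert CERT_A CERT_B
# Returns 0 when both files hold the same certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# hash_link_present DIR CERT
# Returns 0 when DIR contains a <subject_hash>.N link, as created by c_rehash,
# that resolves to CERT. Several certificates can share a subject hash, in
# which case c_rehash numbers the links .0, .1, ..., so every candidate is tried.
hash_link_present() {
    dir="$1"
    cert="$2"
    h=$(openssl x509 -in "$cert" -noout -subject_hash)
    for link in "$dir/$h".[0-9]*; do
        [ -r "$link" ] || continue             # unmatched glob yields the pattern itself
        same_cert "$link" "$cert" && return 0
    done
    return 1
}

# Example on a client (path from the page; DIR is whatever directory c_rehash processed):
#   same_cert /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /path/to/server-copy-of-RHN-ORG-TRUSTED-SSL-CERT
#   hash_link_present <DIR> /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
```

A mismatch from same_cert after a CA reset usually means the client still holds the old RHN-ORG-TRUSTED-SSL-CERT, which is exactly the client that will start failing TLS connections once the server switches to certificates from the new CA.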

Proxy steps:

mv /root/ssl-build /root/ssl-build.old
scp -r root@<server>:/root/ssl-build /root/
c_rehash
configure-proxy.sh

See "Running configure-proxy.sh" in the Proxy Quick Start guide for further information.