SUSE Manager/Replace CA Certificate

From MicroFocusInternationalWiki
For updated instructions, see https://opensource.suse.com/doc-susemanager/suse-manager/administration/custom-ssl.html


Replace the CA Certificate in SUSE Manager 3

SUSE Manager installations that were first set up with SUSE Manager 1.2 or 1.7 generated SSL certificates using SHA1 as the hashing algorithm. SHA1 is no longer considered secure, and web browsers may in future reject SSL certificates that use this weak algorithm. Migrating these installations to 2.1 or 3.0 copies the old SSL certificates, so SUSE Manager 3 installations are also affected if the initial installation was made with version 1.2 or 1.7.

For these installations it is necessary to generate a new CA and new server certificates and deploy them throughout the whole infrastructure.

New installations of SUSE Manager 2.1 or 3 are not affected; they already use SHA256 as the hashing algorithm.

It is also possible to swap in existing certificates, in case the customer has generated their own.
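To find out whether an installation is affected before starting the procedure, it helps to read the signature algorithm straight out of the CA and server certificates. The following script is an added example, not part of the wiki page: it uses openssl to print the signature algorithm of a PEM certificate and flags SHA1/MD5 signatures. It assumes the default ssl-build layout of this procedure (/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT for the CA and <dir>/<hostname>/server.crt for the server certificate, as created by rhn-ssl-tool; the server.crt name is an assumption).

```shell
#!/bin/sh
# Added example (not part of the wiki page): report the signature algorithm of
# PEM certificates and flag SHA1/MD5 signatures. Directory and host default to
# the values the procedure assumes (/root/ssl-build, susemanager).

# Print the signature algorithm of the first certificate in a PEM file,
# e.g. "sha1WithRSAEncryption" or "sha256WithRSAEncryption".
sig_alg_of_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 0 (true) when the algorithm name uses a digest browsers reject.
is_weak_sigalg() {
    case "$1" in
        *sha1*|*SHA1*|*md5*|*MD5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the CA certificate and the server certificate of one ssl-build
# directory ($1) for host $2. Exit status 1 if any of them is weakly signed
# or cannot be parsed. The <dir>/<host>/server.crt path is an assumption.
check_ssl_build_dir() {
    dir="${1:-/root/ssl-build}"
    host="${2:-susemanager}"
    rc=0
    for f in "$dir/RHN-ORG-TRUSTED-SSL-CERT" "$dir/$host/server.crt"; do
        [ -r "$f" ] || { echo "skip  $f: not readable"; continue; }
        alg=$(sig_alg_of_cert "$f")
        [ -n "$alg" ] || { echo "ERR   $f: not a certificate"; rc=1; continue; }
        if is_weak_sigalg "$alg"; then
            echo "WEAK  $f: $alg"; rc=1
        else
            echo "ok    $f: $alg"
        fi
    done
    return $rc
}
```

Run `check_ssl_build_dir /root/ssl-build susemanager` on the server; a non-zero exit status means the CA or server certificate still carries a SHA1 (or MD5) signature and the procedure below applies. The same functions can be pointed at the old copy in /root/old-ssl-build later to confirm what was replaced.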

Procedure to replace the whole certificate infrastructure

The procedure assumes the following conditions:

  • The SSL build directory is in /root/ssl-build
  • The current RPM version-release of rhn-org-trusted-ssl-cert is 1.0-1
  • The hostname of the SUSE Manager Server is susemanager

It requires that the packages spacewalk-certs-tools-2.5.1.3 and susemanager-sls-0.1.14 or higher are installed on the SUSE Manager Server.

When replacing rather than creating the CA certificate, the following files are needed:

  • CA cert file
  • (optionally) CA intermediate cert file
  • Server cert file + Server key file (trusted by the CA)

SUSE Manager 2.1

The procedure described below for traditional clients should also work on SUSE Manager 2.1.

It requires that the package spacewalk-certs-tools-2.1.6.12 or higher is installed on the SUSE Manager Server.

Create a new CA and Server Certificates from scratch

  • move old ssl-build dir away
   $> mv /root/ssl-build /root/old-ssl-build
  • generate new CA Certificate
   $> rhn-ssl-tool --gen-ca --dir="/root/ssl-build" --set-country="DE" \
      --set-state="Bavaria" --set-city="Nuremberg" --set-org="My Organization" \
      --set-org-unit="Development" --set-common-name="SUSE Manager CA Certificate" \
      --set-email="root@mycompany.com"
  • generate a new server certificate
   $> rhn-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="DE" \
      --set-state="Bavaria" --set-city="Nuremberg" --set-org="My Organization" \
      --set-org-unit="Development" --set-email="root@mycompany.com" \
      --set-hostname="susemanager.domain.top" [--set-cname="...."]
  • create server certificates for all proxies
   Use the command above with different hostnames and cnames.

(Alternative) Import existing CA and Server Certificates

  • move old ssl-build dir away
   $> mv /root/ssl-build /root/old-ssl-build
  • prepare the merged CA cert file (Optional: only if intermediate certs are present)
    • Merge the CA cert and CA intermediate cert into a single file.
    • The CA intermediate cert must be the first in the merged file.
  • generate CA Certificate RPM
   $> rhn-ssl-tool --gen-ca --rpm-only --dir="/root/ssl-build" \
      --from-ca-cert=<THEIR_CA_MERGED_CERTIFICATE_FILE>
  • generate a new server certificate RPM
   $> rhn-ssl-tool --gen-server --rpm-only --dir="/root/ssl-build" \
      --from-server-key=<THEIR_SERVER_KEY_FILE> \
      --from-server-cert=<THEIR_SERVER_CERT_FILE>
  • create server certificates for all proxies
   Use the command above with different hostnames and cnames.
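Before customer-provided material is packaged with `--from-server-key`, `--from-server-cert` and `--from-ca-cert`, it is worth confirming that the key really belongs to the certificate and that the certificate chains to the supplied CA file, since rhn-ssl-tool only wraps the files into RPMs. The following checks are an added example, not part of the wiki page; file names are passed as arguments and the CA file may be the merged intermediate+root file described above.

```shell
#!/bin/sh
# Added example (not part of the wiki page): sanity checks on certificate
# material before running "rhn-ssl-tool --rpm-only" with --from-* options.

# Return 0 when private key $1 belongs to certificate $2. Compares the public
# key derived from the key with the one embedded in the certificate; this
# works for RSA and EC keys alike, unlike the classic modulus comparison.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Return 0 when certificate $2 verifies against CA file $1. For a merged
# file (intermediate first, then root) the same call checks the whole chain.
cert_verifies_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run both checks: $1 CA file (merged if intermediates are present),
# $2 server key, $3 server certificate. Exit status 1 on any failure.
pre_import_check() {
    rc=0
    if key_matches_cert "$2" "$3"; then
        echo "ok    key matches certificate"
    else
        echo "FAIL  key does not match certificate"; rc=1
    fi
    if cert_verifies_against_ca "$1" "$3"; then
        echo "ok    certificate chains to CA file"
    else
        echo "FAIL  certificate does not verify against CA file"; rc=1
    fi
    return $rc
}

# Usage (placeholders, not files from the page):
#   pre_import_check THEIR_CA_MERGED_CERTIFICATE_FILE THEIR_SERVER_KEY_FILE THEIR_SERVER_CERT_FILE
```

A failing key/certificate match is the more common surprise when files come from several hand-offs; catching it here avoids building and distributing a key-pair RPM that the web server cannot start with.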

Create a CA file that includes both the old and the new CA

  • create combined Root CA (old and new in one file)
 $> mkdir /root/combined-ssl-build
 $> cp /root/old-ssl-build/RHN-ORG-TRUSTED-SSL-CERT /root/combined-ssl-build/
 $> cat /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT >> /root/combined-ssl-build/RHN-ORG-TRUSTED-SSL-CERT
 $> cp /root/old-ssl-build/*.rpm /root/combined-ssl-build/
 $> rhn-ssl-tool --gen-ca --rpm-only --dir="/root/combined-ssl-build"
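Two of the files built by hand in this procedure are PEM bundles whose content order matters: the merged CA file of the import variant (intermediate first, root last) and the combined RHN-ORG-TRUSTED-SSL-CERT above (old root plus new root). The script below is an added example, not part of the wiki page; it splits a bundle into its certificates with awk, lists subject, issuer and SHA256 fingerprint per certificate, checks the "intermediate first" ordering rule, and checks that a combined trust file holds distinct certificates rather than the same root twice. It only needs openssl and assumes nothing beyond the file paths passed as arguments.

```shell
#!/bin/sh
# Added example (not part of the wiki page): inspect PEM bundles such as the
# merged intermediate+root CA file or the combined old+new
# RHN-ORG-TRUSTED-SSL-CERT before wrapping them into an RPM.

# Split PEM bundle $1 into one file per certificate: $2/cert-1.pem, ...
split_pem_bundle() {
    awk -v out="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Number of certificates in bundle $1 (0 when there are none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Field of certificate file $1: "subject", "issuer" or "fingerprint".
cert_field() {
    case "$2" in
        fingerprint) openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' ;;
        subject)     openssl x509 -in "$1" -noout -subject | sed 's/^subject=//' ;;
        issuer)      openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//' ;;
    esac
}

# One line per certificate: index, sha256 fingerprint, subject, issuer.
pem_bundle_summary() {
    d=$(mktemp -d); split_pem_bundle "$1" "$d"
    i=1
    while [ -f "$d/cert-$i.pem" ]; do
        printf '%d %s subject=[%s] issuer=[%s]\n' "$i" \
            "$(cert_field "$d/cert-$i.pem" fingerprint)" \
            "$(cert_field "$d/cert-$i.pem" subject)" \
            "$(cert_field "$d/cert-$i.pem" issuer)"
        i=$((i + 1))
    done
    rm -rf "$d"
}

# Return 0 when bundle $1 is a chain in the order the procedure requires:
# each certificate is issued by the next one and the last one is self-signed.
chain_order_ok() {
    d=$(mktemp -d); split_pem_bundle "$1" "$d"
    n=$(pem_cert_count "$1"); ok=0
    [ "$n" -ge 1 ] || ok=1
    i=1
    while [ "$i" -le "$n" ]; do
        iss=$(cert_field "$d/cert-$i.pem" issuer)
        if [ "$i" -lt "$n" ]; then
            next_sub=$(cert_field "$d/cert-$((i + 1)).pem" subject)
        else
            next_sub=$(cert_field "$d/cert-$i.pem" subject)   # root: self-signed
        fi
        [ "$iss" = "$next_sub" ] || ok=1
        i=$((i + 1))
    done
    rm -rf "$d"
    return $ok
}

# Return 0 when trust bundle $1 holds only distinct certificates (e.g. the old
# and the new root CA, and not the same one appended twice).
bundle_has_distinct_certs() {
    n=$(pem_cert_count "$1")
    u=$(pem_bundle_summary "$1" | awk '{ print $2 }' | sort -u | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] && [ "$n" -eq "$u" ]
}
```

For the combined file of this step, `pem_bundle_summary /root/combined-ssl-build/RHN-ORG-TRUSTED-SSL-CERT` should list exactly two self-signed entries with different fingerprints, and `bundle_has_distinct_certs` should succeed; a failed `chain_order_ok` is expected there, because two roots are not a chain. For the merged CA file of the import variant the opposite holds: `chain_order_ok` must succeed, otherwise the intermediate is not first.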

Deploy the new CA file on all clients and proxies

  • deploy the CA locally on the server
 $> /usr/bin/rhn-deploy-ca-cert.pl --source-dir /root/combined-ssl-build \
    --target-dir /srv/www/htdocs/pub/ --trust-dir=/etc/pki/trust/anchors/

Procedure for traditional managed Clients

  • Create a custom channel and push the generated RPM into it.
 If clients have different base channels, create one channel and
 clone it below the other parent channels.
 
 Channels => Manager Software Channels => Create Channel
 
 Name: SSL-CA-Channel
 Label: ssl-ca-channel
 Parent Channel: <choose the parent channel of the clients>
 Summary: SSL-CA-Channel
 
 Click on "Create Channel"
  • upload the RPM into the channel
 $> rhnpush -c ssl-ca-channel --nosig \
    --ca-chain=/srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT \
    /root/combined-ssl-build/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm
  • subscribe all clients to the channel with the root CA certificate rpm.
  • Install the RPM on all clients.

Salt managed Clients

  • Deploy on all Minions via the salt command line
 salt '*' state.apply certs
  • OR deploy on all Minions via the Web UI
 Salt => Remote Commands
   "salt-call state.apply certs" @ "*"

Replace the Server Certificate on the Server and the Proxies

  • Install the generated RPM on the server and restart the services
 $> rpm -Uhv ssl-build/susemanager/rhn-org-httpd-ssl-key-pair-susemanager-1.0-2.noarch.rpm
 $> spacewalk-service restart
  • Install the generated RPM on each proxy and restart the proxy services
 $> rpm -Uhv ssl-build/susemanager-proxy/rhn-org-httpd-ssl-key-pair-susemanager-proxy-1.0-2.noarch.rpm
 $> spacewalk-proxy restart
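After the restart, the certificate the server or proxy actually presents on port 443 should be the new one, and it should verify against the CA file published in /srv/www/htdocs/pub/. The functions below are an added example, not part of the wiki page; they wrap openssl s_client for that check and compare the served certificate's fingerprint with the one in the ssl-build tree. The host name and CA path are the ones this procedure assumes, and /root/ssl-build/susemanager/server.crt is an assumed location for the server certificate written by rhn-ssl-tool.

```shell
#!/bin/sh
# Added example (not part of the wiki page): confirm what a server or proxy
# presents on port 443 after the new key-pair RPM was installed.

# Raw TLS handshake report from openssl s_client; no request is sent.
tls_handshake_report() {     # $1 host, $2 CA file, $3 port (default 443)
    openssl s_client -connect "$1:${3:-443}" -servername "$1" \
        -CAfile "$2" </dev/null 2>/dev/null
}

# Return 0 when an s_client report (read from stdin) says the chain verified.
handshake_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# SHA256 fingerprint of the leaf certificate the server presented.
served_cert_fingerprint() {  # $1 host, $2 port (default 443)
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA256 fingerprint of a certificate file, for comparison with the served one.
local_cert_fingerprint() {   # $1 certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when host $1 serves the certificate stored in file $2.
served_matches_local() {     # $1 host, $2 certificate file, $3 port (default 443)
    [ "$(served_cert_fingerprint "$1" "${3:-443}")" = "$(local_cert_fingerprint "$2")" ]
}

# Usage on the server (not run by the example itself):
#   tls_handshake_report susemanager /srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT \
#       | handshake_verified && echo "chain verified against published CA"
#   served_matches_local susemanager /root/ssl-build/susemanager/server.crt \
#       && echo "server presents the new certificate"
```

Run the same two checks against each proxy with its own hostname and its ssl-build subdirectory. A handshake that verifies only against the combined CA file but not against the new-root-only file tells you the server still presents a certificate signed by the old CA.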

Deploy the CA file that contains only the new Root CA on all clients

  • generate an RPM with a new release number
 $> cp /root/combined-ssl-build/*.rpm /root/ssl-build/
 $> rhn-ssl-tool --gen-ca --rpm-only --dir="/root/ssl-build"
  • install the new CA locally on the SUSE Manager Server
 $> /usr/bin/rhn-deploy-ca-cert.pl --source-dir /root/ssl-build \
    --target-dir /srv/www/htdocs/pub/ --trust-dir=/etc/pki/trust/anchors/
 $> spacewalk-service restart
  • upload the RPM into the channel
 $> rhnpush -c ssl-ca-channel --nosig \
    --ca-chain=/srv/www/htdocs/pub/RHN-ORG-TRUSTED-SSL-CERT \
    /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-3.noarch.rpm
  • Install the RPM on all traditional registered clients.
  • Deploy on all Minions via the salt command line
 salt '*' state.apply certs
  • OR deploy on all Minions via the Web UI
 Salt => Remote Commands
   "salt-call state.apply certs" @ "*"

Final steps

  • update the CA certificate in the database
 $> /usr/bin/rhn-ssl-dbstore --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
  • update old bootstrap scripts with the new name of the root CA RPM