Difference between revisions of "SUSE Manager/Certificate"

From MicroFocusInternationalWiki

Revision as of 12:46, 20 November 2013

SUSE Manager Main Page

Can SUSE Manager use a third-party SSL cert?

First of all, this is not supported.

That is not trivial, as there are several places and subsystems (jabber etc.) whose configuration would need to be adapted. There is a tool called rhn-ssl-tool that helps a bit. But there is also the statement that it is best to use a root/sub-CA rather than individual common server certificates. This makes sense when you consider server renaming over the whole lifecycle of a SUSE Manager, which means a new common server certificate, etc. Right now the setup is that the public part of the root CA is put onto the clients, so that new certificates issued by this root CA are accepted by the clients without touching them.

An externally provided certificate would need to be injected into the setup workflow. This ability is not provided.

CA certificate password was lost. Can I reset the CA certificate?

This is not an easy procedure and it is not supported - so try to recover the password by other means, if possible, as a first step.

If you lost your CA password, you can recover by:

  • generating a new CA certificate on the server;
  • using the new CA certificate, generating a new SSL certificate on the server and each proxy;
  • installing this certificate on all clients (both server's and proxy's).

Server steps:

/usr/bin/rhn-ssl-tool --gen-ca --force --password=<MY_CA_PASSWORD> --dir="/root/ssl-build" --set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc" --set-org-unit="SSL CA Unit"
/usr/bin/rhn-deploy-ca-cert.pl --source-dir /root/ssl-build --target-dir /srv/www/htdocs/pub/
/usr/bin/rhn-ssl-tool --gen-server --password=<MY_CA_PASSWORD> --dir="/root/ssl-build" --set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc." --set-org-unit="IS/IT" --set-email="admin@example.com" --set-hostname="<MY_FQDN>"
/usr/bin/rhn-install-ssl-cert.pl --dir=/root/ssl-build/<MY_SHORT_HOSTNAME>
/usr/bin/rhn-generate-pem.pl  --out-file=/etc/pki/spacewalk/jabberd/server.pem --dir=/root/ssl-build/<MY_SHORT_HOSTNAME>
/usr/bin/rhn-ssl-dbstore --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

Client steps:

scp root@<server>:/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/
c_rehash

Proxy steps:

mv /root/ssl-build /root/ssl-build.old
scp -r root@<server>:/root/ssl-build /root/
c_rehash
configure-proxy.sh

See "Running configure-proxy.sh" (http://docserv.suse.de/documents/Manager/susemanager-proxy-quick/single-html/#sec.manager.proxy.inst.config) in the Proxy Quick Start guide for further information.
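As an added example (not from the wiki page), a POSIX shell helper to check a regenerated CA/server certificate pair before rolling it out: that the new server certificate chains to the CA file the clients will hold, that it names the server's FQDN, and that a client's copy of RHN-ORG-TRUSTED-SSL-CERT is the same certificate the server publishes. The file paths in the usage comment and the presence of the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity-check the certificates
# produced by the rhn-ssl-tool steps above before touching clients.
# Requires the openssl command-line tool.

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# ca_matches CLIENT_CA_FILE SERVER_CA_FILE
# Returns 0 if both files hold the same certificate (compared by fingerprint),
# i.e. the client already carries the regenerated CA.
ca_matches() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# check_server_cert CA_FILE SERVER_CERT FQDN
#   0: cert verifies against CA and carries FQDN in CN or SAN
#   1: cert does not chain to CA (a client holding this CA gets an SSL error)
#   2: chain is fine but the name does not match (hostname mismatch)
check_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    names=$(openssl x509 -in "$2" -noout -subject; \
            openssl x509 -in "$2" -noout -text | grep -A1 'Subject Alternative Name' || true)
    echo "$names" | grep -q "$3" || return 2
    return 0
}

# Usage with the paths the page uses (assumed layout of /root/ssl-build):
#   sh check-ssl.sh /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
#      /root/ssl-build/<MY_SHORT_HOSTNAME>/server.crt <MY_FQDN>
if [ "$#" -eq 3 ]; then
    if check_server_cert "$1" "$2" "$3"; then
        echo "OK: $2 chains to $1 and names $3"
    else
        echo "FAIL (rc=$?): $2 does not pass against $1 for $3" >&2
        exit 1
    fi
fi
```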