Updating SSL Keys and Certificates on an RHN Proxy Server v1.1.1
-------------------------------------------------------------------------------

This document explains how to update SSL keys and certs for legacy RHN Proxy
1.1.1 customers. Please be aware that there were a lot of changes that were not
"automated". Hence this document.

NOTE1: for detailed instructions regarding the use of rhn-ssl-tool, please
       refer to the Client Configuration Guide.

NOTE2: there should only be one SSL build tree, no matter how many RHN Proxies
       and Satellites you have deployed. It is usually maintained on the
       top-level server in the RHN tree. This document adopts these
       assumptions.

-------------------------------------------------------------------------------

------------
Assumptions:
------------

- All SSL information is in /etc/sysconfig/rhn/ (and not in
  /etc/sysconfig/rhn/ssl or /root/ssl-build)
- the rhn-ca-openssl.cnf file is actually called openssl.cnf
- the CA password is known
- the root user's present working directory is /root

------------
Preparation:
------------

Install the latest rhns-certs-tools RPM on that server. This RPM can be
acquired via the appropriate RHEL AS Tools Channel. It has few requirements.

Create a working copy of that directory:

    cd /root
    cp -a /etc/sysconfig/rhn ssl-build

Expiration dates need to be checked:

    openssl x509 -dates -noout -in ssl-build/ca.crt
    openssl x509 -dates -noout -in ssl-build/server.crt

Verify that you know your CA password (only useful if your password is 4
characters or longer):

    openssl rsa -in ssl-build/ca.key

NOTE: if either certificate has expired, or you have forgotten your CA password
(treat that as if your CA key pair had expired), you will have to regenerate
everything.
-------------------------------------------------------------------------------
If you only want to reorganize the build tree to something that RHN Proxy
Server v3.6 (or better) expects:
-------------------------------------------------------------------------------

    # if you have not done this already...
    cd /root
    cp -a /etc/sysconfig/rhn ssl-build

    # you have just created a /root/ssl-build directory - the default location
    # for RHN Proxy Server v3.6 or better
    cd ssl-build
    mv ca.crt RHN-ORG-TRUSTED-SSL-CERT
    mv ca.key RHN-ORG-PRIVATE-SSL-KEY

    # repeat for all RHN Proxy/Satellite servers in your infrastructure:
    cp RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/
    cd /var/www/html/pub
    ln -s RHN-ORG-TRUSTED-SSL-CERT RHNS-CORP-CA-CERT

    cd /root/ssl-build
    mkdir deprecated
    mv openssl.cnf deprecated
    mv rhns-ca-* deprecated

    # You need a new rhn-ca-openssl.cnf; this will create it for you.
    rhn-ssl-tool --gen-ca --dir ssl-build-temp
    # Enter a bogus password; it's not important for this config generation
    # step.
    #
    # NOTE about OPTIONS: OPTIONS refers generally to all the --set-* options.
    # Please reference the Client Configuration Guide, or "man rhn-ssl-tool",
    # for more information. You may wish to populate that new
    # rhn-ca-openssl.cnf with your own custom --set-* values.
    perl -npe 's/ssl-build-temp\///' -i ssl-build-temp/rhn-ca-openssl.cnf
    mv ssl-build-temp/rhn-ca-openssl.cnf .
    rm -rf ssl-build-temp

    # Rebuild each RHN Proxy's section in the build directory; do this for each
    # RHN Proxy:

    1. Determine the "machine name" directory name for that RHN Proxy. This is
       the portion of each RHN Proxy's hostname that does not include the
       domain. For example, "myproxy.redhat.com"'s machine name is "myproxy".
       It can also be determined as such:

           PYTHONPATH=/usr/share/rhn/certs python -c "import sslToolLib; \
               print sslToolLib.getMachineName('myproxy.redhat.com')"

       Just use your own hostname instead in that string field.

    2.
       cd /root/ssl-build/
       mkdir THAT_MACHINE_NAME
       cp rhn* server* THAT_MACHINE_NAME
       cd THAT_MACHINE_NAME
       cat server.crt server.key > server.pem
       cd ../..

       # to write the data and tar file to /root/ssl-build/THAT_MACHINE_NAME/
       rhn-ssl-tool --gen-server --set-hostname HOSTNAME --rpm-only

    # clean up the original tree
    cd /etc/sysconfig/rhn
    rm -f *.pem ca.* index.* openssl.cnf rhns-ca* rhns-ssl* serial* \
        server.{key,csr,crt}
    cd /root

    # archive and store that ssl-build directory in a safe place on removable
    # media

--------------------------------------------------
If ca.crt has expired you need to redo everything:
--------------------------------------------------

    rm -rf ssl-build   # what you have is useless now

    #
    # create CA SSL key pair and deploy/prep new CA SSL public certificate
    #
    rhn-ssl-tool --gen-ca --help
    rhn-ssl-tool --gen-ca OPTIONS   # only really need to set some of the
                                    # --set-* options.

    # deprecate the old stuff
    mkdir /var/www/html/pub/deprecated
    mv /var/www/html/pub/rhns-ca-cert* /var/www/html/pub/deprecated/

    # repeat for all RHN Proxy/Satellite servers in your infrastructure:
    # put new CA SSL public certificate and RPM in /pub for client access
    cp ssl-build/RHN-ORG-TRUSTED-SSL-CERT \
       ssl-build/rhn-org-trusted-ssl-cert-1.0-.noarch.rpm \
       /var/www/html/pub/

    #
    # create each web server's SSL key set
    #
    # for every hostname of every RHN Proxy or Satellite...
    # Refer to the Client Configuration Guide for further details.
    rhn-ssl-tool --gen-server --set-hostname HOSTNAME \
        --set-*

    #
    # deploy each web server's RPMs
    #
    On each RHN Proxy and RHN Satellite:
    - rpm -e rhns-ssl-cert   # if installed
    - Install the appropriate
      rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm on the
      appropriate RHN Proxy or RHN Satellite.
    - bounce the Apache service on that server:
          /sbin/service httpd stop
          /sbin/service httpd start

    #
    # deploy CA SSL public certificate to all clients...
    #
    On every client (including RHN Proxies connected to an RHN Satellite or
    another RHN Proxy):
    - rpm -Uvh \
        http://SERVER_HOSTNAME/pub/rhn-org-trusted-ssl-cert-VER-REL.noarch.rpm
    - edit /etc/sysconfig/rhn/rhn_register (if RHEL 2.1) and
      /etc/sysconfig/rhn/up2date and change this key-value pair to read:
          sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    - test a client - it should work
    - RHN Proxies that meet that criterion:
      - edit /etc/rhn/rhn.conf and make sure the CA SSL public certificate
        value refers to RHN-ORG-TRUSTED-SSL-CERT
      - bounce the Apache service on that server:
            /sbin/service httpd stop
            /sbin/service httpd start

    #
    # You are done
    #

    # clean up the original tree
    cd /etc/sysconfig/rhn
    rm -f *.pem ca.* index.* openssl.cnf rhns-ca* rhns-ssl* serial* \
        server.{key,csr,crt}
    cd /root

    # archive and store that build directory in a safe place on removable
    # media

    # If not upgrading, or if you have not already upgraded to an RHN Proxy
    # Server 3.6 or better, do this:
    mv ssl-build /etc/sysconfig/rhn/ssl

-------------------------------------------------------------------
If server.crt has expired but your ca.crt has a bunch of time left:
-------------------------------------------------------------------

    #
    # reorg the tree a bit...
    #
    rhn-ssl-tool --gen-ca
    ^C
    # NOTE: ^C means, don't enter a password, just type CONTROL-C
    cd ssl-build
    mv ca.crt RHN-ORG-TRUSTED-SSL-CERT
    mv ca.key RHN-ORG-PRIVATE-SSL-KEY
    mv openssl.cnf openssl.cnf--deprecated
    mkdir deprecated
    mv rhns-ca-* deprecated

    # repeat for all RHN Proxy/Satellite servers in your infrastructure:
    # populate /var/www/html/pub:
    cp RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/
    cd /var/www/html/pub
    ln -s RHN-ORG-TRUSTED-SSL-CERT RHNS-CORP-CA-CERT

    cd /root/ssl-build
    # need a new rhn-ca-openssl.cnf
    rhn-ssl-tool --gen-ca --dir ssl-build-temp
    # Enter a bogus password; it's not important for this config generation
    # step.
    perl -npe 's/ssl-build-temp\///' -i ssl-build-temp/rhn-ca-openssl.cnf
    mv ssl-build-temp/rhn-ca-openssl.cnf .
    rm -rf ssl-build-temp
    cd ..

    #
    # create each web server's SSL key set
    #
    # for every hostname of every RHN Proxy or Satellite...
    rhn-ssl-tool --gen-server --set-hostname HOSTNAME \
        --set-*

    #
    # deploy each web server's RPMs
    #
    On each RHN Proxy and RHN Satellite:
    - rpm -e rhns-ssl-cert   # if installed
    - Install the appropriate
      rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm on the
      appropriate RHN Proxy or RHN Satellite.
    - bounce the Apache service on that server:
          /sbin/service httpd stop
          /sbin/service httpd start

    #
    # You are done
    #

    # clean up the original tree
    cd /etc/sysconfig/rhn
    rm -f *.pem ca.* index.* openssl.cnf rhns-ca* rhns-ssl* serial* \
        server.{key,csr,crt}
    cd /root

    # archive and store that build directory in a safe place on removable
    # media

    # If not upgrading, or if you have not already upgraded to an RHN Proxy
    # Server 3.6 or better, do this:
    mv ssl-build /etc/sysconfig/rhn/ssl
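The build-tree reorganisation that the "reorganize the build tree" section above walks through by hand (rename the CA pair, publish only the public certificate, park the old config, lay out one proxy's machine-name section) collected into shell functions, as an added example that is not part of the original document or of rhn-ssl-tool. The build and pub directory paths are parameters rather than the fixed /root/ssl-build and /var/www/html/pub so it can be tried on a scratch copy first; the RPM build (rhn-ssl-tool --gen-server) is left to the real tool.

```shell
#!/bin/sh
# Added example, not part of the original document or of rhn-ssl-tool:
# perform the legacy-tree reorganisation on a directory passed in as $1,
# publishing the CA certificate to $2, then lay out one proxy's section.

# Same rule as sslToolLib.getMachineName: hostname minus its domain part.
machine_name() {
    printf '%s\n' "$1" | cut -d. -f1
}

# $1 = working build tree (e.g. /root/ssl-build), $2 = web pub directory
# (e.g. /var/www/html/pub). Fails, touching nothing, if $1 is not a
# legacy tree holding ca.crt and ca.key.
reorg_tree() {
    build="$1"; pub="$2"
    [ -f "$build/ca.crt" ] && [ -f "$build/ca.key" ] || return 1
    mv "$build/ca.crt" "$build/RHN-ORG-TRUSTED-SSL-CERT"
    mv "$build/ca.key" "$build/RHN-ORG-PRIVATE-SSL-KEY"
    chmod 600 "$build/RHN-ORG-PRIVATE-SSL-KEY"     # CA key stays here
    mkdir -p "$pub" "$build/deprecated"
    cp "$build/RHN-ORG-TRUSTED-SSL-CERT" "$pub/"    # public cert only
    ln -sf RHN-ORG-TRUSTED-SSL-CERT "$pub/RHNS-CORP-CA-CERT"
    for f in "$build/openssl.cnf" "$build"/rhns-ca-*; do
        [ -e "$f" ] && mv "$f" "$build/deprecated/"
    done
    return 0
}

# $1 = build tree, $2 = proxy FQDN. Creates <build>/<machine name>/ holding
# the server key pair and the combined server.pem, and prints that path.
# rhn-ssl-tool --gen-server --set-hostname "$2" --rpm-only is still needed
# afterwards to build the RPM.
proxy_section() {
    build="$1"; dir="$build/$(machine_name "$2")"
    [ -f "$build/server.crt" ] && [ -f "$build/server.key" ] || return 1
    mkdir -p "$dir"
    for f in "$build"/rhn* "$build"/server*; do
        [ -f "$f" ] && cp "$f" "$dir/"
    done
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    chmod 600 "$dir/server.key" "$dir/server.pem"  # pem carries the key
    printf '%s\n' "$dir"
}
```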