Manualshelf

Installation guide

ManualsBrandsRed Hat ManualsComputer equipmentNETWORK PROXY SERVER 3.6 -
11121314151617181920
Chapter 4. SSL Infrastructure
For Red Hat Satellite customers, security concerns are of the utmost importance. One of the strengths of
Red Hat Satellite is its ability to process every single request over Secure Sockets Layer, or SSL. To
maintain this level of security, customers installing Red Hat Satellite within their infrastructures must
generate custom SSL keys and certificates.
Manual creation and deployment of SSL keys and certificates can be quite involved. Both the Red Hat
Proxy Server and the Red Hat Satellite Server allows users to build their own SSL keys and certificates
based on their own private Certificate Authority (CA) during installation. In addition, a separate command
line utility, the Red Hat Satellite SSL Maintenance Tool, exists for this purpose. Regardless, these
keys and certificates must then be deployed to all systems within the managed infrastructure. In many
cases, deployment of these SSL keys and certificates is automated. This chapter describes efficient
methods for conducting all of these tasks.
Note
This chapter does not explain SSL in depth. T he Red Hat Satellite SSL Maintenance Tool was
designed to hide much of the complexity involved in setting up and maintaining the public-key
infrastructure (PKI). For more information, see the relevant sections of the Red Hat Enterprise
Linux Deployment Guide.
4.1. A Brief Introduction to SSL
Secure Sockets Layer (SSL) is a protocol that enables client-server applications to pass information
securely. SSL uses a system of public and private key pairs to encrypt communication passed between
clients and servers. Public certificates can be left accessible, while private keys must be secured. It's the
mathematical relationship (a digital signature) between a private key and its paired public certificate that
makes this system work. T hrough this relationship, a connection of trust is established.
Note
SSL private keys and public certificates will be discussed throughout this document. Both can be
referred to as keys, one public and one private. However, when discussing SSL, it is the
convention to refer to the public half of an SSL key pair (or key set) as the SSL public certificate.
An organization's SSL infrastructure is generally made up of the following SSL keys and certificates:
Certificate Authority (CA) SSL private key and public certificate: only one set per organization
generally generated. T he public certificate is digitally signed by its private key. T he public certificate
is distributed to every system.
Web server SSL private key and public certificate: one set per application server. T he public
certificate is digitally signed by both its private key and the CA SSL private key. It is often referred to
as a Web server's key set; this is because there is an intermediary SSL certificate request that is
generated. T he details of what this is used for are not important to this discussion. All three are
deployed to a Red Hat Satellite Server.
The following is a scenario to help visualize the concept: An organization with one Red Hat
Satellite Server and five Red Hat Proxy Servers will need to generate one CA SSL key pair and six Web
server SSL key sets. A CA SSL public certificate is distributed to all systems and used by all clients to
Chapter 4. SSL Infrastructure
15