Installation guide

Chapter 3. SSL Infrastructure

For Red Hat Satellite customers, security concerns are of the utmost importance. One of the strengths

of Red Hat Satellite is its ability to process every single request using the Secure Sockets Layer (SSL)

protocol. To maintain this level of security, customers installing Red Hat Satellite within their

infrastructures must generate custom SSL keys and certificates.

Manual creation and deployment of SSL keys and certificates can be quite involved. Both the

Red Hat Proxy Server and the Red Hat Satellite Server allow users to build their own SSL keys and

certificates based on their own private Certificate Authority (CA) during installation. In addition, a

separate command line utility, the Red Hat Satellit e SSL Main t en an ce To o l, exists for this

purpose. Even so, these keys and certificates must then be deployed to all systems within the

managed infrastructure. In many cases, deployment of these SSL keys and certificates is automated.

This chapter describes efficient methods for conducting all of these tasks.

Note

This chapter does not explain SSL in depth. The Red Hat Satellite SSL Main t en an ce To o l

was designed to hide much of the complexity involved in setting up and maintaining the

public-key infrastructure (PKI). For more information, see the relevant sections of the Red Hat

Enterprise Linux Deployment Guide.

3.1. A Brief Int roduct ion t o SSL

Secure Sockets Layer (SSL) is a protocol that enables client-server applications to pass information

securely. SSL uses a system of public and private key pairs to encrypt communication passed

between clients and servers. Public certificates can be left accessible, while private keys must be

secured. It is the mathematical relationship (a digital signature) between a private key and its paired

public certificate that makes this system work. Through this relationship, a connection of trust is

established.

Note

SSL private keys and public certificates are discussed throughout this document. Both can be

referred to as keys, one public and one private. However, when discussing SSL, it is the

convention to refer to the public half of an SSL key pair (or key set) as the SSL public

certificate.

An organization's SSL infrastructure is generally made up of the following SSL keys and certificates:

Certificate Authority (CA) SSL private key and public certificate: only one set per organization

generally generated. The public certificate is digitally signed by its private key. The public

certificate is distributed to every system.

Web server SSL private key and public certificate: one set per application server. The public

certificate is digitally signed by both its private key and the CA SSL private key. It is often referred

to as a Web server's key set; this is because there is an intermediary SSL certificate request that is

generated. The details of what this is used for are not important to this discussion. All three are

deployed to a Red Hat Satellite Server.

The following is a scenario to help visualize the concept: An organization with one Red Hat

⁠Chapt er 3. SSL Infrast ruct ure