Installation guide
Satellite Server and five Red Hat Proxy Servers will need to generate one CA SSL key pair and six
Web server SSL key sets. A CA SSL public certificate is distributed to all systems and used by all
clients to establish a connection to their respective upstream servers. Each server has its own SSL
key set that is specifically tied to that server's host name and generated using its own SSL private key
and the CA SSL private key in combination. This establishes a digitally verifiable association
between the Web server's SSL public certificate and the CA SSL key pair and server's private key. The
Web server's key set cannot be shared with other web servers.
Important
The most critical portion of this system is the CA SSL key pair. From that private key and public
certificate an administrator can regenerate any Web server's SSL key set. This CA SSL key pair
must be secured. Once the entire Red Hat Satellite infrastructure of servers is set up and
running, it is highly recommended to archive the SSL build directory generated by this tool and/or
the installers onto separate media, write down the CA password, and secure the media and
password in a safe place.
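The relationship described above, as an added example that is not from the Red Hat guide: plain openssl stands in for rhn-ssl-tool, and the host names and subject fields are constructed. It builds one CA key pair and two server key sets, then shows a client that trusts only the CA certificate rejecting one server's certificate when it is presented under another host name.

```shell
#!/bin/sh
# Added example: openssl stands in for rhn-ssl-tool; all names below are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # throwaway demo keys; a real CA key is archived, not deleted

# One CA key pair for the whole organization (private key + self-signed public certificate).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Org/CN=Example Satellite CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# One key set per server: its own private key, a CSR, and a certificate
# issued with the CA private key. Needs only ca.key and ca.crt to be rerun.
make_server() {   # $1 = server host name
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -days 30 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# What a client does: trust only the CA certificate and require the host name
# it connected to. $1 = certificate presented, $2 = host name expected.
client_accepts() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
make_server satellite.example.com
make_server proxy1.example.com

client_accepts satellite.example.com satellite.example.com &&
    echo "satellite certificate on satellite: accepted"
client_accepts proxy1.example.com proxy1.example.com &&
    echo "proxy1 certificate on proxy1: accepted"
client_accepts satellite.example.com proxy1.example.com ||
    echo "satellite certificate presented as proxy1: rejected"
```

Because `make_server` needs nothing but the CA private key and certificate, anyone holding those two files can issue a certificate for any host name that every client will accept, which is why the CA key pair is the part to archive and lock away.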
3.2. The Red Hat Satellite SSL Maintenance Tool
Red Hat Satellite provides a command line tool to ease the management of the organization's secure
infrastructure: the Red Hat Satellite SSL Tool, commonly known by its command rhn-ssl-tool.
This tool is available as part of the spacewalk-certs-tools package. This package can be
found within the software channels for the latest Red Hat Proxy Server and Red Hat Satellite Server
(as well as the Red Hat Satellite Server ISO). The Red Hat Satellite SSL Tool enables
organizations to generate their own Certificate Authority SSL key pair, as well as Web server SSL key
sets (sometimes called key pairs).
This tool is only a build tool. It generates all of the SSL keys and certificates that are required. It also
packages the files in RPM format for quick distribution and installation on all client machines. It does
not deploy them. That is left to the administrator, or in many cases, automated by the Red Hat
Satellite Server.
Note
The spacewalk-certs-tools package, which contains rhn-ssl-tool, can be installed and run
on any current Red Hat Enterprise Linux system with minimal requirements. This is offered as a
convenience for administrators who want to manage their SSL infrastructure from their
workstation or another system other than their Satellite or Proxy servers.
The Red Hat Satellite SSL Tool is required in the following situations:
When updating the Certificate Authority (CA) public certificate.
When installing a Red Hat Proxy Server 3.6 or later that connects to the central Red Hat Satellite
Servers as its top-level service. The hosted service, for security reasons, cannot be a repository
for the CA SSL key and certificate, which is private to the organization.
When reconfiguring the Satellite or Proxy infrastructure to use SSL where it previously did not.
When adding multiple Red Hat Satellite Servers to the Red Hat Satellite infrastructure. Consult with
a Red Hat representative for instructions regarding this.
Red Hat Satellite 5.7 Client Configuration Guide