Installing Red Hat CA certificates

The SA Red Hat importer validates the server certificates of Red Hat Network Classic (RHN), Red Hat Subscription Management (RHSM) and Red Hat Satellite. By default, SA is bundled with CA certificates for RHN only: of the three content providers, only Red Hat Network Classic is signed by a certificate authority trusted by both SA and Red Hat.

RHSM and Red Hat Satellite servers use self-signed certificates, so by default no CA certificate for these two content providers is bundled with the SA rhn_import component. To enable access to Red Hat Subscription Management and/or Red Hat Satellite, you need to install the self-signed server certificate in the openssl trust store.

Which certificate you need depends on your use case: install the RHSM server certificate if you use the new Red Hat Subscription Management content provider, or the Satellite server certificate if you have a Red Hat Satellite and want to import from it. If you only use RHN as a provider, you can safely skip this section.

The process of installing a certificate in the trust store has three steps:

  1. Download the self-signed certificate from RHSM/Red Hat Satellite
  2. Install the self-signed certificate in the SA trust store
  3. Verify that openssl is validating the server certificate

The first step differs between RHSM and Red Hat Satellite; the last two steps are the same for both content providers.

Downloading the self-signed certificate

Download RHSM self-signed certificate

The RHSM server certificate is not signed by a public certificate authority. Use the openssl tool to download the certificate chain for cdn.redhat.com. After the download, extract the last certificate in the chain, the one issued by Entitlement Master CA, and copy it into a .pem file.

An example command to download the certificate chain for RHSM:

/opt/opsware/bin/openssl s_client -connect cdn.redhat.com:443 -prexit -showcerts

Note The latest released version of openssl (i.e., openssl-1.0.2h) does not work with HTTP proxies. The easiest option is to use a web browser to download the certificate.

Download Red Hat Satellite self-signed certificate

The Red Hat Satellite server publishes its self-signed certificate at /pub/RHN-ORG-TRUSTED-SSL-CERT. Run the following command to download the certificate file:

wget -O /tmp/RHN-ORG-TRUSTED-SSL-CERT http://redhat.satellite.hostname/pub/RHN-ORG-TRUSTED-SSL-CERT

If you need proxy access to the Red Hat Satellite server, export the http_proxy environment variable and wget will use the exported value.

Installing the self-signed certificate in HPE SA trust store

At the end of the downloaded certificate file, a block similar to the following appears:

-----BEGIN CERTIFICATE-----
MIIE4TCCA8mgAwIBAgIJANwa5OFPkBHHMA0GCSqGSIb3DQEBCwUAMIGGMQswCQYD
haXhmbq+5pEkpxGAactW+tORsJmpgTdAXeq2rreYtgZ2/vCwdM0iwSVakGNFAvni
T9lnSVrADcO/S8V/DzcH30RzSpIS44beE23zag82019fCrsZg9VkYJER4Fn0tRq4
6U9I4OgBSPSU34MXclGld0BAN+mANWHQYacZ7hHQJtMRP+mc8ZgHIvsKNnKRoHOd
Rhla7cP7GYrXn/piQAxRW66fOYJOeVIsAWJvgUb+A8ecwb+s6k56cQdLKkm0wKD0
2zUFMAg=
-----END CERTIFICATE-----

Append the block to the end of /opt/opsware/openssl/cert.pem. At this point the certificate is installed in the HPE SA trust store. Next, ensure that the openssl tool can verify the RHSM and/or Red Hat Satellite server certificate.

Verifying that openssl is validating the server certificate

After the CA certificate is installed in the HPE SA trust store, verify that the SA-bundled openssl validates the installed certificate before running the importer. To do so, run the following command:

/opt/opsware/bin/openssl s_client -connect rhsm.or.satellite.hostname:443 -verify 3

If the verification succeeds, the following message appears at the end of the output:

Verify return code: 0 (ok)

In case of an error, a return code other than 0 appears, for example:

Verify return code: 21 (unable to verify the first certificate)

Note Since openssl cannot work behind a proxy, the above command might not work if there is an HTTP proxy in your local network.