Imported SSL Certificates
By default, SUSE Manager uses a self-signed certificate. For additional security, you can import a custom certificate, signed by a third party certificate authority (CA).
This section covers how to use an imported SSL certificate with a new SUSE Manager installation, and how to replace existing self-signed certificates with imported certificates.
Before you begin, ensure you have:
A certificate authority (CA) SSL public certificate
An SSL server key
An SSL server certificate
Your key and certificate files must be in PEM format.
The host name of the SSL keys and certificates must match the fully qualified host name of the machine you deploy them on. Set the host names in the X509v3 Subject Alternative Name (SAN) extension of the certificate; you can list multiple host names there if your environment requires it. TLS clients match the host name against the SAN entries, so a name that appears only in the subject Common Name is not sufficient.
By default, SUSE Manager uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.
Install the SUSE Manager Server according to the instructions in installation:install-intro.adoc.
Complete the initial setup according to installation:server-setup.adoc.
At the command prompt, in the same shell session that you will use to run setup, point the SSL environment variables to the imported certificate file locations:
export CA_CERT=<path_to_CA_certificate_file>
export SERVER_KEY=<path_to_web_server_key>
export SERVER_CERT=<path_to_web_server_certificate>
Complete SUSE Manager setup:
When you are prompted for certificate details during setup, you can enter placeholder values. They are overridden by the files you specified in the environment variables.
By default, SUSE Manager Proxy uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.
Install the SUSE Manager Proxy according to the instructions in installation:install-intro.adoc.
Complete the initial setup according to installation:proxy-setup.adoc.
At the command prompt, run:
At the Do you want to import existing certificates? prompt, type y.
Follow the prompts to complete setup.
Use the same certificate authority to sign the server certificates of the SUSE Manager Server and of every proxy. Clients trust only the CA certificate that is deployed to them, so a server or proxy certificate signed by a different CA fails verification.
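Before pointing the environment variables at the files on the server, or answering y at the proxy's import prompt, it is worth checking the material against the prerequisites listed at the top of this page and against the same-CA rule above. The following POSIX shell script is an added example that is not part of the SUSE Manager documentation or product; it only wraps standard openssl commands (x509, pkey, verify). The function names, the report format and the use of hostname -f to obtain the FQDN are the example's own assumptions. It checks that each file is PEM, that the server key and certificate carry the same public key, that the certificate chains to the CA certificate (openssl verify also rejects an expired certificate), and that the FQDN appears as a DNS entry in the subjectAltName.

```shell
#!/bin/sh
# Pre-flight checks for third-party certificate material before it is imported
# into SUSE Manager Server or Proxy. Added example, not part of the SUSE Manager
# documentation or product; it only wraps standard openssl commands.
#
# Usage: check_cert_material CA_CERT SERVER_KEY SERVER_CERT FQDN
#   CA_CERT      CA certificate (or CA bundle) in PEM format
#   SERVER_KEY   server private key in PEM format
#   SERVER_CERT  server certificate in PEM format
#   FQDN         fully qualified host name the certificate is deployed on
# Prints one line per check; exit status is 0 only if every check passed.

# True if FILE ($1) holds a PEM block whose label ends with LABEL ($2):
# CERTIFICATE, or "PRIVATE KEY" (which also accepts RSA/EC PRIVATE KEY headers).
# A CSR ("CERTIFICATE REQUEST") does not pass as CERTIFICATE.
is_pem() {
    grep -q "^-----BEGIN .*$2-----" "$1" 2>/dev/null &&
        grep -q "^-----END .*$2-----" "$1" 2>/dev/null
}

# Print the DNS names from the X509v3 Subject Alternative Name extension of
# certificate $1, one per line (empty output if the extension is absent).
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)[[:space:]]*$/\1/p'
}

# True if the DNS name $2 is listed exactly in the SAN of certificate $1.
san_has_name() {
    san_dns_names "$1" | grep -qxF -- "$2"
}

# True if private key $1 and certificate $2 carry the same public key.
# Both commands print the SubjectPublicKeyInfo as PEM, so a plain string
# comparison is enough.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True if certificate $2 verifies against CA file $1 (a bundle is accepted).
# openssl verify also fails on an expired or not-yet-valid certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run one check ($2...) under a label ($1) and record a failure globally.
report() {
    label=$1; shift
    if "$@"; then
        printf 'ok    %s\n' "$label"
    else
        printf 'FAIL  %s\n' "$label"
        checks_failed=1
    fi
}

check_cert_material() {
    checks_failed=0
    report "CA certificate is PEM: $1"                       is_pem "$1" CERTIFICATE
    report "server key is PEM: $2"                           is_pem "$2" "PRIVATE KEY"
    report "server certificate is PEM: $3"                   is_pem "$3" CERTIFICATE
    report "server key matches server certificate"           key_matches_cert "$2" "$3"
    report "server certificate chains to CA and is valid"    cert_chains_to_ca "$1" "$3"
    report "subjectAltName lists $4"                         san_has_name "$3" "$4"
    return "$checks_failed"
}

# Check the files exported for setup against this host (hostname -f is the
# example's assumption for obtaining the FQDN):
#   check_cert_material "$CA_CERT" "$SERVER_KEY" "$SERVER_CERT" "$(hostname -f)"
if [ "$#" -eq 4 ]; then
    check_cert_material "$@"
fi
```

Run it once per host: on the server with the server's FQDN, and for each proxy with the proxy's own key, certificate and FQDN against the same CA file. A FAIL on the chain check for a proxy certificate is exactly the mismatch the note above warns about. The SAN check is an exact match, so a wildcard entry shows as FAIL here even though TLS clients accept it; inspect the san_dns_names output in that case.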
You can replace active certificates on your SUSE Manager installation with a new third party certificate. To replace the certificates, you can replace the installed CA certificate RPM with a new RPM containing the third party certificate, and then update the database.
This procedure is similar to the one described in "Create and Replace CA and Server Certificates", with the difference that here the certificates come from an external PKI instead of being generated by SUSE Manager.
On the SUSE Manager Server, at the command prompt, move the old certificate directory to a backup location:
mv /root/ssl-build /root/old-ssl-build
Generate a CA certificate RPM from the new certificate:
rhn-ssl-tool --gen-ca --rpm-only --dir="/root/ssl-build" --from-ca-cert=<Path_to_CA_Certificate>
Generate a new server certificate RPM:
rhn-ssl-tool --gen-server --rpm-only --dir="/root/ssl-build" --from-server-key=<Server_Key_File> --from-server-cert=<Server_Cert_File>
When you create the new server certificate RPM, you might get a warning that the server certificate request file could not be found. This file is not required, and the procedure completes correctly without it. However, to avoid the warning, copy the request file into the server directory and name it server.csr:
cp <Certificate_Request_File>.csr /root/ssl-build/<Server_Name>/server.csr
When you have created the new ssl-build directory, you can create combined certificate RPMs and deploy them on the clients.
For the procedures to do this, see administration:ssl-certs-selfsigned.adoc.
If you are using proxies, generate a server certificate RPM for each proxy, using that proxy's own host name and any CNAMEs it is reached under.