Import SSL Certificates

This section covers how to configure SSL certificate for new SUSE Manager installation, and how to replace existing certificates.

Before you begin, ensure you have:

  • A certificate authority (CA) SSL public certificate. If you are using a CA chain, all intermediate CAs must also be available.

  • An SSL server private key

  • An SSL server certificate

All files must be in PEM format.

The hostname of the SSL server certificate must match the fully qualified hostname of the machine you deploy them on. You can set the hostnames in the X509v3 Subject Alternative Name section of the certificate. You can also list multiple hostnames if your environment requires it. Supported Key types are RSA and EC (Elliptic Curve).

Third-party authorities commonly use intermediate CAs to sign requested server certificates. In this case, all CAs in the chain are required to be available. If there is no extra parameter or option available to specify intermediate CAs, take care that all CAs (Root CA and intermediate CAs) are stored in one file.

1. Import Certificates for New Installations

By default, SUSE Manager uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.

Procedure: Import Certificates on a New SUSE Manager Server

  1. Deploy the SUSE Manager Server according to the instructions in SUSE Manager 5.0 Server Deployment. Make sure to pass the correct files as parameters to mgradm install podman. The parameters are:

    3rd Party SSL Certificate Flags:
      --ssl-ca-intermediate strings   Intermediate CA certificate path
      --ssl-ca-root string            Root CA certificate path
      --ssl-server-cert string        Server certificate path
      --ssl-server-key string         Server key path

2. Import Certificates for New Proxy Installations

By default, SUSE Manager Proxy uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.

Procedure: Import Certificates on a New SUSE Manager Proxy

  1. Install the SUSE Manager Proxy according to the instructions in SUSE Manager 5.0 Proxy Deployment.

  2. Follow the prompts to complete setup.

Use the same certificate authority (CA) to sign all server certificates for servers and proxies. Certificates signed with different CAs do not match.

3. Replace Certificates

You can replace active certificates on your SUSE Manager installation with a new certificate. To replace the certificates, you can replace the installed CA certificate with the new CA, and then update the database.

Procedure: Replacing Existing Certificates

  1. On the SUSE Manager container host, at the command prompt, temporarily copy the certificate files to the container:

    for f in <Root_CA_Certificate> <Server_Cert_File> <Server_Key_File>; do
  mgrctl cp $f server:/tmp
done

  2. On the SUSE Manager container host, call the following command to run mgr-ssl-cert-setup inside the container providing certificates as parameters:

    mgrctl exec -ti -- mgr-ssl-cert-setup --root-ca-file=/tmp/<Root_CA_Certificate> \
  --server-cert-file=/tmp/<Server_Cert_File> --server-key-file=/tmp/<Server_Key_File>

  3. Remove the temporarily copied files from the container:

    mgrctl exec -ti -- rm /tmp/<Root_CA_Certificate> /tmp/<Server_Cert_File> \
  /tmp/<Server_Key_File>

Intermediate CAs can either be available in the file which is specified with --root-ca-file or specified as extra options with --intermediate-ca-file. The --intermediate-ca-file option can be specified multiple times. The mgr-ssl-cert-setup command tests if provided files are valid and suitable for the requested use case. The command then copies or deploys the files to all the places where they are needed.

Procedure: Restarting the Server

  1. On the containter host, restart the server to pick up the changes:

    mgradm restart

If you are using a proxy, you need to generate a server certificate RPM for each proxy, using their hostnames and cnames. Generate a new configuration tarball and deploy it.

For more information, see installation-and-upgrade:container-deployment/suma/proxy-deployment-suma.adoc#_generate_proxy_configuration.

If the Root CA was changed, it needs to get deployed to all the clients connected to SUSE Manager.

Procedure: Deploying the Root CA on Clients

  1. In the SUSE Manager Web UI, navigate to Systems  Overview.

  2. Check all your clients to add them to the system set manager.

  3. Navigate to Systems  System Set Manager  Overview.

  4. In the States field, click Apply to apply the system states.

  5. In the Highstate page, click Apply Highstate to propagate the changes to the clients.