Import SSL certificates
This section describes how to configure SSL certificates for a new SUSE Multi-Linux Manager installation, and how to replace existing certificates.
Before you begin, make sure you have:
- A certificate authority (CA) SSL public certificate. If you are using a CA chain, all intermediate CAs must also be available.
- An SSL server private key
- An SSL server certificate
- An SSL database private key
- An SSL database certificate
All files must be in PEM format.
The hostname of the SSL server certificate must match the fully qualified hostname of the machine it is deployed to. You can set the hostname in the X509v3 Subject Alternative Name section of the certificate, and you can list multiple hostnames there if your environment requires it. The supported key types are RSA and EC (elliptic curve).
The database SSL certificate's
Third-party authorities commonly use intermediate CAs to sign requested server certificates. In this case, all CAs in the chain are required to be available. The mgradm commands take care of ordering the certificates. Ideally, the root CA should be in its own file. The server certificate file should contain the server certificate first, followed by all intermediate CA certificates in order.
1. Import certificates for new installations
By default, SUSE Multi-Linux Manager uses a self-signed certificate. Third-party certificates can be imported at installation time.
Deploy the SUSE Multi-Linux Manager Server according to the instructions in Installing the SUSE Multi-Linux Manager Server. Make sure to pass the correct files as parameters to mgradm install podman. The parameters include:
Third-party SSL certificate flags:
  --ssl-ca-intermediate string      Path to the intermediate CA certificate
  --ssl-ca-root string              Path to the root CA certificate
  --ssl-server-cert string          Path to the server certificate
  --ssl-server-key string           Path to the server key
  --ssl-db-ca-intermediate string   Path to the intermediate CA certificate for the database (if different from the server's)
  --ssl-db-ca-root string           Path to the root CA certificate for the database (if different from the server's)
  --ssl-db-cert string              Path to the database certificate
  --ssl-db-key string               Path to the database key
Intermediate CAs can either be available in the file which is specified with --ssl-ca-root, or specified as extra options with --ssl-ca-intermediate. The --ssl-ca-intermediate option can be specified multiple times.
2. Import certificates for new proxy installations
The proxy certificates are embedded in the generated configuration. In order to use a third-party certificate, it needs to be provided during the configuration.
Install the SUSE Multi-Linux Manager Proxy according to the instructions in Installing the SUSE Multi-Linux Manager Proxy.
Follow the prompts to complete the setup.
Use the same certificate authority (CA) to sign all certificates for servers and proxies. Certificates signed with different CAs do not match.
3. Replace certificates
You can replace active certificates on your SUSE Multi-Linux Manager installation with a new certificate. There are two cases to consider: replacing only the server or database certificate, and replacing the root CA.
Replacing the root certificate requires more time and planning to avoid disruption as all the registered proxies and systems will need to have the new CA in their database before switching to it at the server level.
When using third-party certificates signed by an intermediate CA, the intermediate CA certificates need to be appended to the server or database certificate file.
The order is important: first comes the server certificate, then the CAs from the one which signed the certificate to the one signed by the root CA. The root CA certificate should not be appended to the server certificate file.
The following assumes that you have the files root-ca.pem, intermediate-ca1.pem, intermediate-ca2.pem, server.pem and server.key. Your set of files may differ depending on the number of intermediate CAs in the server certificate signature chain.
Combine the intermediate CAs and the server certificate. The order matters: the server certificate must come first, followed by the intermediate CAs in order. Do not append the root CA to the chain, as it is passed separately to the uyuni-ca and uyuni-db-ca secrets. If there is no intermediate CA, you can use server.pem instead of the combined file in the next steps.
cat server.pem intermediate-ca1.pem intermediate-ca2.pem > combined-server.pem
On the SUSE Multi-Linux Manager container host, at the command prompt, recreate the podman certificate secrets, passing the file paths:
podman secret create --replace uyuni-ca $path_to_ca_certificate
podman secret create --replace uyuni-cert $path_to_combined_server_certificate
podman secret create --replace uyuni-key $path_to_server_key
podman secret create --replace uyuni-db-ca $path_to_database_ca_certificate
podman secret create --replace uyuni-db-cert $path_to_combined_database_certificate
podman secret create --replace uyuni-db-key $path_to_database_key
On the container host, restart the services to apply the changes:
mgradm restart
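A wrong chain order, an appended root CA, a key that does not belong to the certificate, or a certificate whose Subject Alternative Name does not carry the server's fully qualified hostname are only discovered once the containers come back up with the new secrets. The script below is an added example, not part of the SUSE documentation or of mgradm: it checks a combined server certificate file against the rules stated on this page before the podman secrets are recreated. It assumes openssl is installed on the container host, uses the file names from this page (root-ca.pem, combined-server.pem, server.key), and takes the hostname to look for in the SAN as an argument; mlm.example.com is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the SUSE Multi-Linux Manager documentation or of
# mgradm: sanity-check a combined server certificate file before it is loaded
# into the uyuni-cert secret. Assumes openssl is on PATH and the file names
# follow the page (root-ca.pem, combined-server.pem, server.key); the FQDN to
# match against the Subject Alternative Name is passed in as an argument.

# Print the Nth PEM certificate block (1-based) of a bundle.
pem_block() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ }
                   i == n { print }
                   /-----END CERTIFICATE-----/ { if (i == n) exit }' "$1"
}

# Number of certificates in a bundle (0 when there are none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Distinguished name of a PEM block, with the "subject=" / "issuer=" prefix stripped.
dn_of() {
    printf '%s\n' "$2" | openssl x509 -noout "-$1" | sed 's/^[^=]*=//'
}

# check_server_bundle ROOT_CA COMBINED KEY FQDN
# Returns 0 when COMBINED is laid out the way the page requires: the server
# certificate first, then the intermediates from the signing CA up to the one
# signed by the root, no root CA appended, the key matching, the SAN matching.
check_server_bundle() {
    root_ca=$1 combined=$2 key=$3 fqdn=$4
    n=$(pem_count "$combined")
    [ "$n" -ge 1 ] || { echo "FAIL: no certificate found in $combined"; return 1; }

    first=$(pem_block "$combined" 1)

    # 1. The server certificate must come first, so the first block is not a CA.
    if printf '%s\n' "$first" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: first certificate in $combined is a CA; the server certificate must be first"
        return 1
    fi

    # 2. The SAN must list the fully qualified hostname the server is deployed to.
    if ! printf '%s\n' "$first" | openssl x509 -noout -text | tr ',' '\n' \
            | sed 's/^ *//' | grep -qx "DNS:$fqdn"; then
        echo "FAIL: $fqdn is not in the Subject Alternative Name of the server certificate"
        return 1
    fi

    # 3. The private key (RSA or EC) must match the server certificate's public key.
    cert_pub=$(printf '%s\n' "$first" | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the server certificate"
        return 1
    fi

    # 4. Each block must be issued by the next one, and no block may be
    #    self-signed: the root CA belongs in the uyuni-ca secret, not here.
    i=1
    while [ "$i" -le "$n" ]; do
        blk=$(pem_block "$combined" "$i")
        if [ "$(dn_of subject "$blk")" = "$(dn_of issuer "$blk")" ]; then
            echo "FAIL: certificate $i in $combined is self-signed; do not append the root CA"
            return 1
        fi
        if [ "$i" -lt "$n" ]; then
            nxt=$(pem_block "$combined" $((i + 1)))
            if [ "$(dn_of issuer "$blk")" != "$(dn_of subject "$nxt")" ]; then
                echo "FAIL: certificate $((i + 1)) did not issue certificate $i (wrong chain order)"
                return 1
            fi
        fi
        i=$((i + 1))
    done

    # 5. Let openssl build the full path from the server certificate to the root CA.
    printf '%s\n' "$first" | openssl verify -CAfile "$root_ca" -untrusted "$combined" >/dev/null 2>&1 \
        || { echo "FAIL: chain in $combined does not verify against $root_ca"; return 1; }
    return 0
}

# Usage: sh check-server-bundle.sh root-ca.pem combined-server.pem server.key mlm.example.com
if [ "$#" -eq 4 ]; then
    check_server_bundle "$@" && echo "OK: $2 can be loaded into the uyuni-cert secret"
fi
```

Run it once for the server files and once for the database files (with the database CA as the first argument) before the podman secret create commands. Step 5 is the authoritative check; steps 1 to 4 only exist to say which of the page's rules was broken, since openssl verify reports a failed path build without naming the cause. The same ordering rule applies to the file passed with --ssl-server-cert at installation time.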
If you are using proxies, you need to generate a server certificate RPM for each proxy, using the hostname and cnames of the relevant proxy. Then generate a new configuration tarball and deploy it.
For details, see installation-and-upgrade:container-deployment/mlm/proxy-deployment-mlm.adoc#_generate_proxy_configuration.
If the Root CA was changed, it needs to get deployed to all the clients connected to SUSE Multi-Linux Manager. This is ideally done in advance to minimize the disruption.
If the CA certificate was updated, an RPM file with the Kiwi certificate needs to be repackaged. On the SUSE Multi-Linux Manager Server container host, execute the following command:
After that, apply the highstate on the Image Build hosts to deploy the new certificates for Kiwi to use.
In the SUSE Multi-Linux Manager Web UI, navigate to .
Select all clients to add them to the System Set Manager.
Navigate to .
In the States field, click Apply to apply the system states. On the Highstate page, click Apply Highstate to propagate the changes to the clients.