Import SSL Certificates
This section covers how to configure SSL certificate for new SUSE Multi-Linux Manager installation, and how to replace existing certificates.
Before you begin, ensure you have:
-
A certificate authority (CA) SSL public certificate. If you are using a CA chain, all intermediate CAs must also be available.
-
An SSL server private key
-
An SSL server certificate
-
An SSL database private key
-
An SSL database certificate
All files must be in PEM format.
The hostname of the SSL server certificate must match the fully qualified hostname of the machine you deploy them on.
You can set the hostnames in the X509v3 Subject Alternative Name section of the certificate.
You can also list multiple hostnames if your environment requires it.
Supported Key types are RSA and EC (Elliptic Curve).
|
Database SSL certificates require |
Third-party authorities commonly use intermediate CAs to sign requested server certificates.
In this case, all CAs in the chain are required to be available.
The mgrdadm commands are taking care of ordering the certificates.
Ideally, the root CA should be in its own file.
The server certificate file should contain the server certificate first, followed by all intermediate CA certificates in order.
1. Import Certificates for New Installations
By default, SUSE Multi-Linux Manager uses a self-signed certificate. Certificates can be imported with third-party certificates at the installation time.
Deploy the SUSE Multi-Linux Manager Server according to the instructions in Install SUSE Multi-Linux Manager Server. Make sure to pass the correct files as parameters to
mgradm install podman. The parameters are:3rd Party SSL Certificate Flags: --ssl-ca-intermediate strings Intermediate CA certificate path --ssl-ca-root string Root CA certificate path --ssl-server-cert string Server certificate path --ssl-server-key string Server key path --ssl-db-ca-intermediate strings Intermediate CA certificate path for the database if different from the server one --ssl-db-ca-root string Root CA certificate path for the database if different from the server one --ssl-db-cert string Database certificate path --ssl-db-key string Database key path
Intermediate CAs can either be available in the file which is specified with --ssl-ca-root, or specified as extra options with --ssl-ca-intermediate.
The --ssl-ca-intermediate option can be specified multiple times.
2. Import certificates for new proxy installations
The proxy certificates are embedded in the generated configuration. In order to use a third-party certificate, it needs to be provided during the configuration.
Install the SUSE Multi-Linux Manager Proxy according to the instructions in Install SUSE Multi-Linux Manager Proxy.
Follow the prompts to complete setup.
Use the same certificate authority (CA) to sign all certificates for servers and proxies. Certificates signed with different CAs do not match.
3. Replace certificates
You can replace active certificates on your SUSE Multi-Linux Manager installation with a new certificate. There are two cases to consider: replacing only the server or database certificate, and replacing the root CA.
Replacing the root certificate requires more time and planning to avoid disruption as all the registered proxies and systems will need to have the new CA in their database before switching to it at the server level.
When using third-party certificates signed by an intermediate CA, the intermediate CA certificates need to be appended to the server or database certificate file.
The order is important: first comes the server certificate, then the CAs from the one which signed the certificate to the one signed by the root CA. The root CA certificate should not be appended to the server certificate file.
The following considers that you have
root-ca.pem,intermediate-ca1.pem,intermediate-ca2.pem,server.pemandserver.keyfiles. It may be different depending on the number of intermediate CAs in the server certificate signature chain.Combine the intermediate CAs and server certificates. The order matters, the server must be first and the intermediate CAs in order. Do not add the root CA last into the chain as it will be passed separately to
uyuni-caanduyuni-db-casecrets. If there is no intermediate CA, then you can use theserver.peminstead of the combined file in the next steps.cat server.pem intermediate-ca1.pem intermediate-ca2.pem >combined-server.pemOn the SUSE Multi-Linux Manager container host, at the command prompt, recreate podman certificate secrets passing the files paths:
podman secret create --replace uyuni-ca $path_to_ca_certificate podman secret create --replace uyuni-cert $path_to_combined_server_certificate podman secret create --replace uyuni-key $path_to_server_key podman secret create --replace uyuni-db-ca $path_to_database_ca_certificate podman secret create --replace uyuni-db-cert $path_to_combined_database_certificate podman secret create --replace uyuni-db-key $path_to_database_key
On the container host, restart the server to pick up the changes:
mgradm restart
If you are using a proxy, you need to generate a server certificate RPM for each proxy, using their hostnames and cnames. Generate a new configuration tarball and deploy it.
For more information, see installation-and-upgrade:container-deployment/mlm/proxy-deployment-mlm.adoc#_generate_proxy_configuration.
If the Root CA was changed, it needs to get deployed to all the clients connected to SUSE Multi-Linux Manager. This is ideally done in advance to minimize the disruption.
|
If the CA certificate was updated, a RPM file with Kiwi certificate needs to be repackaged. On the SUSE Multi-Linux Manager Server container host, execute following command: After that, apply highstate on the Image Build hosts to deploy the new certificates for Kiwi to use. |
In the SUSE Multi-Linux Manager Web UI, navigate to .
Check all your clients to add them to the system set manager.
Navigate to .
In the
Statesfield, click Apply to apply the system states.In the
Highstatepage, click Apply Highstate to propagate the changes to the clients.