Self-Signed SSL Certificates

By default, SUSE Manager uses a self-signed certificate. In this case, the certificate is created and signed by SUSE Manager. This method does not use an independent certificate authority to guarantee that the details of the certificate are correct. Third-party CAs perform checks to ensure that the information contained in the certificate is correct.

This section covers how to create or re-create your self-signed certificates on a new or existing installation.

The hostname of the SSL keys and certificates must match the fully qualified hostname of the machine you deploy them on.

1. Re-Create Existing Server Certificates

If your existing certificates have expired or stopped working for any reason, you can generate a new server certificate from the existing CA.

Procedure: Re-Creating an Existing Server Certificate
  1. On the SUSE Manager Server, at the command prompt, regenerate the server certificate:

    rhn-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \
    --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \
    --set-org-unit="ORGANIZATION UNIT" --set-email="name@example.com" \
    --set-hostname="susemanager.example.com" --set-cname="example.com" --no-rpm

    Ensure that the set-cname parameter is the fully qualified domain name of your SUSE Manager Server. You can use the set-cname parameter multiple times if you require multiple aliases.

The private key and the server certificate can be found in the directory /root/ssl-build/susemanager/ as server.key and server.crt. The name of the last directory depends on the hostname used with the --set-hostname option.

Deploy the new certificate and key using the mgr-ssl-cert-setup tool. For more information, see administration:ssl-certs-imported.adoc#ssl-certs-import-replace.

2. Create a new CA and Server Certificates

Be careful when you need to replace the Root CA. It is possible to break the trust chain between the server and clients. If that happens, you need an administrative user to log in to every client and deploy the CA directly.

Procedure: Creating New Certificates
  1. On the SUSE Manager Server, at the command prompt, move the old certificate directory to a new location:

    mv /root/ssl-build /root/old-ssl-build
  2. Generate a new CA certificate:

    rhn-ssl-tool --gen-ca --dir="/root/ssl-build" --set-country="COUNTRY" \
    --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \
    --set-org-unit="ORGANIZATION UNIT" --set-common-name="SUSE Manager CA Certificate" \
    --set-email="name@example.com"
  3. Generate a new server certificate:

    rhn-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \
    --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \
    --set-org-unit="ORGANIZATION UNIT" --set-email="name@example.com" \
    --set-hostname="susemanager.example.top" --set-cname="example.com"

    Ensure that the set-cname parameter is the fully qualified domain name of your SUSE Manager Server. You can use the set-cname parameter multiple times if you require multiple aliases.

    You also need to generate a server certificate for each proxy, using its own hostname and cnames.
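A post-generation check that fits after either of the two procedures above, added here as an example and not part of the SUSE Manager documentation or tooling: before handing the files to mgr-ssl-cert-setup, it confirms that the server certificate chains to the CA, matches its private key, carries the FQDN given with --set-hostname or --set-cname, and is not about to expire. It assumes openssl is installed and that the CA certificate is the file rhn-ssl-tool writes as /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT (an assumption; adjust the paths in the usage comment to your layout).

```shell
#!/bin/sh
# Added example (not from the SUSE Manager docs): sanity-check a freshly
# generated CA + server certificate pair before deploying it with
# mgr-ssl-cert-setup. Assumes openssl is installed and that the CA file is
# /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT (assumed rhn-ssl-tool default).
#
# Usage: check_server_cert CA_CERT SERVER_CERT SERVER_KEY FQDN
# Returns 0 only if every check passes; prints one FAIL line per problem.
check_server_cert() {
    ca="$1"; crt="$2"; key="$3"; fqdn="$4"; rc=0

    # 1. Trust chain: the CA must have signed the server certificate.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt is not signed by $ca (trust chain broken)"; rc=1
    fi

    # 2. Key/certificate match: both must embed the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt"; rc=1
    fi

    # 3. Hostname: the FQDN must be the CN or a DNS subjectAltName entry,
    #    otherwise clients reject the certificate as a hostname mismatch.
    esc=$(printf '%s\n' "$fqdn" | sed 's/\./\\./g')
    if ! openssl x509 -in "$crt" -noout -text 2>/dev/null \
         | grep -Eq '(CN ?= ?|DNS:)'"$esc"'(,| |$)'; then
        echo "FAIL: $fqdn is neither CN nor subjectAltName in $crt"; rc=1
    fi

    # 4. Validity: fail if expired or expiring within the next 30 days.
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1; then
        echo "FAIL: $crt has expired or expires within 30 days"; rc=1
    fi
    return "$rc"
}

# Run directly with the four values, e.g. for the first procedure above:
#   sh check-cert.sh /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT \
#      /root/ssl-build/susemanager/server.crt \
#      /root/ssl-build/susemanager/server.key susemanager.example.com
if [ "$#" -eq 4 ]; then check_server_cert "$@"; fi
```

Run it once per server and proxy certificate, passing each cname you set as the FQDN argument, so every alias clients may connect to is covered.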