Import SSL Certificates
This section covers how to configure SSL certificate for new SUSE Manager installation, and how to replace existing certificates.
Before you begin, ensure you have:
-
A certificate authority (CA) SSL public certificate. If you are using a CA chain, all intermediate CAs must also be available.
-
An SSL server private key
-
An SSL server certificate
All files must be in PEM format.
The host name of the SSL server certificate must match the fully qualified host name of the machine you deploy them on.
You can set the host names in the X509v3 Subject Alternative Name
section of the certificate.
You can also list multiple host names if your environment requires it.
Supported Key types are RSA
and EC
(Elliptic Curve).
Third-party authorities commonly use intermediate CAs to sign requested server certificates. In this case, all CAs in the chain are required to be available. If there is no extra parameter or option available to specify intermediate CAs, take care that all CAs (Root CA and intermediate CAs) are stored in one file.
1. Import Certificates for New Installations
By default, SUSE Manager uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.
-
Deploy the SUSE Manager Server according to the instructions in Deploy SUSE Manager 5.0 Server. Make sure to pass the correct files as parameters to
mgradm install podman
. The parameters are:3rd Party SSL Certificate Flags: --ssl-ca-intermediate strings Intermediate CA certificate path --ssl-ca-root string Root CA certificate path --ssl-server-cert string Server certificate path --ssl-server-key string Server key path
2. Import Certificates for New Proxy Installations
By default, SUSE Manager Proxy uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.
-
Install the SUSE Manager Proxy according to the instructions in Deploy a SUSE Manager 5.0 Proxy.
-
Follow the prompts to complete setup.
Use the same certificate authority to sign all server certificates for servers and proxies. Certificates signed with different CAs do not match. |
3. Replace Certificates
You can replace active certificates on your SUSE Manager installation with a new certificate. To replace the certificates, you can replace the installed CA certificate with the new CA, and then update the database.
-
On the SUSE Manager Server, at the command prompt, call the command
mgr-ssl-cert-setup
and provide the certificates as parameters:mgrctl exec -- mgr-ssl-cert-setup --root-ca-file=<Path_to_Root_CA_Certificate> --server-cert-file=<Server_Cert_File> --server-key-file=<Server_Key_File>
Intermediate CAs can either be available in the file which is specified with --root-ca-file
or specified as extra options with --intermediate-ca-file
.
The --intermediate-ca-file
option can be specified multiple times.
This command performs a number of tests on the provided files to test if they are valid and can be used for the requested use case.
-
Restart services to pick up the changes:
mgrctl exec -- spacewalk-service stop mgrctl exec -- systemctl restart postgresql.service mgrctl exec -- spacewalk-service start
If you are using a proxy, you need to generate a server certificate RPM for each proxy, using their host names and cnames.
You should use mgr-ssl-cert-setup
also on a SUSE Manager Proxy to replace the certificates.
Because the SUSE Manager Proxy does not have a postgreSQL database, only spacewalk-service restart
is sufficient.
If the Root CA was changed, it needs to get deployed to all the clients connected to SUSE Manager.
-
In the SUSE Manager Web UI, navigate to
. -
Check all your Salt Clients to add them to the system set manager.
-
Navigate to
. -
In the
States
field, click Apply to apply the system states. -
In the
Highstate
page, click Apply Highstate to propagate the changes to the clients.