Self-Signed SSL Certificates
By default, SUSE Manager uses a self-signed certificate. In this case, the certificate is created and signed by SUSE Manager. This method does not use an independent certificate authority to guarantee that the details of the certificate are correct. Third party CAs perform checks to ensure that the information contained in the certificate is correct. For more on third party CAs, see Import SSL Certificates.
This section covers how to create or re-create your self-signed certificates on new or existing installation.
The host name of the SSL keys and certificates must match the fully qualified host name of the machine you deploy them on.
1. Re-Create Existing Server Certificates
If your existing certificates have expired or stopped working for any reason, you can generate a new server certificate from the existing CA.
-
On the SUSE Manager Server, at the command prompt, regenerate the server certificate:
mgrctl exec -ti -- rhn-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \ --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \ --set-org-unit="ORGANIZATION UNIT" --set-email="name@example.com" \ --set-hostname="susemanager.example.com" --set-cname="example.com"
Ensure that the
set-cname
parameter is the fully qualified domain name of your SUSE Manager Server. You can use the theset-cname
parameter multiple times if you require multiple aliases.
The private key and the server certificate can be found in the directory /root/ssl-build/susemanager/
as server.key
and server.crt
.
The name of the last directory depends on the hostname used with --set-hostname
option.
2. Create a new CA and Server Certificates
Be careful when you need to replace the Root CA. It is possible to break the trust chain between the server and clients. If that happens, you need an administrative user to log in to every client and deploy the CA directly. |
-
On the SUSE Manager Server, at the command prompt, move the old certificate directory to a new location:
mgrctl exec -- mv /root/ssl-build /root/old-ssl-build
-
Generate a new CA certificate:
mgrctl exec -ti -- rhn-ssl-tool --gen-ca --dir="/root/ssl-build" --set-country="COUNTRY" \ --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \ --set-org-unit="ORGANIZATION UNIT" --set-common-name="SUSE Manager CA Certificate" \ --set-email="name@example.com"
-
Generate a new server certificate:
mgrctl exec -ti -- rhn-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \ --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \ --set-org-unit="ORGANIZATION UNIT" --set-email="name@example.com" \ --set-hostname="susemanager.example.top" --set-cname="example.com"
Ensure that the
set-cname
parameter is the fully qualified domain name of your SUSE Manager Server. You can use the theset-cname
parameter multiple times if you require multiple aliases.You need to generate a server certificate also for each proxy, using their host names and cnames.