Import SSL Certificates

This section covers how to configure SSL certificate for new SUSE Manager installation, and how to replace existing certificates.

Before you begin, ensure you have:

  • A certificate authority (CA) SSL public certificate. If you are using a CA chain, all intermediate CAs must also be available.

  • An SSL server private key

  • An SSL server certificate

All files must be in PEM format.

The hostname of the SSL server certificate must match the fully qualified hostname of the machine you deploy them on. You can set the hostnames in the X509v3 Subject Alternative Name section of the certificate. You can also list multiple hostnames if your environment requires it. Supported Key types are RSA and EC (Elliptic Curve).

Third-party authorities commonly use intermediate CAs to sign requested server certificates. In this case, all CAs in the chain are required to be available. If there is no extra parameter or option available to specify intermediate CAs, take care that all CAs (Root CA and intermediate CAs) are stored in one file.

1. Import Certificates for New Installations

By default, SUSE Manager uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.

Procedure: Import Certificates on a New SUSE Manager Server

  1. Install the SUSE Manager Server according to the instructions in Installation.

  2. Complete the initial setup according to SUSE Manager Server Setup.

  3. At the command prompt, point the SSL environment variables to the certificate file locations:

    export CA_CERT=<path_to_CA_certificates_file>
export SERVER_KEY=<path_to_web_server_key>
export SERVER_CERT=<path_to_web_server_certificate>

  4. Complete SUSE Manager setup:

    yast susemanager_setup

    When you are prompted for certificate details during setup, fill in random values. The values are overridden by the values you specified at the command prompt.

Execute the yast susemanager_setup command from the same shell you exported the environment variables from.

2. Import Certificates for New Proxy Installations

By default, SUSE Manager Proxy uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.

Procedure: Import Certificates on a New SUSE Manager Proxy

  1. Install the SUSE Manager Proxy according to the instructions in Installation.

  2. Complete the initial setup according to SUSE Manager Proxy Setup.

  3. At the command prompt, run:

    configure-proxy.sh

  4. At the Do you want to import existing certificates? prompt, type y.

  5. Follow the prompts to complete setup.

Use the same certificate authority (CA) to sign all server certificates for servers and proxies. Certificates signed with different CAs do not match.

3. Replace Certificates

You can replace active certificates on your SUSE Manager installation with a new certificate. To replace the certificates, you can replace the installed CA certificate with the new CA, and then update the database.

3.1. On the Server

Procedure: Replacing Existing Certificates

  1. On the SUSE Manager Server, at the command prompt, call the command mgr-ssl-cert-setup with the certificates as parameters:

    mgr-ssl-cert-setup --root-ca-file=<Path_to_Root_CA_Certificate> \
  --server-cert-file=<Server_Cert_File> --server-key-file=<Server_Key_File>

Intermediate CAs can either be available in the file which is specified with --root-ca-file or specified as extra options with --intermediate-ca-file. The --intermediate-ca-file option can be specified multiple times. This command performs a number of tests on the provided files to test if they are valid and can be used for the requested use case.

  1. Restart services to pick up the changes:

    spacewalk-service stop
systemctl restart postgresql.service
spacewalk-service start

3.2. On the Proxy

If you are using a proxy, you need to generate a server certificate for the proxy on the SUSE Manager server and copy the files to the proxy. Alternatively, you let your own Certificate Authority generate these files and provide them on the proxy. After the files are availableon the proxy, use mgr-ssl-cert-setup also on a SUSE Manager Proxy to replace the certificates. Because the SUSE Manager Proxy does not have a postgreSQL database, the dedicated proxy restart command is sufficient:

spacewalk-proxy restart

3.3. Deploy the Root CA on Salt Clients

If the Root CA was changed, it needs to get deployed to all the clients connected to SUSE Manager.

Procedure: Deploying the Root CA on Salt Clients

  1. In the SUSE Manager Web UI, navigate to Systems  Overview.

  2. Check all your Salt Clients to add them to the system set manager.

  3. Navigate to Systems  System Set Manager  Overview.

  4. In the States field, click Apply to apply the system states.

  5. In the Highstate page, click Apply Highstate to propagate the changes to the clients.

3.4. Extra handling of traditional Clients

Traditional Clients are deprecated and should be replaced with Salt Client.

If the CA needs to be replaced when there are still traditional managed clients connected to SUSE Manager some extra steps are required.

Important is, that the clients do not get disconnected when the new CA is activated on the SUSE Manager Server and Proxies. Deploy the 'old' and the 'new' Root CA certificates to the affected clients and trust them. Use a configuration channel to deploy the certificte files to the clients and the remote command feature to regenerate the trust store.

After the new certificates are activated on the SUSE Manager Server and Proxies, test if the connections are working and actions can still be scheduled on the clients. If this is the case, the 'old' Root CA can be removed from clients.