Import SSL Certificates

By default, SUSE Manager uses a self-signed certificate. For additional security, you can import a custom certificate, signed by a third party certificate authority (CA).

This section covers how to use an imported SSL certificate with a new SUSE Manager installation, and how to replace existing self-signed certificates with imported certificates.

Before you begin, ensure you have:

  • A certificate authority (CA) SSL public certificate. If you are chaining CAs, it must include the root CA, and all intermediate CAs.

  • An SSL server key

  • An SSL server certificate

Your key and certificate files must be in PEM format.

The host name of the SSL keys and certificates must match the fully qualified host name of the machine you deploy them on. You can set the host names in the X509v3 Subject Alternative Name section of the certificate. You can also list multiple host names if your environment requires it.

Third-party authorities commonly use intermediate CAs to sign requested server certificates. In this case, all CAs in the chain are required to be available in a single file to deploy the CA to the clients.

1. Import Certificates for New Installations

By default, SUSE Manager uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.

Procedure: Import Certificates on a New SUSE Manager Server

  1. Install the SUSE Manager Server according to the instructions in Installation.

  2. Complete the initial setup according to SUSE Manager Server Setup.

  3. At the command prompt, point the SSL environment variables to the certificate file locations:

    export CA_CERT=<path_to_CA_certificates_file>
export SERVER_KEY=<path_to_web_server_key>
export SERVER_CERT=<path_to_web_server_certificate>

  4. Complete SUSE Manager setup:

    yast susemanager_setup

    When you are prompted for certificate details during setup, fill in random values. The values are overridden by the values you specified at the command prompt.

Execute the yast susemanager_setup command from the same shell you exported the environment variables from.

2. Import Certificates for New Proxy Installations

By default, SUSE Manager Proxy uses a self-signed certificate. After you have completed the initial setup, you can replace the default certificate with an imported certificate.

Procedure: Import Certificates on a New SUSE Manager Proxy

  1. Install the SUSE Manager Proxy according to the instructions in Installation.

  2. Complete the initial setup according to SUSE Manager Proxy Setup.

  3. At the command prompt, run:

    configure-proxy.sh

  4. At the Do you want to import existing certificates? prompt, type y.

  5. Follow the prompts to complete setup.

Use the same certificate authority to sign all server certificates for servers and proxies. Certificates signed with different CAs do not match.

3. Replace Certificates with a Third Party Certificate

You can replace active certificates on your SUSE Manager installation with a new third party certificate. To replace the certificates, you can replace the installed CA certificate RPM with a new RPM containing the third party certificate, and then update the database.

This procedure is similar to the one described in administration:ssl-certs-selfsigned.adoc#ssl-certs-selfsigned-create-replace. The difference is that we import the certificates generated by an external PKI.

Procedure: Replacing Existing Certificates

  1. On the SUSE Manager Server, at the command prompt, move the old certificate directory to a backup location:

    mv /root/ssl-build /root/old-ssl-build

  2. Generate a CA certificate RPM from the new certificate:

    rhn-ssl-tool --gen-ca --rpm-only --dir="/root/ssl-build" --from-ca-cert=<Path_to_CA_Certificates>

  3. Generate a new server certificate RPM:

    rhn-ssl-tool --gen-server --rpm-only --dir="/root/ssl-build" --from-server-key=<Server_Key_File> --from-server-cert=<Server_Cert_File>

When you create the new server certificate RPM, you might get a warning that server certificate request file could not be found. This file is not required, and the procedure completes correctly without it. However, if you want to avoid the error, you can copy the file into the server directory, and name it server.csr:

cp <Certificate_Request_File>.csr /root/ssl-build/<Server_Name>/server.csr

When you have created the new ssl-build directory, you can create combined certificate RPMs and deploy them on the clients. For the procedures to do this, see Self-Signed SSL Certificates.

If you are using a proxy, you need to generate a server certificate RPM for each proxy, using their host names and cnames.