[Spacewalk-list] placing Satellite behind a VIP
wm-lists
wm-lists at nixpeeps.com
Fri May 23 15:09:25 UTC 2014
So I discovered that if I manually sign the csr generated by the
rhn-ssl-tool, the generated certificate has the SAN information in it.
I'm guessing that the rhn-ssl-tool probably is missing something from the
command line for signing. I've gone ahead and opened a support case with
Red Hat for this.
# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out /tmp/server.crt -extensions v3_req -extfile rhn-server-openssl.cnf
Signature ok
subject=<subject>
Getting Private key
# openssl x509 -text -in /tmp/server.crt -noout
...
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Subject Alternative Name:
        DNS:<Name 1>, DNS:<Name 2>, DNS:<Name 3>
On Fri, May 23, 2014 at 10:19 AM, wm-lists <wm-lists at nixpeeps.com> wrote:
> Thanks for the response Justin. So I've been messing w/ the rhn-ssl-tool
> this morning to generate new webserver certs with SANs in them. I can see
> in the .cnf file that the names are there:
> # pages where one requests the certificate...
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1 = <name1>
> DNS.2 = <name2>
> DNS.3 = <name3>
> DNS.4 = <name4>
>
> and I can see in the associated .csr file that the x509 output has the
> names
> X509v3 Subject Alternative Name:
> DNS:<name 1>, DNS:<name 2>, DNS:<name 3>, DNS:<name 4>
>
> But I don't see any output in the .crt file that would indicate the
> existence of SANs
>
> Should the .crt file have this information in it?
>
> X509v3 extensions:
>     X509v3 Basic Constraints:
>         CA:FALSE
>     X509v3 Key Usage:
>         Digital Signature, Key Encipherment
>     X509v3 Extended Key Usage:
>         TLS Web Server Authentication, TLS Web Client Authentication
>     Netscape Cert Type:
>         SSL Server
>     Netscape Comment:
>         RHN SSL Tool Generated Certificate
>     X509v3 Subject Key Identifier:
>         <numbers>
>     X509v3 Authority Key Identifier:
>         keyid:<key>
>         DirName<dir stuff>
>         serial:<serial>
>
>
> Thanks for any input...
>
> Will
>
>
> On Fri, May 16, 2014 at 2:55 PM, Justin Edmands <shockwavecs at gmail.com> wrote:
>
>> On Fri, May 16, 2014 at 12:36 PM, wm-lists <wm-lists at nixpeeps.com> wrote:
>>
>>> I'm in the process of placing my satellite server and its passive backup
>>> at our DR location behind a VIP address (rhn.domain.net). The VIP will
>>> forward traffic to whichever satellite is running (DR or Primary). I've
>>> already got the failover/backup db part figured out.
>>> What I'm trying to figure out is whether I need to do a
>>> spacewalk-hostname-rename on the primary satellite server and give it the
>>> new VIP name or is there a better process for this.
>>>
>>> The idea is that I can configure the DR server w/ the same SSL
>>> configuration, restore the current db backup to the DR location and start
>>> up satellite there in the event something happens to our primary server.
>>>
>>> Any thoughts about how to handle this?
>>>
>>> Thanks!
>>> Will
>>>
>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>
>> Well since you said the main reason is for SSL, just use a SAN. Subject
>> Alternative Name. If self signed, you can use quite a few. If provided by
>> 3rd party, I think most limit it to 5 SANs per cert.
>>
>>
>
>
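A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it lists SAN entries that a CSR requested but the issued certificate does not carry. The function names and the hostnames in the sample data are made up for illustration.

```shell
# Added example, not from the thread: list SANs a CSR requested that the
# issued certificate does not carry.

# Read `openssl ... -text` output on stdin; print one SAN entry per line.
san_entries() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' | sort -u
}

# missing_sans CSR_TEXT CERT_TEXT: print entries found in the first text
# dump but not in the second. No output means no SAN was dropped.
missing_sans() {
    cert_sans=$(san_entries < "$2")
    san_entries < "$1" | while IFS= read -r entry; do
        printf '%s\n' "$cert_sans" | grep -Fxq -- "$entry" ||
            printf '%s\n' "$entry"
    done
}

# check_cert_sans CSR_FILE CERT_FILE: same check on real PEM files.
# Returns 0 if all requested SANs are present, 1 if any is missing,
# 2 if openssl cannot read an input.
check_cert_sans() {
    work=$(mktemp -d) || return 2
    rc=2
    if openssl req -in "$1" -noout -text > "$work/csr" 2>/dev/null &&
       openssl x509 -in "$2" -noout -text > "$work/crt" 2>/dev/null; then
        lost=$(missing_sans "$work/csr" "$work/crt")
        if [ -z "$lost" ]; then rc=0; else rc=1; printf '%s\n' "$lost"; fi
    fi
    rm -rf "$work"
    return $rc
}

# Constructed sample dumps (made-up hostnames) shaped like the two outputs
# in the thread: the CSR has SANs, the tool-signed certificate has none.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/csr" <<'EOF'
X509v3 Subject Alternative Name:
    DNS:rhn.example.net, DNS:sat1.example.net, DNS:sat2.example.net
EOF
    cat > "$d/crt" <<'EOF'
X509v3 Key Usage:
    Digital Signature, Key Encipherment
EOF
    missing_sans "$d/csr" "$d/crt"
    rm -rf "$d"
}
```

Run `check_cert_sans server.csr server.crt` after each signing step; any line it prints is a name clients would fail to validate against the certificate.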