[Spacewalk-list] Renewing Third-Party CA SSL Certificate with FQDN

Olly Mason ollymason at gmail.com
Fri Oct 30 15:18:24 UTC 2015


On 28 October 2015 at 02:14, Jun <junk at mle.org> wrote:

> Hoping someone can offer some advice on the following situation.
>
> Have an internal spacewalk 2.2 server that is using a third-party CA
> certificate (not an internal CA)
> * The CSR used for the current ssl certificate specified the CN with
> the short hostname (not FQDN).  For example, if hostname =
> myserver.domain.com, CN = myserver
> * The ssl certificate is expiring.
> * The third-party CA is no longer issuing ssl certificates for short
> hostnames
>
> Would like to use the same CA and minimize impact.
>
> Would something like this be sufficient; if not, appreciate any
> suggestions:
> * manually generate a new CSR with CN with fully qualified hostname
> using the existing server key
> * submit CSR to same third-party CA
> * backup /etc/httpd/conf/ssl.*, /etc/pki, /root/ssl-build,
> /var/www/html/pub, jabberd/server.pem
> install new third-party CA ssl certificate:
> During maintenance:
> * replace a copy of the new ssl certificate (.crt) and .csr in Apache
> directories
> * convert crt to pem and update /etc/pki/spacewalk/jabberd/server.pem
> * stop spacewalk
> * clear jabber database
> * start spacewalk
>
> Hoping the clients do not have to be updated (i.e.
> /etc/sysconfig/rhn/up2date or RHN-ORG-TRUSTED-SSL-CERT)
> Appears they are referencing the shortname (but the domain being used
> is in the dns search order)
>
> Thank you for your advice.
>

Hi Jun,
Whilst a manual creation of a CSR is possible, I believe you can also
generate it with rhn-ssl-tool - using set-hostname and set-cname to change
the CN and SANs (respectively, if you use them). I would advise using a
cname of your short name, if your CA will issue a cert including a short
name as a SAN. Depending on what you want to do with spacewalk this may be
enough:
* if you are not using SSL from the clients (serverURL in up2date doesn't
include https) then you don't even need the cname
* if you are using SSL from the clients but don't use osad, the URL needs
to match a SAN in the cert, but that's it. rhn_check, the yum client etc
don't require the CN of the server cert to match the hostname to which you
connect, only that it be a valid cert from an authority that your clients
trust.
* if you are using SSL from the clients and use osad, then I believe you
will need to change the spacewalk name (see spacewalk-hostname-rename) and
the serverURL on each client to match the CN of the cert. This is because
of domain names being used in the jabber protocol as well as on initial
connection, and a CN-specific check in the osad and osa-dispatcher jabber
clients.

RHN-ORG-TRUSTED-SSL-CERT is the CA cert of the spacewalk instance, and is
required in case of the CA not being trusted by your OS in general. It
won't need to change.

Regards,

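As an added illustration of the procedure discussed in this thread (this is not code from either poster, and it uses plain openssl in place of rhn-ssl-tool): the script below takes an existing server key, builds a CSR whose CN is the FQDN and whose SAN lists both the FQDN and the short name, stands in for the third-party CA with a self-signed certificate, assembles the combined key+cert PEM that jabberd expects, and then runs the same check a TLS client does (chain trusted and requested name matches a SAN, CN not consulted) against each hostname. The hostnames myserver.domain.com / myserver are the thread's own example values, the paths are a scratch directory, and the self-signing step is only a stand-in for the real CA-issued .crt.

```shell
#!/bin/sh
# Added example, not code from the thread. Hostnames are placeholders taken
# from the thread's example; everything lands in a scratch directory.
set -e
WORK="${WORK:-$(mktemp -d)}"
FQDN="myserver.domain.com"   # placeholder FQDN (the CN the CA now requires)
SHORT="myserver"             # placeholder short hostname (kept as a SAN)

# Stand-in for the existing server key; the real procedure reuses that key.
make_key() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

# CSR with CN = FQDN and a SAN carrying both the FQDN and the short name.
make_csr() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $FQDN
[v3_req]
subjectAltName = DNS:$FQDN, DNS:$SHORT
EOF
  openssl req -new -sha256 -key "$WORK/server.key" \
    -config "$WORK/san.cnf" -out "$WORK/server.csr"
}

# Print the SAN line of the CSR so it can be checked before submission.
csr_sans() {
  openssl req -in "$WORK/server.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Self-sign with the same extensions: a stand-in for the CA-issued .crt.
sign_csr() {
  openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
    -signkey "$WORK/server.key" -extfile "$WORK/san.cnf" -extensions v3_req \
    -out "$WORK/server.crt" 2>/dev/null
}

# jabberd's server.pem is the private key and the certificate concatenated.
make_jabber_pem() {
  cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/server.pem"
  grep -c 'BEGIN' "$WORK/server.pem"    # 2 blocks: key + cert
}

# Client-side check: chain trusted and the requested name matches a SAN.
# Exit status 0 = accepted, non-zero = rejected.
name_matches() {
  openssl verify -CAfile "$WORK/server.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

make_key && make_csr && sign_csr && make_jabber_pem >/dev/null
echo "CSR SANs: $(csr_sans)"
for n in "$FQDN" "$SHORT" "other.domain.com"; do
  if name_matches "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
done
```

Run as-is to see the FQDN and the short name accepted and an unrelated name rejected; with the real CA, submit server.csr and drop the returned .crt in place of the self-signed one before building server.pem. If the CA refuses the short-name SAN, the name_matches check for "myserver" is exactly what will start failing for clients whose serverURL still uses the short hostname.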