[Spacewalk-list] Auto-deploying renewed cert

Avi Miller avi.miller at oracle.com
Mon Oct 9 15:59:25 UTC 2017


Hi,


> On 9 Oct 2017, at 6:12 am, Daryl Rose <darylrose at outlook.com> wrote:
> 
> I am also thinking that Avi and I are not talking about the same cert. I am not using the signed cert from SW, but I am using a signed cert from a CA.

We are talking about the same certificate, but perhaps I'm not being clear. :) 

There are two certificates at play here:

1. The CA's SSL certificate chain (which is "RHN-ORG-TRUSTED-SSL-CERT")
2. The Spacewalk Server's certificate (which is "server.crt" in /root/ssl-build/<hostname>/)

When Spacewalk is installed using the default self-signed certificates, it first creates its own Certificate Authority (CA). In order for clients to validate certificates signed by this CA, you have to distribute the RHN-ORG-TRUSTED-SSL-CERT created by the installer to each client.

Using the replacement procedure from our documentation, you replace the Spacewalk generated CA certificate with the full keychain provided by your CA. This keychain has a pretty long lifespan (usually about 10 years).

Now, when you need to renew your Spacewalk Server certificate ("server.crt"), your CA is going to sign it with the *same* CA chain it used for the first one. Therefore, your clients do NOT need to be updated. They will continue to validate the renewed certificate installed on your Spacewalk Server with the existing RHN-ORG-TRUSTED-SSL-CERT you distributed initially.

The only times you have to replace RHN-ORG-TRUSTED-SSL-CERT are:

1. If you change your CA, e.g. if you switch SSL certificate providers
2. The CA certificate chain actually expires

I hope that makes more sense!

Thanks,
Avi

--
Oracle <http://www.oracle.com>
Avi Miller | Product Management Director | +61 (3) 8616 3496
Oracle Linux and Virtualization
417 St Kilda Road, Melbourne, Victoria 3004 Australia

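A way to check the point above against real certificates, as an added shell example that is not from the thread or from Spacewalk itself: it builds a throwaway CA standing in for RHN-ORG-TRUSTED-SSL-CERT, issues a server certificate under it, "renews" that certificate with the same CA, and verifies both against the original trust anchor with openssl. All paths, keys and subject names are constructed for the demonstration; nothing here touches a real installation.

```shell
#!/bin/sh
# Added example (not part of the original thread): a throwaway CA plus a server
# certificate issued and then renewed under it. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: a self-signed CA certificate, playing the role of the chain that
# Spacewalk distributes to clients as RHN-ORG-TRUSTED-SSL-CERT (10-year lifespan).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Org CA" \
  -keyout "$WORK/ca.key" -out "$WORK/RHN-ORG-TRUSTED-SSL-CERT" 2>/dev/null

# issue_server_cert OUTFILE: fresh key and CSR for the server, signed by the CA.
# Calling it twice models the original server.crt and its renewal by the same CA.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=spacewalk.example.org" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/RHN-ORG-TRUSTED-SSL-CERT" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -out "$1" 2>/dev/null
}

# verify_with_trust_anchor CAFILE CERT: exit 0 if CERT chains to CAFILE, else 1.
# This is the check a client performs with its distributed RHN-ORG-TRUSTED-SSL-CERT.
verify_with_trust_anchor() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_expires_within CAFILE SECONDS: exit 0 if the CA cert expires within SECONDS,
# i.e. the one case (besides changing CA) where clients need a new anchor.
ca_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

issue_server_cert "$WORK/server.crt"          # the original server.crt
issue_server_cert "$WORK/server-renewed.crt"  # the renewed one, same CA

# A second, unrelated CA models switching certificate providers: the old trust
# anchor must not validate a certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other-ca.crt" 2>/dev/null

verify_with_trust_anchor "$WORK/RHN-ORG-TRUSTED-SSL-CERT" "$WORK/server-renewed.crt" \
  && echo "renewed server.crt validates with the existing trust anchor"
```

Run it on a host with openssl; the final line prints only if the renewed certificate still chains to the original anchor.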