[Spacewalk-list] Auto-deploying renewed cert

Daryl Rose darylrose at outlook.com
Mon Oct 9 19:09:46 UTC 2017


Avi,


Thank you very much for the explanations. They're very helpful, and I'm not as concerned as I was previously.


Thanks


Daryl


________________________________
From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> on behalf of Avi Miller <avi.miller at oracle.com>
Sent: Monday, October 9, 2017 10:59 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Auto-deploying renewed cert

Hi,


> On 9 Oct 2017, at 6:12 am, Daryl Rose <darylrose at outlook.com> wrote:
>
> I am also thinking that Avi and I are not talking about the same cert.  I am not using the signed cert from SW, but I am using a signed cert from an CA.

We are talking about the same certificate, but perhaps I'm not being clear. :)

There are two certificates at play here:

1. The CA's SSL certificate chain (which is "RHN-ORG-TRUSTED-SSL-CERT")
2. The Spacewalk Server's certificate (which is "server.crt" in /root/ssl-build/<hostname>/)

When Spacewalk is installed using the default self-signed certificates, it first creates its own Certificate Authority (CA). In order for clients to validate certificates signed by this CA, you have to distribute the RHN-ORG-TRUSTED-SSL-CERT created by the installer to each client.

Using the replacement procedure from our documentation, you replace the Spacewalk generated CA certificate with the full keychain provided by your CA. This keychain has a pretty long lifespan (usually about 10 years).

Now, when you need to renew your Spacewalk Server certificate ("server.crt"), your CA is going to sign it with the *same* CA chain it used for the first one. Therefore, your clients do NOT need to be updated. They will continue to validate the renewed certificate installed on your Spacewalk Server with the existing RHN-ORG-TRUSTED-SSL-CERT you distributed initially.

The only times you have to replace RHN-ORG-TRUSTED-SSL-CERT are:

1. If you change your CA, e.g. if you switch SSL certificate providers
2. The CA certificate chain actually expires

I hope that makes more sense!

Thanks,
Avi

--
Avi Miller | Product Management Director | +61 (3) 8616 3496
Oracle Linux and Virtualization
417 St Kilda Road, Melbourne, Victoria 3004 Australia

