3.2.3. Generating the Certificate Authority SSL Key Pair
Before creating the SSL key set required by the Web server, you must generate a Certificate Authority (CA) SSL key pair. A CA SSL public certificate is distributed to client systems of the Satellite or Proxy. The RHN SSL Maintenance Tool allows you to generate a CA SSL key pair if needed and re-use it for all subsequent RHN server deployments.
The build process automatically creates the key pair and public RPM for distribution to clients. All CA components end up in the build directory specified at the command line, typically
/root/ssl-build
(or /etc/sysconfig/rhn/ssl
for older Satellites and Proxies). To generate a CA SSL key pair, issue a command like this:
rhn-ssl-tool --gen-ca --password=MY_CA_PASSWORD --dir="/root/ssl-build" \ --set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc." \ --set-org-unit="SSL CA Unit"
Replace the example values with those appropriate for your organization. This will result in the following relevant files in the specified build directory:
RHN-ORG-PRIVATE-SSL-KEY
— the CA SSL private keyRHN-ORG-TRUSTED-SSL-CERT
— the CA SSL public certificaterhn-org-trusted-ssl-cert-VER-REL.noarch.rpm
— the RPM prepared for distribution to client systems. It contains the CA SSL public certificate (above) and installs it in this location:/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
rhn-ca-openssl.cnf
— the SSL CA configuration filelatest.txt
— always lists the latest versions of the relevant files.
Once finished, you're ready to distribute the RPM to client systems. Refer to Section 3.3, “Deploying the CA SSL Public Certificate to Clients”.