Chapter 4. Managing Red Hat entitlement certificates
4.1. Red Hat Update Appliance certificates
The RHUA in RHUI uses the following certificates and keys:
- Content certificate and private key
- Entitlement certificate and private key
- SSL certificate and private key
- Cloud provider’s CA certificate
The RHUA is configured with the content certificate and the entitlement certificate. The RHUA uses the content certificate to connect to the Red Hat CDN. It also uses the Red Hat CA certificate to verify the connection to the Red Hat CDN. As the RHUA is the only component that connects to the Red Hat CDN, it is the only RHUI component that has this certificate deployed. Note that multiple RHUI installations can share the same content certificate. For instance, the Amazon EC2 cloud runs multiple RHUI installations (one per region), but each RHUI installation uses the same content certificate.
Clients use the entitlement certificate to permit access to packages in RHUI. To perform an environment health check, the RHUA attempts a yum request against each CDS. To succeed, the yum request must specify a valid entitlement certificate.
4.2. Content delivery server certificates
Each CDS node in RHUI uses the following certificates and keys:
- SSL certificate and private key
- Cloud provider’s CA certificate
The only certificate necessary for the CDS is an SSL certificate, which permits HTTPS communications between the client and the CDS. The SSL certificates are scoped to a specific hostname, so a unique SSL certificate is required for each CDS node. If SSL errors occur when connecting to a CDS, verify that the certificate’s common name is set to the fully qualified domain name (FQDN) of the CDS on which it is installed.
The CA certificate is used to verify that the entitlement certificate sent by the client as part of a yum request was signed by the cloud provider. This prevents a rogue instance from generating its own entitlement certificate for unauthorized use within RHUI.
4.3. Client certificates
Each client in the RHUI uses an entitlement certificate and private key as well as the cloud provider’s CA certificate.
The entitlement certificate and its private key enable information encryption from the CDS back to the client. Each client uses the entitlement certificate when connecting to the CDS to prove it has permission to download its packages. All clients use a single entitlement certificate.
The cloud provider’s CA certificate is used to verify the CDS’s SSL certificate when connecting to it. This ensures that a rogue instance is not impersonating the CDS and introducing potentially malicious packages into the client.
The CA certificate verifies the SSL certificate, not the entitlement certificate. The reverse is true for the CDS node. The SSL certificate and private key are used to encrypt data from the client to the CDS. The CA certificate present on the CDS verifies that the CDS node should trust the entitlement certificate sent by the client.
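The trust relationships above translate into a concrete check an operator can run from a client or from the RHUA when a CDS returns SSL errors: does the CDS certificate chain to the cloud provider's CA, and does its name match the CDS FQDN? The following diagnostic is example code added to this page, not part of RHUI or rhui-manager. It uses only the Python standard library; the CDS hostname, the CA file path and the two sample peer certificates are constructed for illustration.

```python
"""Check a CDS node's TLS certificate against the cloud provider's CA and
the CDS FQDN, as described in the RHUI certificate chapter.

Example code added to this page; not part of RHUI or rhui-manager.
"""
import socket
import ssl
import time


def fetch_cds_cert(cds_fqdn, ca_file, port=443):
    """Connect to a CDS over TLS and return its decoded peer certificate.

    The chain is verified against the cloud provider's CA (ca_file is an
    assumed path); verify_mode stays CERT_REQUIRED. Hostname checking is
    turned off only so that check_cds_cert() below can report *why* the
    name does not match instead of the handshake failing opaquely.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((cds_fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=cds_fqdn) as tls:
            return tls.getpeercert()


def names_in_cert(cert):
    """DNS names the certificate is valid for: the subjectAltName dNSName
    entries, falling back to the subject common name only when no SAN exists
    (the behaviour that makes the CN = FQDN advice on this page matter)."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _name_matches(pattern, hostname):
    """Exact match, or a single left-most wildcard label (RFC 6125 style)."""
    p, h = pattern.lower(), hostname.lower()
    if p == h:
        return True
    if p.startswith("*.") and h.count(".") == p.count("."):
        return h.split(".", 1)[1] == p[2:]
    return False


def check_cds_cert(cert, cds_fqdn, now=None):
    """Return a list of problems with the certificate (empty means OK).

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(); `now` is
    seconds since the epoch and defaults to the current time.
    """
    problems = []
    names = names_in_cert(cert)
    if not any(_name_matches(n, cds_fqdn) for n in names):
        problems.append(f"name mismatch: certificate is for {names}, expected {cds_fqdn}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < (time.time() if now is None else now):
        problems.append(f"expired: notAfter is {cert['notAfter']}")
    return problems


# Constructed sample peer certificates (not real CDS certificates).
GOOD_CDS_CERT = {
    "subject": ((("commonName", "cds01.rhui.example.com"),),),
    "subjectAltName": (("DNS", "cds01.rhui.example.com"),),
    "notAfter": "Feb 27 23:59:59 2022 GMT",
}
# The failure mode the page warns about: CN left at a default, not the FQDN.
MISNAMED_CDS_CERT = {
    "subject": ((("commonName", "localhost.localdomain"),),),
    "notAfter": "Feb 27 23:59:59 2022 GMT",
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CDS_CERT), ("misnamed", MISNAMED_CDS_CERT)):
        print(label, check_cds_cert(cert, "cds01.rhui.example.com") or "OK")
```

Against a live CDS, `check_cds_cert(fetch_cds_cert("cds01.rhui.example.com", "/path/to/cloud-provider-ca.pem"), "cds01.rhui.example.com")` reports a name mismatch or expiry explicitly, while a chain that does not lead to the provider's CA still fails inside `fetch_cds_cert` with an `ssl.SSLCertVerificationError`, which is the correct outcome: the client must never talk to a CDS it cannot verify.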
4.3.1. Listing the entitled products for a certificate
The Entitlements Manager screen is used to list entitled products in the current Red Hat content certificates and to upload new certificates.
Procedure
1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:
   [root@rhua ~]# rhui-manager
2. Press n to select manage Red Hat entitlement certificates.
3. From the Entitlements Manager screen, press l to list data about the current content certificate:
   rhui (entitlements) => l
   Red Hat Enterprise Linux 8 for ARM 64 - AppStream (Debug RPMs) from RHUI
   Expiration: 02-27-2022
   Certificate: c885597492374720bb5d398c3f65d1ed.pem
   Red Hat Enterprise Linux 8 for ARM 64 - AppStream (RPMs) from RHUI
   Expiration: 02-27-2022
   Certificate: c885597492374720bb5d398c3f65d1ed.pem
   Red Hat Enterprise Linux 8 for ARM 64 - AppStream (Source RPMs) from RHUI
   Expiration: 02-27-2022
   Certificate: c885597492374720bb5d398c3f65d1ed.pem
   Red Hat Enterprise Linux 8 for ARM 64 - BaseOS (Debug RPMs) from RHUI
   Expiration: 02-27-2022
   Certificate: c885597492374720bb5d398c3f65d1ed.pem
   Red Hat Enterprise Linux 8 for ARM 64 - BaseOS (RPMs) from RHUI
   Expiration: 02-27-2022
   Certificate: c885597492374720bb5d398c3f65d1ed.pem
   Red Hat Enterprise Linux 8 for ARM 64 - BaseOS (Source RPMs) from RHUI
   Expiration: 02-27-2022
   Certificate: c885597492374720bb5d398c3f65d1ed.pem
Verification
- You will see a list of the entitled products in the current Red Hat content certificates.
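The listing above is the only place RHUI shows when a content certificate expires, and an expired content certificate stops the RHUA from syncing from the CDN. The following script is example code added to this page, not part of rhui-manager: it parses a saved copy of the `l` output (product line, then `Expiration:` and `Certificate:` lines, as shown above) and reports which certificates expire within a chosen window. The sample listing and the second certificate file name are constructed.

```python
"""Parse the product list printed by rhui-manager (entitlements => l) and
flag content certificates that expire soon.

Example code added to this page; not part of rhui-manager.
"""
import sys
from datetime import date, datetime

# Constructed sample in the layout rhui-manager prints. The second
# certificate name is a made-up placeholder, not a real certificate.
SAMPLE_LISTING = """\
Red Hat Enterprise Linux 8 for ARM 64 - AppStream (RPMs) from RHUI
Expiration: 02-27-2022
Certificate: c885597492374720bb5d398c3f65d1ed.pem
Red Hat Enterprise Linux 8 for ARM 64 - BaseOS (RPMs) from RHUI
Expiration: 02-27-2022
Certificate: c885597492374720bb5d398c3f65d1ed.pem
Red Hat Enterprise Linux 8 for ARM 64 - BaseOS (Source RPMs) from RHUI
Expiration: 12-31-2030
Certificate: 00000000000000000000000000000000.pem
"""


def parse_entitlement_listing(text):
    """Yield (product, expiration_date, certificate_file) for each product.

    rhui-manager prints dates as MM-DD-YYYY; a product's record is complete
    when its Certificate: line is reached.
    """
    product = expiration = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Expiration:"):
            expiration = datetime.strptime(line.split(":", 1)[1].strip(), "%m-%d-%Y").date()
        elif line.startswith("Certificate:"):
            yield product, expiration, line.split(":", 1)[1].strip()
            product = expiration = None
        else:
            product = line


def expiring_certs(text, today, within_days=90):
    """Map certificate file -> (expiration, [products]) for every certificate
    that expires within `within_days` of `today`, including ones already
    expired (negative remaining days)."""
    by_cert = {}
    for product, expiration, cert in parse_entitlement_listing(text):
        by_cert.setdefault((cert, expiration), []).append(product)
    return {
        cert: (expiration, products)
        for (cert, expiration), products in by_cert.items()
        if (expiration - today).days <= within_days
    }


if __name__ == "__main__":
    # Usage: rhui-manager output saved to a file, then `python3 check.py file`;
    # with no argument the constructed sample is used.
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for cert, (expiration, products) in expiring_certs(listing, date.today()).items():
        days = (expiration - date.today()).days
        print(f"{cert}: expires {expiration} ({days} days), entitles {len(products)} products")
```

Because every product in the sample shares one certificate file (as in the page's own listing), the report is grouped by file: one renewal fixes every product that the certificate covers.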
4.3.2. Listing custom repository entitlements
You can use the Entitlements Manager screen to list custom repository entitlements.
Procedure
1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:
   [root@rhua ~]# rhui-manager
2. Press n to select manage Red Hat entitlement certificates.
3. From the Entitlements Manager screen, press c to list data about the custom repository entitlements:
   rhui (entitlements) => c
   Custom Repository Entitlements
   For each entitlement URL listed, the corresponding repositories that are configured with that entitlement are listed.
   /protected/$basearch/os
   Name: Repo 1
   URL: protected/i386/os
   Name: Repo 2
   URL: protected/x86_64/os