Self-Signed SSL Certificates

By default, Uyuni uses a self-signed certificate. In this case, the certificate is created and signed by Uyuni. This method does not use an independent certificate authority to guarantee that the details of the certificate are correct. Third party CAs perform checks to ensure that the information contained in the certificate is correct. For more on third party CAs, see Import SSL Certificates.

This section covers how to create or re-create your self-signed certificates on new or existing installation.

The host name of the SSL keys and certificates must match the fully qualified host name of the machine you deploy them on.

1. Re-Create Existing Server Certificates

If your existing certificates have expired or stopped working for any reason, you can generate a new server certificate from the existing CA.

Procedure: Re-Creating an Existing Server Certificate
  1. On the Uyuni Server, at the command prompt, regenerate the server certificate:

    mgrctl exec -ti -- rhn-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \
    --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \
    --set-org-unit="ORGANIZATION UNIT" --set-email="name@example.com" \
    --set-hostname="susemanager.example.com" --set-cname="example.com"

    Ensure that the set-cname parameter is the fully qualified domain name of your Uyuni Server. You can use the the set-cname parameter multiple times if you require multiple aliases.

The private key and the server certificate can be found in the directory /root/ssl-build/susemanager/ as server.key and server.crt. The name of the last directory depends on the hostname used with --set-hostname option.

2. Create a new CA and Server Certificates

Be careful when you need to replace the Root CA. It is possible to break the trust chain between the server and clients. If that happens, you need an administrative user to log in to every client and deploy the CA directly.

Procedure: Creating New Certificates
  1. On the Uyuni Server, at the command prompt, move the old certificate directory to a new location:

    mgrctl exec -- mv /root/ssl-build /root/old-ssl-build
  2. Generate a new CA certificate:

    mgrctl exec -ti -- rhn-ssl-tool --gen-ca --dir="/root/ssl-build" --set-country="COUNTRY" \
    --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \
    --set-org-unit="ORGANIZATION UNIT" --set-common-name="SUSE Manager CA Certificate" \
    --set-email="name@example.com"
  3. Generate a new server certificate:

    mgrctl exec -ti -- rhn-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \
    --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \
    --set-org-unit="ORGANIZATION UNIT" --set-email="name@example.com" \
    --set-hostname="susemanager.example.top" --set-cname="example.com"

    Ensure that the set-cname parameter is the fully qualified domain name of your Uyuni Server. You can use the the set-cname parameter multiple times if you require multiple aliases.

    You need to generate a server certificate also for each proxy, using their host names and cnames.