Bug 810691

Summary: RFE: add a chapter or section to show how to update the entitlement-signing CA certificate
Product: Red Hat Update Infrastructure for Cloud Providers
Reporter: Satoru SATOH <ssato>
Component: Documentation
Assignee: Shikha <snansi>
Status: CLOSED ERRATA
QA Contact: Martin Kočí <mkoci>
Severity: medium
Priority: high
Version: 2.1
CC: belong, cmorgan, dmacpher, jslagle, juwu, kbidarka, mkoci, sghai, tsanders
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Doc Text:
The Red Hat Update Infrastructure Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Users can now update an expired entitlement-signing certificate with Chapter 6. Identity Certificates.
Last Closed: 2012-08-24 11:54:03 UTC
Type: Bug
Bug Depends On: 817736

Description Satoru SATOH 2012-04-08 11:04:28 UTC
Description of problem: There is a chapter that explains how to update the
identity certificate (Chapter 9. Identity Certificates) in the RHUI
Installation Guide. However, there are no chapters or sections that show
how to update the entitlement-signing CA certificate which was
configured at the first launch of rhui-manager.

So there looks to be no way other than to re-setup the RHUA if that
entitlement-signing certificate has expired.


Expected results: A chapter shows how to update the
entitlement-signing certificate, and the user can update it
if it has expired.

Comment 1 Chris Morgan 2012-04-16 18:37:55 UTC
Goal should be to make the CA long lived before installing RHUI.  Updating CAs is not trivial.

Comment 4 Chris Morgan 2012-05-31 12:57:54 UTC
Hi Julie,

Development will need to provide this information to you.

Comment 5 James Slagle 2012-07-02 23:15:14 UTC
This is actually a fairly simple process.  I'm not sure if it requires its own chapter or not.

Here's the material:

Before re-generating the entitlement-signing CA certificate, keep in mind that any client instances that have client configuration RPMs installed that contain certificates signed by your existing entitlement-signing CA certificate will cease to work.  These clients will need to be updated by installing new client configuration RPMs manually, or perhaps from an unprotected custom repository hosted in your RHUI infrastructure.

To update the entitlement-signing CA certificate and its private key, simply remove the following files from the /etc/pki/rhui directory (you may wish to back them up):
entitlement-ca.crt
entitlement-ca-key.pem
entitlement-ca.srl
identity.crt
identity.key

Note: The Identity certificate and its private key (identity.crt and identity.key) are removed because they are signed by the entitlement-signing CA certificate and thus must be regenerated.

The next time you start rhui-manager you will be prompted for the new path to the entitlement-signing CA certificate and key, and a new identity certificate and key will also be generated.  This is further detailed in Section 4.1 of the Installation guide.
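
The removal step from comment 5 as a script, added here as an example; it is not part of the bug report or of RHUI. The file names and /etc/pki/rhui come from the comment; the function names and the backup directory are assumptions, and the script goes slightly beyond the comment by locking down the backup, since it holds the CA and identity private keys.

```shell
#!/bin/sh
# Added example: back up and remove the entitlement-signing CA files so that
# rhui-manager prompts for a new CA on its next start (per comment 5).
# Assumed usage, as root on the RHUA:
#   retire_rhui_ca /etc/pki/rhui /root/rhui-ca-backup-YYYYMMDD

# The five files named in comment 5.
RHUI_CA_FILES="entitlement-ca.crt entitlement-ca-key.pem entitlement-ca.srl identity.crt identity.key"

# Exit status 0 if the certificate in $1 is still valid $2 seconds from now,
# 1 if it will have expired by then (uses openssl's -checkend).
ca_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# usage: retire_rhui_ca <pki_dir> <backup_dir>
# Prints the number of files moved; returns non-zero on any failure.
retire_rhui_ca() {
    pki_dir=$1
    backup_dir=$2
    [ -d "$pki_dir" ] || { echo "no such directory: $pki_dir" >&2; return 2; }

    # The backup contains private keys: make it readable by the owner only.
    ( umask 077 && mkdir -p "$backup_dir" ) || return 2
    chmod 700 "$backup_dir" || return 2

    moved=0
    for f in $RHUI_CA_FILES; do
        if [ -e "$pki_dir/$f" ]; then
            # Copy first, delete second, so a failed copy never loses a key.
            cp -p "$pki_dir/$f" "$backup_dir/$f" || return 1
            chmod 600 "$backup_dir/$f" || return 1
            rm -f "$pki_dir/$f" || return 1
            moved=$((moved + 1))
        else
            echo "not present, skipping: $f" >&2
        fi
    done
    echo "$moved"
}
```

Running `ca_valid_for /etc/pki/rhui/entitlement-ca.crt 2592000` beforehand shows whether the current CA certificate expires within 30 days.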

Comment 7 Martin Kočí 2012-07-26 12:18:31 UTC
Confirmed the section 6.1. Updating Entitlement-Signing CA Certificate is in new documentation 2.1 of the Administration Guide. 
Moving bug to VERIFIED.

Comment 8 Dan Macpherson 2012-08-14 04:39:06 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Csers can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.

Comment 9 Dan Macpherson 2012-08-14 06:50:00 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Csers can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.+The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Users can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.
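Review bot: the replacement text still misspells "Infrastructure" as "Infrastrucutre" in its first sentence; this revision corrects only "Csers" to "Users", so the spelling should be fixed in the same pass. The last sentence also needs an article ("update an expired entitlement-signing certificate"). In addition, the note directs readers to "Chapter 6. Identity Certificates" of the Installation Guide, while comment 7 verified the new material as section 6.1, "Updating Entitlement-Signing CA Certificate", in the Administration Guide; confirm which guide and section title the note should name before it is published.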

Comment 11 errata-xmlrpc 2012-08-24 11:54:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1205.html