Description of RFE:

Currently, our tooling (and documentation) rely on manual management of the x509 certificate serial number. This can lead to issues if it is not appropriately incremented during successive signings.

OpenSSL provides a mechanism to manage and auto-increment the certificate serial number: the -CAcreateserial option will create a serial number file to allow openssl to manage the serial number incrementing for each successive signing. Once this file exists, use the -CAserial option to supply this file when signing.

I'd suggest leveraging this functionality going forward.

-Todd
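The mechanism requested above, shown as an added example that is not part of the original report or of the RHUI code: a throwaway CA signs the same CSR twice, creating the serial file with -CAcreateserial on the first signing and reusing it with -CAserial on the second. All file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example: let openssl manage certificate serial numbers through a
# serial file instead of a hand-maintained number per signing.
# Every file name and subject name here is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA key and self-signed CA certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# One client key and CSR, signed twice below so the serials can be compared.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

# sign OUT [EXTRA_OPTS...]: sign the CSR with the CA, tracking serials in ca.srl.
sign() {
    out=$1; shift
    openssl x509 -req -in "$WORK/client.csr" -days 1 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAserial "$WORK/ca.srl" "$@" -out "$out" 2>/dev/null
}

# serial_of CERT: print the certificate's serial number in hex.
serial_of() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# First signing: the serial file does not exist yet, so have openssl create it.
sign "$WORK/first.crt" -CAcreateserial
SERIAL1=$(serial_of "$WORK/first.crt")

# Later signings: pass only -CAserial; openssl increments the stored value.
sign "$WORK/second.crt"
SERIAL2=$(serial_of "$WORK/second.crt")

# The serial file holds the serial of the most recently issued certificate.
SRL_LAST=$(cat "$WORK/ca.srl")

echo "first=$SERIAL1 second=$SERIAL2 serial-file=$SRL_LAST"
if [ "$SERIAL1" = "$SERIAL2" ]; then
    echo "duplicate serial issued" >&2
    exit 1
fi
```

The serial file is CA state: keep it next to the CA key with the same access controls, and serialize signings so two runs cannot read the same value.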
added to rhui-20 tracker
commit 8eb458c15562ed14b22380110c5a548f03aa32cb
Author: Jay Dobies <jason.dobies>
Date:   Thu Jun 16 14:06:12 2011 -0400

    706942 - Create serial number DB file when uploading the entitlement certificate and don't prompt for the serial number

 rhui-2.0/tools/src/rhui/common/cert_utils.py
 rhui-2.0/tools/src/rhui/tools/launcher.py
 rhui-2.0/tools/src/rhui/tools/screens/client.py
Fixed in RHUI 2.0.31.
Verified with build 2.0.37

Now rhui-manager is auto-generating the serial number for entitlement certs and doesn't prompt the user for the serial number.

I generated two entitlement certs, one for rhel5 and the other for rhel6, and did not get a prompt for serial number input.

for rhel6:
=============
rhui (client) => c

Local directory in which the client configuration files generated by this tool should be stored (if this directory does not exist, it will be created):
/root/client_config

Name of the RPM:
rh-client-rhel6-config

Version of the configuration RPM [2.0]:

Full path to the entitlement certificate authorizing the client to access specific channels:
/root/entitle_certs/rhel6.crt

Full path to the private key for the above entitlement certificate:
/root/entitle_certs/rhel6.key

Full path to the CA certificate used to sign the CDS SSL certificate:
/root/certs/ca_ssl.crt

Select the CDS instance that should be the primary load balancer for the client. All other CDS instances will be listed as back up load balancers in the client's mirror list:
  1 - dhcp201-121.englab.pnq.redhat.com
  2 - dhcp201-120.englab.pnq.redhat.com
Enter value (1-2) or 'b' to abort: 2

Load Balancer Order:
  dhcp201-120.englab.pnq.redhat.com
  dhcp201-121.englab.pnq.redhat.com

Successfully created client configuration RPM.
RPMs can be found at /root/client_config

for rhel5:
=========
------------------------------------------------------------------------------
rhui (client) => c

Local directory in which the client configuration files generated by this tool should be stored (if this directory does not exist, it will be created):
/root/client_config

Name of the RPM:
rh-client-rhel5-config

Version of the configuration RPM [2.0]:

Full path to the entitlement certificate authorizing the client to access specific channels:
/root/entitle_certs/rhui_rhel5.crt

Full path to the private key for the above entitlement certificate:
/root/entitle_certs/rhui_rhel5.key

Full path to the CA certificate used to sign the CDS SSL certificate:
/root/certs/ca_ssl.crt

Select the CDS instance that should be the primary load balancer for the client. All other CDS instances will be listed as back up load balancers in the client's mirror list:
  1 - dhcp201-121.englab.pnq.redhat.com
  2 - dhcp201-120.englab.pnq.redhat.com
Enter value (1-2) or 'b' to abort: 2

Load Balancer Order:
  dhcp201-120.englab.pnq.redhat.com
  dhcp201-121.englab.pnq.redhat.com

Successfully created client configuration RPM.
RPMs can be found at /root/client_config
Verified the serial number for both rhel5 and rhel6 entitlement certs as below:

rhel6.crt: this cert has the serial number 03
===============================================
[root@dhcp201-141 entitle_certs]# openssl x509 -in rhel6.crt -serial
serial=03

rhui_rhel5.crt: this has the serial number 04:
=================================================
[root@dhcp201-141 entitle_certs]# openssl x509 -in rhui_rhel5.crt -serial
serial=04

[root@dhcp201-141 entitle_certs]# rhui-manager
moving to release pending
closing out, product released