Bug 810691 - RFE: add a chapter or section to show how to update the entitlement-signing CA certificate
RFE: add a chapter or section to show how to update the entitlement-signing C...
Status: CLOSED ERRATA
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: Documentation (Show other bugs)
2.1
Unspecified Linux
high Severity medium
: ---
: ---
Assigned To: Shikha
Martin Kočí
:
Depends On: 817736
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-08 07:04 EDT by Satoru SATOH
Modified: 2016-04-27 19:39 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Users can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-24 07:54:03 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Satoru SATOH 2012-04-08 07:04:28 EDT
Description of problem: There is a chapter explains how to update the 
identity certificate (Chapter 9. Identity Certificates) in RHUI 
Installation Guide. However there is no chapters nor sections shows
how to update the entitlement-signing CA certificate which was
configured at first launch of rhui-manager.

So there looks no way other than re-setup rhua if that 
entitlement-signing certificate was expired.


Expected results: A chapter shows how to update the 
entitlement-signing certificate and user can update it 
if it was expired.
Comment 1 Chris Morgan 2012-04-16 14:37:55 EDT
Goal should be to make the CA long lived before installing RHUI.  Updating CA's is not trivial.
Comment 4 Chris Morgan 2012-05-31 08:57:54 EDT
Hi Julie,

Development will need to provide this information to you.
Comment 5 James Slagle 2012-07-02 19:15:14 EDT
This is actually a fairly simple process.  I'm not sure if it requires it's own chapter or not.

Here's the material:

Before re-generating the entitlement-signing CA certificate, keep in mind that any client instances that have client configuration rpm's installed that contain certificates signed by your existing entitlement-signing CA certificate will cease to work.  These clients will need to be updated by installing new client configuration rpm's manually, or perhaps from an unprotected custom repository hosted in your RHUI infrastructure.

To update the entitlement-signing CA certificate and its private key, simply remove the following files from the /etc/pki/rhui directory (you may wish to back them up):
entitlement-ca.crt
entitlement-ca-key.pem
entitlement-ca.srl
identity.crt
identity.key

Note: The Identity certificate and its private key (identity.crt and identity.key) are removed because they are signed by the entitlement-signing CA certificate and thus must be regenerated.

The next time you start rhui-manager you will prompted for the new path to the entitlement-signing CA certificate and key, and a new identity certificate and key will also be generated.  This is further detailed in Section 4.1 of the Installation guide.
Comment 7 Martin Kočí 2012-07-26 08:18:31 EDT
Confirmed the section 6.1. Updating Entitlement-Signing CA Certificate is in new documentation 2.1 of the Administration Guide. 
Moving bug to VERIFIED.
Comment 8 Dan Macpherson 2012-08-14 00:39:06 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Csers can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.
Comment 9 Dan Macpherson 2012-08-14 02:50:00 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Csers can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.+The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Users can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.
Comment 11 errata-xmlrpc 2012-08-24 07:54:03 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1205.html

Note You need to log in before you can comment on or make changes to this bug.