Description of problem: There is a chapter that explains how to update the identity certificate (Chapter 9. Identity Certificates) in the RHUI Installation Guide. However, there are no chapters or sections that show how to update the entitlement-signing CA certificate which was configured at the first launch of rhui-manager. So there appears to be no way other than setting up rhua again if that entitlement-signing certificate has expired.
Expected results: A chapter that shows how to update the entitlement-signing certificate, so that the user can update it if it has expired.
Goal should be to make the CA long lived before installing RHUI. Updating CAs is not trivial.
Hi Julie, Development will need to provide this information to you.
This is actually a fairly simple process. I'm not sure if it requires its own chapter or not. Here's the material:

Before re-generating the entitlement-signing CA certificate, keep in mind that any client instances that have client configuration RPMs installed that contain certificates signed by your existing entitlement-signing CA certificate will cease to work. These clients will need to be updated by installing new client configuration RPMs manually, or perhaps from an unprotected custom repository hosted in your RHUI infrastructure.

To update the entitlement-signing CA certificate and its private key, simply remove the following files from the /etc/pki/rhui directory (you may wish to back them up):

entitlement-ca.crt
entitlement-ca-key.pem
entitlement-ca.srl
identity.crt
identity.key

Note: The Identity certificate and its private key (identity.crt and identity.key) are removed because they are signed by the entitlement-signing CA certificate and thus must be regenerated.

The next time you start rhui-manager you will be prompted for the new path to the entitlement-signing CA certificate and key, and a new identity certificate and key will also be generated. This is further detailed in Section 4.1 of the Installation guide.
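The backup-and-remove step from the comment above, as an added shell example that is not part of the original thread or of Red Hat's documentation: it copies the five listed files into a private backup directory, verifies each copy, and only then removes the originals. The function name and the backup location are assumptions; the file names and /etc/pki/rhui come from the comment.

```shell
#!/bin/sh
# Added example (not from the thread). File names are the ones listed in the
# comment; rotate_entitlement_ca and the backup root are assumed names.

RHUI_FILES="entitlement-ca.crt entitlement-ca-key.pem entitlement-ca.srl identity.crt identity.key"

# rotate_entitlement_ca PKI_DIR BACKUP_ROOT
# Backs up every listed file that exists, verifies the copies, then removes
# the originals. Prints the backup directory on success; on any failure it
# returns non-zero without having removed anything.
rotate_entitlement_ca() {
    pki_dir=$1
    backup_root=$2

    [ -d "$pki_dir" ] || { echo "no such directory: $pki_dir" >&2; return 1; }

    # mktemp -d creates the directory with mode 0700, so the private keys
    # copied into it are not reachable by other users.
    backup_dir=$(mktemp -d "$backup_root/rhui-ca-backup.XXXXXX") || return 1

    # Pass 1: copy and byte-compare. Files that are absent are skipped
    # (entitlement-ca.srl, for example, may not exist on every install).
    for f in $RHUI_FILES; do
        [ -e "$pki_dir/$f" ] || continue
        cp -p "$pki_dir/$f" "$backup_dir/$f" && cmp -s "$pki_dir/$f" "$backup_dir/$f" || {
            echo "backup of $f failed; nothing was removed" >&2
            return 1
        }
    done

    # Pass 2: every copy is verified, so the originals can go. The identity
    # certificate and key are removed too because the old CA signed them.
    for f in $RHUI_FILES; do
        rm -f "$pki_dir/$f"
    done

    echo "$backup_dir"
}

# Typical call, run as root on the RHUA before starting rhui-manager again:
#   rotate_entitlement_ca /etc/pki/rhui /root
```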
This procedure has been added to Administration Guide. Link: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.1/html/Administration_Guide/chap-Administration_Guide-Identity_Certificates.html#Administration_Guide-Identity_Certificates-Update_Cert Regards, Shikha
Confirmed the section 6.1. Updating Entitlement-Signing CA Certificate is in new documentation 2.1 of the Administration Guide. Moving bug to VERIFIED.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Csers can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1 @@ -The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Csers can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.+The Red Hat Update Infrastrucutre Installation Guide was missing a chapter for updating an expired entitlement-signing certificate. This update adds a new chapter to the Installation Guide. Users can now update expired entitlement-signing certificate with Chapter 6. Identity Certificates.
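Review bot: The replacement line corrects "Csers" but still carries the misspelling "Infrastrucutre" in its first sentence, and "update expired entitlement-signing certificate" is missing an article ("update an expired entitlement-signing certificate"). The note also says the chapter was added to the Installation Guide as "Chapter 6. Identity Certificates", while the earlier comments say the procedure went into the Administration Guide as section 6.1, so the guide name in the note should be checked against the published document before it ships.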
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2012-1205.html