rhsmcertd should check the server for a newer version of its id certificate in the same way it does for entitlement certificates, and grab it if appropriate. As things stand, the certificates expire in one year, and are only regenerated via a manual command run on the client. We're adding support for autoregen of the id cert in candlepin, but the client still needs to learn how to grab it. Without this, after a year of registration, a sysadmin will have to manually refresh the cert. That would get very annoying!
Note that this bug has been cloned to bug #827035

commit bfff510f60ccc647f60ffdcb56b0101e1cccfe57
Refs: <origin/827035>, subscription-manager-1.0.3-1-77-gbfff510
Author:     jesus m. rodriguez <jmrodri>
AuthorDate: Mon Jun 11 17:43:35 2012 -0400
Commit:     jesus m. rodriguez <jmrodri>
CommitDate: Mon Jun 18 11:03:01 2012 -0400

    827035: update identity certificate
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
*** Bug 834309 has been marked as a duplicate of this bug. ***
    # rpm -qa | egrep "subscription-manager|python-rhsm"
    subscription-manager-migration-1.0.6-1.el5
    subscription-manager-1.0.6-1.el5
    subscription-manager-gui-1.0.6-1.el5
    subscription-manager-debuginfo-1.0.6-1.el5
    python-rhsm-1.0.3-1.el5
    subscription-manager-firstboot-1.0.6-1.el5

    # curl -k -u testuser1:password -stderr /dev/null https://fsharath-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
    {
        "release": "1",
        "result": true,
        "standalone": true,
        "timeUTC": "2044-05-01T04:05:50.708+0000",
        "version": "0.7.3"
    }

    # subscription-manager config --server.hostname fsharath-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1
    # subscription-manager register --org=admin
    Username: testuser1
    Password:
    The system has been registered with id: b0f9baf1-2fda-4817-a1cc-0ca72989c368

    # openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
    Validity
    Not Before: Jun 5 21:30:45 2012 GMT
    Not After : Jun 5 21:30:45 2028 GMT

Executing the below command on client and server (dates should be in sync)

    # date 050100002028
    Mon May 1 00:00:00 EDT 2028

    # service rhsmcertd restart
    Stopping rhsmcertd [FAILED]
    Starting rhsmcertd 240 1440 [ OK ]

    [root@fsharath-rhel59server sub-man]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
    Validity
    Not Before: May 1 04:00:18 2028 GMT
    Not After : May 1 04:00:18 2044 GMT

Moving Bug to VERIFIED
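As an added example (not part of this bug report and not subscription-manager's own code), the Python helper below reads the Validity block printed by the `openssl x509 -text` command in the verification above and flags an identity certificate that is close to expiry. The function names, the 90-day renewal window and the clock value used in the demo are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two Validity blocks from the verification
# above, before and after rhsmcertd was restarted.
BEFORE_RESTART = """Validity
Not Before: Jun 5 21:30:45 2012 GMT
Not After : Jun 5 21:30:45 2028 GMT
"""
AFTER_RESTART = """Validity
Not Before: May 1 04:00:18 2028 GMT
Not After : May 1 04:00:18 2044 GMT
"""

# openssl prints "Not Before:" and "Not After :" and may pad single-digit days.
_FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*GMT")


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from openssl text output."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]


def identity_cert_status(text, now, renew_window=timedelta(days=90)):
    """Classify the certificate and return (state, whole days until Not After)."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        state = "not-yet-valid"   # usually clock skew between client and server
    elif now >= not_after:
        state = "expired"
    elif not_after - now <= renew_window:
        state = "renew-due"       # hypothetical 90-day window, not a project default
    else:
        state = "ok"
    return state, (not_after - now).days


if __name__ == "__main__":
    # Assumed clock: shortly after the restart in the verification (UTC).
    now = datetime(2028, 5, 1, 4, 5, 0, tzinfo=timezone.utc)
    for label, block in (("before", BEFORE_RESTART), ("after", AFTER_RESTART)):
        print(label, identity_cert_status(block, now))
```

On a live system the input would be the output of the same `openssl x509 -text -in /etc/pki/consumer/cert.pem` command, with `now` taken from `datetime.now(timezone.utc)`.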
Bug Clean Up, these are in the current release.