Bug 855904 - Document how to update nss-db-gen generated certificates
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: Documentation
Version: 2.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: ---
Target Release: 2.1.1
Assignee: Julie
QA Contact: Dan Macpherson
Reported: 2012-09-10 15:02 UTC by James Slagle
Modified: 2016-02-18 05:40 UTC

Doc Type: Bug Fix
Last Closed: 2013-03-04 05:09:12 UTC

Description James Slagle 2012-09-10 15:02:23 UTC
The certs generated when nss-db-gen is run, both the qpid CA and qpid client cert, are hardcoded to expire after one year. You can no longer sync CDS's after the certs expire, as the CDS's will fail connecting to qpid running on the RHUA.

Comment 1 wes hayutin 2012-09-10 15:39:55 UTC
nss-db-gen uses the certutil command, which has the option "-v" to specify the number of months the cert will be valid.
The nss-db-gen script has a variable "VALID" which currently defaults to "12", 12 months. So it seems we can easily fix this, or maybe even doc the issue.

The option defaults to three months, so certs will expire 12 + 3 months after they are created.

******************

-v valid-months

Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months. When this argument is used, the default three-month period is automatically added to any value given in the valid-month argument. For example, using this option to set a value of 3 would cause 3 to be added to the three-month default, creating a validity period of six months. You can use negative values to reduce the default period. For example, setting a value of -2 would subtract 2 from the default and create a validity period of one month.
******************
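
An added example, not part of this bug thread, nss-db-gen or RHUI: a check that flags a certificate in an NSS database before it expires, so the qpid connection failure described above can be caught ahead of time. It assumes `certutil -L -d DB -n NICK` prints a `Not After : <date>` line in UTC and that GNU `date` is available; the sample text, nickname and the 30-day default are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of nss-db-gen or RHUI): classify a certificate as
# OK, WARN or EXPIRED from the text printed by "certutil -L -d DB -n NICK".
# Assumptions: the text has a "Not After : <date>" line, the date is UTC,
# and GNU date is available for parsing it.

# Constructed sample of the relevant certutil output; not from a real system.
SAMPLE_CERT_TEXT='        Validity:
            Not Before: Mon Sep 10 15:02:23 2012
            Not After : Tue Sep 10 15:02:23 2013
        Subject: "CN=example-qpid-client"'

# not_after: read certutil text on stdin, print the first "Not After" value.
not_after() {
    sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# cert_status TEXT NOW_EPOCH WARN_DAYS: print OK, WARN, EXPIRED or UNKNOWN.
cert_status() {
    local end expiry
    end=$(printf '%s\n' "$1" | not_after)
    if [ -z "$end" ] || ! expiry=$(date -u -d "$end" +%s 2>/dev/null); then
        echo UNKNOWN      # no validity line, or a date we could not parse
    elif [ "$expiry" -le "$2" ]; then
        echo EXPIRED
    elif [ "$expiry" -le $(( $2 + $3 * 86400 )) ]; then
        echo WARN         # expires within WARN_DAYS
    else
        echo OK
    fi
}

# Real use: script.sh NSS_DB_DIR CERT_NICKNAME [WARN_DAYS]
if [ "$#" -ge 2 ]; then
    text=$(certutil -L -d "$1" -n "$2") || exit 3
    status=$(cert_status "$text" "$(date -u +%s)" "${3:-30}")
    echo "$2: $status"
    [ "$status" = OK ]    # non-zero exit lets cron or monitoring alert
fi
```

Run it once per certificate nickname (the CA and the client cert) against the NSS database directory that nss-db-gen wrote.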

Comment 2 James Slagle 2012-11-09 19:54:57 UTC
What we need to do for this bug is provide the kbase article as input to our docs team to include in the documentation.

Comment 3 James Slagle 2012-11-09 19:55:42 UTC
Technical material will be forthcoming.

Comment 5 James Slagle 2013-02-13 13:11:21 UTC
Both those kbase articles show pretty much the same thing, but let's use this one:
https://access.redhat.com/knowledge/solutions/219703

I would think this would need to be in a new section in the Admin guide.

Comment 7 James Slagle 2013-02-20 12:52:25 UTC
Just running nss-db-gen does not install the generated certificates on the RHUA and CDS systems, so in procedure 7.2, we also need to add the steps to run rhui-installer and then install the generated rpm's.

In the KBase article it's the steps that say:
* Use rhui-installer and config rpms to update and distribute the new qpid certificates across the RHUI environment. 

* Execute rhui-installer using the updated answers file. Again the only thing we updated in the answers file was the version. This will re-copy the updated qpid certificates to the RHUA and CDS's in the environment

* Distribute the updated config rpm's to the CDS's and install on the RHUA and CDS servers

Comment 8 Dan Macpherson 2013-02-21 15:57:59 UTC
Added additional instructions and re-spinning the book.

Comment 10 Dan Macpherson 2013-03-04 05:09:12 UTC
Verified and closing bug as this has been released.

