RHN Proxy Server 2.1: Installation Guide

Appendix F. Quick Start Guide for Manual Installation and Configuration
Although it is not a requirement, we strongly recommend end-to-end SSL for the entire Spacewalk transaction set. If Spacewalk clients are to connect securely to the RHN Proxy Server, the server must have a valid SSL certificate.
Follow these steps to generate a valid private certificate. The steps assume you are working on the system acting as the RHN Proxy Broker Server. When filling out the various certificate forms in the steps below, be sure to enter information as correctly and consistently as possible. Also make certain that any hostname information requested matches the hostname of the RHN Proxy Server system itself.
Create a new directory (for example, /root/certs/) and make it your working directory.
Generate a private certificate authority key:
openssl genrsa -des3 -out ca.key 1024
Generate a certificate authority certificate, and sign it with the private certificate authority key:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
This command generates a certificate authority certificate that expires in one year. If you do not want to reconfigure SSL for this RHN Proxy Server in a year, make the -days parameter arbitrarily large.
Generate the server's private key with the following command:
openssl genrsa -out server.key 1024
Generate a certificate request:
openssl req -new -key server.key -out server.csr
Generate a server certificate by signing the certificate request with the private key and certificate for the certificate authority.
sh /var/www/rhns/certs/sign.sh
After this step, two RPM packages will appear in your directory: rhns-ssl-cert-1.0-1.noarch.rpm and rhns-ca-cert-1.0-1.noarch.rpm (the version and release numbers may be different).
Install the rhns-ssl-cert RPM package on the machine acting as the RHN Proxy Broker Server:
rpm -Uvh rhns-ssl-cert-1.0-1.noarch.rpm
Distribute the rhns-ca-cert RPM package to all the client systems running the Red Hat Update Agent.
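The following is an added example, not part of the original guide: a shell function that checks the files produced by the steps above (chain to the CA, key and certificate match, hostname in the CN, key length, time to expiry) before the RPMs are distributed. The function names, the 2048-bit default minimum, the 30-day expiry window and the hostname proxy.example.com are assumptions of this example, and the demo signs with plain `openssl x509 -req` as a stand-in for sign.sh.

```shell
#!/bin/sh
# Added example: sanity-check a CA certificate, server certificate and server key.
# usage: check_cert_pair CA_CRT SERVER_CRT SERVER_KEY HOSTNAME [MIN_BITS]
check_cert_pair() {
    ca=$1 crt=$2 key=$3 host=$4 min=${5:-2048} rc=0   # 2048 default is an assumption
    fail() { echo "FAIL: $*" >&2; rc=1; }
    # 1. The server certificate must chain to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        fail "certificate does not verify against $ca"
    # 2. The certificate must carry the public half of this private key.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        fail "private key does not match certificate"
    # 3. The subject CN must be the proxy's own hostname, as the guide requires.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] || fail "CN '$cn' is not '$host'"
    # 4. The public key must be at least MIN_BITS long.
    bits=$(openssl x509 -in "$crt" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min" ] || fail "key is ${bits:-?} bits, below $min"
    # 5. The certificate must not expire within 30 days (lifetime is set by -days).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        fail "certificate expires within 30 days"
    return $rc
}

# Build a throwaway CA and server pair (constructed test data, not real keys).
# The final openssl x509 -req call is a stand-in for sign.sh.
make_demo_pair() {
    d=$1 host=$2
    printf '[req]\ndistinguished_name=req\nx509_extensions=ca\n' >"$d/demo.cnf"
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\n' >>"$d/demo.cnf"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$d/demo.cnf" -subj "/CN=Demo CA" \
        -key "$d/ca.key" -out "$d/ca.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -config "$d/demo.cnf" -subj "/CN=$host" \
        -key "$d/server.key" -out "$d/server.csr"
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# Demo run on constructed data; on a real proxy, pass the files from /root/certs/.
tmp=$(mktemp -d) && make_demo_pair "$tmp" proxy.example.com &&
    check_cert_pair "$tmp/ca.crt" "$tmp/server.crt" "$tmp/server.key" proxy.example.com &&
    echo "all checks passed"
rm -rf "$tmp"
```

Keys generated with the guide's 1024-bit commands fail check 4 unless a lower MIN_BITS is passed as the fifth argument.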