Before making any adjustments, I made a backup of all of the files that I would be messing with using the tar command.
# tar -cvjf /root/ssl-backup.tar.bz2 /etc/httpd/conf/ssl.* \
    /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem
The first thing that I wanted to do was change the hostname of my server to be something more user-friendly. In my environment we have a very specific host naming convention that is extremely useful in determining the location, type, and environment of a server. They do not always make great URLs, so I wanted to CNAME it to satellite.example.com.
To change the hostname of the satellite server, you need to use the spacewalk-hostname-rename command. Unfortunately, it checks the hostname in a couple of different ways, including /proc/sys/kernel/hostname, the hostname command, and /etc/sysconfig/network. In order to make the command work, I temporarily changed the hostname of the box.
# hostname satellite.example.com
# vi /etc/sysconfig/network
HOSTNAME=satellite.example.com
After the hostname change is complete, you can run the spacewalk-hostname-rename command. When you run the command, it will generate new certificates for you as well. Make sure you use the correct values for the CA you plan to use.
Once you have completed the rename and the services have been restarted, you will need to get the CSR and upload it to your CA. The CSR is located in /root/ssl-build/satellite/server.csr. After you have processed it through your CA and have received the cert, you need to install it on the server. To do that you will need to create a package and then install it.
# rhn-ssl-tool --gen-server --set-hostname=satellite --rpm-only
# rpm -Uvh ./ssl-build/satellite/rhn-org-httpd-ssl-key-pair-satellite-1.0-2.noarch.rpm
The last thing is to set up your Root CA. Copy the Root CA into the RHN-ORG-TRUSTED-SSL-CERT file in /var/www/html/pub, /usr/share/rhn, and /root/ssl-build. Once you have copied the file over, you can update the SSL package for the hosts and copy it to the pub directory. Once that is done, you need to add the CA certificate to the local database with the rhn-ssl-dbstore command.
# rhn-ssl-tool --gen-ca --rpm-only
# cp rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm /var/www/html/pub/
# rhn-ssl-dbstore --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CER
If your cert has an intermediate cert in addition to a root cert, you can chain them by combining both of them into the RHN-ORG-TRUSTED-SSL-CERT file, adding the intermediate followed by the root.
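Before distributing a combined file like this, it helps to confirm the order is what you intended. The script below is an added example, not part of the original post or of Spacewalk: it assumes the openssl CLI is installed, and the function names split_bundle and check_bundle_order are made up for illustration.

```sh
#!/bin/sh
# Added example: check the order of a PEM CA bundle (intermediate first, root last).
# Requires the openssl CLI. The bundle is whatever file you pass as the argument.

# Split a PEM bundle into $2/cert-0.pem, $2/cert-1.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Exit status 0: every certificate names the next one as its issuer and the
# last one is self-issued. 1: wrong order or a missing link. 2: no certificates.
# This compares issuer/subject name hashes only; it does not check signatures.
# The body runs in a subshell "( )" so the variables and the trap stay local.
check_bundle_order() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    split_bundle "$1" "$tmp"
    [ -f "$tmp/cert-0.pem" ] || { echo "no certificates in $1" >&2; exit 2; }
    i=0 rc=0
    while [ -f "$tmp/cert-$i.pem" ]; do
        parent="$tmp/cert-$((i + 1)).pem"
        # The last certificate has no successor, so it must be its own issuer.
        [ -f "$parent" ] || parent="$tmp/cert-$i.pem"
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$parent" -noout -subject_hash)
        # An empty hash means openssl could not parse the certificate.
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            echo "certificate $i: issuer does not match the next subject" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    exit "$rc"
)

# Run against a file when one is given on the command line.
if [ "$#" -ge 1 ]; then
    check_bundle_order "$1"
fi
```

A passing result only shows that the names line up in the expected order; validating the server certificate against the bundle is a separate check.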