How to recreate SMT 11 CA and server certificate

This document (7006024) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Subscription Management tool or SUSE Linux Enterprise Server 11 and SUSE Linux Enterprise Server 10

Situation

It is usually unnecessary to recreate the CA and server certificate. If you think your CA or server certificate is not functioning as expected, you may need to recreate them. This TID explains how.

Resolution

Delete the old CA
  1. Since YaST does not allow deleting an existing CA as long as it has not expired, the related files have to be removed manually.
  2. Open up a shell, change to /var/lib/CAM and move the directory of the existing CA to /tmp/, e.g. by executing "mv YaST_Default_CA /tmp/". Attention: Do not move or delete the ".cas" directory.

Create root CA
  1. From the root shell start 'yast2 ca_mgm'.
  2. Select 'Create Root CA'.
  3. For "CA Name" and "Common Name" enter "YaST_Default_CA". Do not use the server name or the server FQDN here, since this would complicate later error analysis!
  4. Enter the email address of the issuer (and select "Add") and enter optional information such as organization, unit, locality, state and country.
  5. Select "Next".
  6. Choose the password, length of the key and its validity.
  7. Select "Next" to see an overview about the CA.
  8. Select "Create" to create the CA.

Create server certificate
  1. Select the newly created CA in the YaST2 CA management module.
  2. Press "Enter CA".
  3. Enter the CA password.
  4. Select the Certificates tab.
  5. Click on "Add" and choose Server Certificate.
  6. Provide the requested data:
  7. For Common Name put in the fully qualified domain name (FQDN) of the server, for example "smt-server.example.net". This is mandatory!
  8. Add a valid email address of the server administrator and press "Add".
  9. Press "Next".
  10. Here it is possible to either use the CA password for the server certificate or a different one. Key length and validity may also be changed.
  11. Optional: Enter the IP address of the server as Subject Alternative Name. This ensures that clients can also connect to the server via its IP address.
    • Select 'Advanced Options'.
    • Select 'Subject Alt Name' (not to be confused with Issuer Alt Name!).
    • Select 'Add'.
    • Choose 'IP' and put in the IP address of the server.
    • Select 'Ok'.
  12. Select 'Next' to get to an overview over the certificate.
  13. Select 'Create' to create the server certificate.

Export the certificate as common server certificate, so that the Apache HTTP server uses it
  1. On the certificates tab locate the "Export" button.
  2. Select "Export as common server certificate".
  3. Enter the password that was chosen for the server certificate.
  4. A message "Certificate has been written as common server certificate" will be displayed.

Export the CA certificate to the smt.crt file
  1. In the YaST2 CA management module change to the "Description" tab and select "Advanced / Export to File".
  2. Select "Only the Certificate in PEM Format" and enter "/srv/www/htdocs/smt.crt" as the filename.
  3. Select "Ok" to export the file.
  4. Leave YaST.

Restart SMT
  1. Restart the SMT server by entering "rcsmt restart" into the root shell. This also restarts the Apache HTTP server, so that Apache uses the new certificate.

Import the newly created CA to the SMT clients
  1. Execute "clientSetup4SMT.sh --host smt-server.example.net" (adjust the FQDN to your SMT server) to import the new CA to the SMT clients and to make the clients trust the new CA. On SLE 11 clients you can alternatively use the "yast2 inst_suse_register" module (select "Advanced" and follow the instructions).
  2. Execute "suse_register -L /root/.suse_register.log" to register the client against the SMT server.


Additional Information

Please note: if the server certificate of the SMT system has expired (by default this happens after one year), you do not need to re-create the CA. Just create a new server certificate, export it as common server certificate and restart the SMT service as described above. There is no need to make any changes to the clients either, as they automatically accept the new server certificate because they already trust the root CA.

More documentation on certificates can be found in the SMT 11 documentation at http://www.novell.com/documentation/smt11/; see chapter 7.3, Server Certificates.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7006024
  • Creation Date: 18-MAY-10
  • Modified Date: 10-SEP-13
  • Products: SUSE Subscription Management Tool, SUSE Linux Enterprise Server