[Spacewalk-list] placing Satellite behind a VIP

wm-lists wm-lists at nixpeeps.com
Fri May 23 15:09:25 UTC 2014


So I discovered that if I manually sign the csr generated by the
rhn-ssl-tool, the generated certificate has the SAN information in it.

I'm guessing that the rhn-ssl-tool probably is missing something from the
command line for signing.  I've gone ahead and opened a support case with
Red Hat for this.

# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out /tmp/server.crt -extensions v3_req -extfile rhn-server-openssl.cnf
Signature ok
subject=<subject>
Getting Private key
# openssl x509 -text -in /tmp/server.crt -noout
...
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:<Name 1>, DNS:<Name 2>, DNS:<Name 3>


On Fri, May 23, 2014 at 10:19 AM, wm-lists <wm-lists at nixpeeps.com> wrote:

> Thanks for the response Justin. So I've been messing w/ the rhn-ssl-tool
> this morning to generate new webserver certs with SANs in them.  I can see
> in the .cnf file that the names are there
> # pages where one requests the certificate...
> subjectAltName          = @alt_names
>
> [alt_names]
> DNS.1 =<name1>
> DNS.2 =<name2>
> DNS.3 =<name3>
> DNS.4 = <name4>
>
> and I can see in the associated .csr file that the x509 output has the
> names
>             X509v3 Subject Alternative Name:
>                 DNS:<name 1>, DNS:<name 2>, DNS:<name 3>, DNS:<name 4>
>
> But I don't see any output in the .crt file that would indicate the
> existence of SANs.
>
> Should the .crt file have this information in it?
>
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage:
>                 Digital Signature, Key Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             Netscape Cert Type:
>                 SSL Server
>             Netscape Comment:
>                 RHN SSL Tool Generated Certificate
>             X509v3 Subject Key Identifier:
>               <numbers>
>             X509v3 Authority Key Identifier:
>                 keyid:<key>
>                 DirName<dir stuff>
>                 serial:<serial>
>
>
> Thanks for any input...
>
> Will
>
>
> On Fri, May 16, 2014 at 2:55 PM, Justin Edmands <shockwavecs at gmail.com> wrote:
>
>> On Fri, May 16, 2014 at 12:36 PM, wm-lists <wm-lists at nixpeeps.com> wrote:
>>
>>> I'm in the process of placing my satellite server and its passive backup
>>> at our DR location behind a VIP address (rhn.domain.net).  The VIP will
>>> forward traffic to whichever satellite is running (DR or Primary).  I've
>>> already got the failover/backup db part figured out.
>>> What I'm trying to figure out is whether I need to do a
>>> spacewalk-hostname-rename on the primary satellite server and give it the
>>> new VIP name or is there a better process for this.
>>>
>>> The idea is that I can configure the DR server w/ the same SSL
>>> configuration, restore the current db backup to the DR location and start
>>> up satellite there in the event something happens to our primary server.
>>>
>>> Any thoughts about how to handle this?
>>>
>>> Thanks!
>>> Will
>>>
>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>
>> Well since you said the main reason is for SSL, just use a SAN. Subject
>> Alternative Name. If self signed, you can use quite a few. If provided by
>> 3rd party, I think most limit it to 5 SANs per cert.
>>
>>
>
>
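
Added example, not part of the original thread: a shell check for the symptom described above, where the CSR carries the Subject Alternative Names but the certificate produced at signing does not. The function names and the sample host names are assumptions made for illustration; the tools used are openssl, awk, sort and grep.

```sh
#!/bin/sh
# Added example: list SAN entries that a CSR requested but the issued cert lacks.

# Parse `openssl req|x509 -noout -text` output on stdin; one SAN entry per line.
san_from_text() {
    awk '
        grab { gsub(/^[ \t]+/, ""); gsub(/[ \t]+$/, "")
               n = split($0, e, /,[ \t]*/)
               for (i = 1; i <= n; i++) if (e[i] != "") print e[i]
               grab = 0; next }
        /X509v3 Subject Alternative Name:/ { grab = 1 }   # value is on the next line
    ' | sort -u
}

# $1 = CSR text dump, $2 = certificate text dump; prints the dropped entries.
missing_sans() {
    have=$(printf '%s\n' "$2" | san_from_text)
    printf '%s\n' "$1" | san_from_text | while IFS= read -r name; do
        printf '%s\n' "$have" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# File wrapper (hypothetical helper name): check_issued server.csr server.crt
check_issued() {
    csr=$(openssl req -in "$1" -noout -text) || return 2
    crt=$(openssl x509 -in "$2" -noout -text) || return 2
    dropped=$(missing_sans "$csr" "$crt")
    [ -z "$dropped" ] && return 0
    printf 'SAN entries dropped at signing:\n%s\n' "$dropped" >&2
    return 1
}

# Constructed sample dumps (names are placeholders, not values from the thread).
CSR_SAMPLE='        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:rhn.example.net, DNS:sat1.example.net, DNS:sat2.example.net'
CRT_NO_SAN='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                RHN SSL Tool Generated Certificate'
CRT_WITH_SAN='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:rhn.example.net, DNS:sat1.example.net, DNS:sat2.example.net'
```

The -signkey form shown in the message self-signs the certificate with the server key, so the same comparison should be repeated on whatever certificate the CA finally issues.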