[Spacewalk-list] Regenerating ssl certificate with Spacewalk 2.4 SHA1 to SHA2

Ian Bishop IBISHOP at BCLC.com
Tue Oct 27 16:07:23 UTC 2015


Because our vuln scanner catches that the SSL cert has been hashed by an insecure algorithm (SHA1).

So we would need to update the shared cert...

Ian

-----Original Message-----
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Tomas Lestach
Sent: Monday, October 26, 2015 8:46 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Regenerating ssl certificate with Spacewalk 2.4 SHA1 to SHA2

> The question is after upgrading from Spacewalk 2.3 to 2.4, can I
> generate a new SHA256 ssl cert/RPM with the spacewalk-certs-tool
> (rhn-ssl-tool --gen-server) for each of the web servers and proxies
> without having to change the certs on the clients?  From my digging it
> looks like I should be able to do that without creating a new
> RHN-ORG-TRUSTED-SSL-CERT.  So the answer seems to be yes.  Can anyone
> confirm?

The question is why you'd want to regenerate the SSL certificate(s) after the upgrade. Can't you continue using the existing one(s)?

RHN-ORG-TRUSTED-SSL-CERT is actually the SSL certificate, so my answer is yes: after you refresh the SSL certificate, you need to distribute it to all your clients to use SSL communication.

> Also, this would be very useful info for the 2.3 to 2.4 upgrade
> document.

https://fedorahosted.org/spacewalk/wiki/HowToUpgrade

Regards,
--
Tomas Lestach
Red Hat Satellite Engineering, Red Hat
