SSL Certificates

Uyuni uses SSL certificates to ensure that clients are registered to the correct server.

Every client that uses SSL to register to the Uyuni Server checks that it is connecting to the right server by validating against a server certificate. This process is called an SSL handshake.

During the SSL handshake, the client will check that the hostname in the server certificate matches what it expects. The client also needs to check if the server certificate is trusted.

Every Uyuni Server that uses SSL requires an SSL server certificate. Provide the path to the server certificate using the SERVER_CERT environment variable during setup, or with the --from-server-cert option of the rhn-ssl-tool command.

Certificate authorities (CAs) are certificates that are used to sign other certificates. All certificates must be signed by a certificate authority (CA) in order for them to be considered valid, and for clients to be able to successfully match against them.

When an organization signs its own certificate, the certificate is considered self-signed. A self-signed certificate is straight-forward to set up, and does not cost any money, but they are considered less secure. If you are using a self-signed certificate, you will have a root CA that is signed with itself. When you look at the details of a root CA, you will see that the subject has the same value as the issuer. Provide the path to your root CA certificate using the CA_CERT environment variable during setup, or with the --ca-cert option of the rhn-ssl-tool command.

In order for SSL authentication to work correctly, the client must trust the root CA. This means that the root CA must be installed on every client.

The default method of SSL authentication is for Uyuni to use self-signed certificates. In this case, Uyuni has generated all the certificates, and the root CA has signed the server certificate directly.

An alternative method is to use an intermediate CA. In this case, the root CA signs the intermediate CA. The intermediate CA can then sign any number of other intermediate CAs, and the final one signs the server certificate. This is referred to as a chained certificate.

If you are using intermediate CAs in a chained certificate, the root CA is installed on the client, and the server certificate is installed on the server. During the SSL handshake, clients must be able to verify the entire chain of intermediate certificates between the root CA and the server certificate, so they must be able to access all the intermediate certificates.

There are two main ways of achieving this. In Uyuni, by default, all the intermediate CAs are installed on the client. However, you could also configure your services on the server to provide them to the client. In this case, during the SSL handshake, the server presents the server certificate as well as all the intermediate CAs.

Whichever method you choose, you must ensure that the CA_CERT environment variable points to the root CA, and all intermediate CAs. It should not contain the server certificate. The server certificate must be defined at the SERVER_CERT environment variable.

By default, Uyuni uses a self-signed certificate. For additional security, you can arrange a third party CA to sign your certificates. Third party CAs perform checks to ensure that the information contained in the certificate is correct. They will usually charge an annual fee for this service. Using a third party CA makes certificates harder to spoof, and will provide additional protection for your installation. If you have certificates signed by a third party CA, you can import them to your Uyuni installation.