[Spacewalk-list] Can rhn-org-trusted-ssl-cert be renamed?
Mark Prangnell
2018-11-21 16:50:13 UTC

I'm in the process of writing some internal documentation ref usage and updating of ssl wildcard certs within my company with spacewalk and the question has been asked whether the ca-cert value (RHN-ORG-TRUSTED-SSL-CERT) can be set to something different (ie, more related to own company) or is the usage of the name RHN-ORG-TRUSTED-SSL-CERT hardcoded in some way in spacewalk?

Every piece of documentation I've been able to find references using this particular name for the cert.


Mark Prangnell
Network Services Engineer

T 0845 4566541 W talktalk.co.uk<https://www.talktalk.co.uk/>
TalkTalk Group Plc


This communication together with any attachments transmitted with it
("this E-Mail") is intended only for the use of the addressee and may contain
information which is privileged and confidential. If the reader of this E-Mail
is not the intended recipient or the employee or agent responsible for
delivering it to the intended recipient you are hereby notified that any use,
dissemination, forwarding, printing or copying of this E-Mail is strictly
prohibited. Addressees should check this E-mail for viruses. The Company makes
no representations as regards the absence of viruses in this E-Mail. If you
have received this E-Mail in error please notify our IT Service Desk
immediately by e-mail at ***@talktalkplc.com Please then immediately
delete, erase or otherwise destroy this E-Mail and any copies of it.

Any opinions expressed in this E-Mail are those of the author and do not
necessarily constitute the views of the Company. Nothing in this E-Mail shall
bind the Company in any contract or obligation.

For the purposes of this E-Mail "the Company" means TalkTalk Telecom Group PLC
and/or any of its subsidiaries.

Please feel free to visit our website: www.talktalkgroup.com

TalkTalk Telecom Group Plc (Registered in England & Wales No. 7105891)
11 Evesham Street, London W11 4AR
Avi Miller
2018-11-21 19:45:11 UTC
Hey Mark,
Post by Mark Prangnell
I’m in the process of writing some internal documentation ref usage and updating of ssl wildcard certs within my company with spacewalk and the question has been asked whether the ca-cert value (RHN-ORG-TRUSTED-SSL-CERT) can be set to something different (ie, more related to own company) or is the usage of the name RHN-ORG-TRUSTED-SSL-CERT hardcoded in some way in spacewalk?
It's possible to rename RHN-ORG-TRUSTED-SSL-CERT on the clients but you'll have to then change the sslCACert value in /etc/sysconfig/rhn/up2date to point to the right certificate. This is supposed to work for osad as well, but you may need to set osa_ssl_cert in /etc/sysconfig/rhn/osad.conf manually as well.

And make sure that these values are still in place after any upgrade of the Spacewalk client, I guess. :)


Oracle <http://www.oracle.com>
Avi Miller | Product Management Director | +61 (3) 8616 3496
Oracle Linux and Virtualization
417 St Kilda Road, Melbourne, Victoria 3004 Australia
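
A drift check for the two client settings named in the reply above, as an added example that is not part of the original thread or of Spacewalk itself. The file name EXAMPLE-ORG-CA-CERT, the sample config contents and the helper names are constructed for illustration; on a real client the function would be pointed at /etc/sysconfig/rhn/up2date and /etc/sysconfig/rhn/osad.conf.

```bash
#!/usr/bin/env bash
# Added example: confirm client configs still point at a renamed CA cert,
# e.g. after a Spacewalk client package upgrade.

# Print the value assigned to KEY in FILE (last assignment wins).
# Skips comment lines and up2date's "key[comment]=..." description lines.
get_setting() {
    local file="$1" key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# 0 = setting matches and cert is readable, 1 = drift,
# 2 = config file missing, 3 = cert file missing.
check_ca_setting() {
    local file="$1" key="$2" expected="$3" actual
    [ -r "$file" ] || { echo "MISSING  $file"; return 2; }
    actual=$(get_setting "$file" "$key")
    if [ "$actual" != "$expected" ]; then
        echo "DRIFT    $file: $key=${actual:-<unset>} (want $expected)"
        return 1
    fi
    [ -r "$expected" ] || { echo "NOCERT   $expected is not readable"; return 3; }
    echo "OK       $file: $key=$actual"
}

# Constructed sample configs (not from a real host) in a scratch directory.
make_fixture() {
    local d="$1"
    : > "$d/EXAMPLE-ORG-CA-CERT"   # hypothetical renamed CA file
    printf '%s\n' 'sslCACert[comment]=The CA cert used to verify the ssl server' \
        "sslCACert=$d/EXAMPLE-ORG-CA-CERT" > "$d/up2date"
    # osad.conf as an upgrade might leave it: back on the default name
    printf '%s\n' '[osad]' \
        "osa_ssl_cert = $d/RHN-ORG-TRUSTED-SSL-CERT" > "$d/osad.conf"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
check_ca_setting "$tmp/up2date"   sslCACert    "$tmp/EXAMPLE-ORG-CA-CERT"
check_ca_setting "$tmp/osad.conf" osa_ssl_cert "$tmp/EXAMPLE-ORG-CA-CERT"
rm -rf "$tmp"
```
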
Mark Prangnell
2018-11-22 17:12:28 UTC
Thanks Avi,

I shall look into that.

To change it server side, would it be a case of concatenating the various files you would normally put into RHN-ORG-TRUSTED-SSL-CERT into a file with a name of your choosing and then generating the public CA cert package (running the rhn-ssl-dbstore command) just using the different file name instead?


Avi Miller
2018-11-22 17:56:39 UTC
Post by Mark Prangnell
To change it server side, would it be a case of concatenating the various files you would normally put into RHN-ORG-TRUSTED-SSL-CERT into a file with a name of your choosing and then generating the public CA cert package (running the rhn-ssl-dbstore command) just using the different file name instead?
To be honest, I've never considered changing it server-side so I can't answer this with any degree of certainty. However, you're correct in your assessment, but note that the RPMs will not be created correctly because they are hard-coded to look for RHN-ORG-TRUSTED-SSL-CERT. This may cause problems down the track if you want to PXE boot systems and have them auto-register to Spacewalk.

Also, why exactly do you want to change the name of this file anyway? :) I suspect that while it could be made to work, you're just setting yourself up for future technical debt on every upgrade of every system.


Oracle <http://www.oracle.com>
Avi Miller | Product Management Director | +61 (3) 8616 3496
Oracle Linux and Virtualization
417 St Kilda Road, Melbourne, Victoria 3004 Australia
Mark Prangnell
2018-11-26 09:42:21 UTC
Thanks Avi,

RPMs not being created properly and causing issues down the line is good enough reason not to do it! :)

The main reason behind the thinking of changing it was so it would be clear that it is using our particular SSL cert information, as opposed to something which could be missed in the event of an update or a platform rebuild.

Thanks for the information.


Mark Prangnell
Network Services Engineer

T 0845 4566541  W talktalk.co.uk
TalkTalk Group Plc
