
OpenSSL Certificates

Ladislav Slezák edited this page Feb 27, 2019 · 18 revisions

Introduction

When using the default SCC server address (https://scc.suse.com) for registration, no extra setup is needed: the SCC certificate is signed by a well-known certificate authority that is already trusted in the installation system.

But when using a custom SMT or RMT local registration server, it is quite common to use a self-signed certificate or a certificate signed by an unknown certificate authority (usually your own).

In that case YaST displays a popup reporting that the SSL communication failed.

Importing a Self-signed SSL Certificate

YaST supports importing a self-signed certificate automatically.

[Screenshot: sle15-sp1-certificate-failure-new-gui-self-signed]

⚠️ When importing a self-signed certificate you should verify that the certificate subject and issuer are correct and that the certificate fingerprint matches the expected value. Importing unknown or unverified certificates is a big security risk!

You should obtain the fingerprint value via a secure channel: the connection to the registration server will only be as secure as the way you verified the certificate. Importing an unverified certificate does not make the connection secure.

Importing a Certificate Signed by an Unknown Certificate Authority

Such certificates cannot be imported by YaST automatically; you need to import the certificate into the system manually.

Installation

  • At the registration step, switch to another console or press Ctrl+Alt+Shift+X in the graphical installation to start an xterm session (this does not work in the text mode installation).
  • Save the certificate to the /etc/pki/trust/anchors/registration-server.pem file; you can copy the certificate from a disk, download it using curl, copy it from a USB flash disk, etc.
  • Then run the /usr/lib/YaST2/bin/install_ssl_certificates script.
  • You can verify that the connection to the server now works correctly using the curl command.
  • Switch back to the installer and continue with the registration step.

[Screenshot: sle15-sp1-certificate-failure-new]

Installed System

  • Save the certificate to the /etc/pki/trust/anchors/registration-server.pem file; you can copy the certificate from a disk, download it using curl, copy it from a USB flash disk, etc.
  • Then run the update-ca-certificates script.
  • You can verify that the connection to the server now works correctly using the curl command.
  • Run the registration module.
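The steps above (and the installation-time variant, which differs only in the refresh script) as one added shell example, not part of the YaST wiki page: it prints the subject and issuer, compares the certificate's SHA-256 fingerprint with the value obtained out of band, and only then installs the anchor, refreshes the trust store and checks the connection with curl. The paths /etc/pki/trust/anchors/registration-server.pem, update-ca-certificates and /usr/lib/YaST2/bin/install_ssl_certificates come from the page; the function names, the REFRESH_CMD variable and the placeholder arguments are assumptions, and openssl and curl are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the YaST wiki: verify a registration server
# certificate before trusting it, then install it as a system trust anchor.
# Assumed: openssl and curl are available; run as root for the install step.

# Path taken from the wiki page.
ANCHOR=/etc/pki/trust/anchors/registration-server.pem
# Trust store refresh command from the page: update-ca-certificates on an
# installed system, /usr/lib/YaST2/bin/install_ssl_certificates in the installer.
REFRESH_CMD=${REFRESH_CMD:-update-ca-certificates}

# Normalize a fingerprint so "ab:cd:EF" and "ABCDEF" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed (exit 0) only when the SHA-256 fingerprint of the certificate
# file $1 equals $2, the value obtained over a secure, out-of-band channel.
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$actual" ] && [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# Print subject, issuer and validity so the operator can confirm the identity.
show_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Copy the verified certificate into the anchors directory and refresh the store.
install_anchor() {
    install -m 0644 "$1" "$ANCHOR" && "$REFRESH_CMD"
}

# Confirm that TLS now validates without any --insecure / -k workaround.
check_connection() {
    curl --silent --show-error --output /dev/null "$1"
}

# Usage with placeholder values (assumed script name):
#   sh verify_and_import.sh server.pem 'AA:BB:...:FF' https://smt.example.com
main() {
    cert=$1 expected=$2 url=$3
    show_identity "$cert"
    if ! fingerprint_matches "$cert" "$expected"; then
        echo "Fingerprint mismatch: refusing to import $cert" >&2
        return 1
    fi
    install_anchor "$cert"
    check_connection "$url" && echo "TLS verification against $url succeeded"
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

The fingerprint comparison is deliberately done before anything is written to /etc/pki/trust/anchors, so a certificate whose fingerprint does not match the out-of-band value never reaches the trust store; in the installer, set REFRESH_CMD=/usr/lib/YaST2/bin/install_ssl_certificates instead of the default.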

Details

The imported certificate is saved to the /etc/pki/trust/anchors/registration-server.pem file in the installed system.