Chapter 3. SSL Infrastructure 153.2.3. Generating the Certificate Authority SSL Key PairBefore creating the SSL key set required by the Web server, you must have a Certificate Authority(CA) SSL key pair generated. A CA SSL public certificate gets distributed to client systems of theSatellite or Proxy. The RHN SSL Maintenance Tool allows you to generate a CA SSL key pair ifneeded and re-use it for all subsequent RHN server deployments.The build process automatically creates the key pair and public RPM for distribution to clients. All CAcomponents end up in the build directory specified at the command line, typically /root/ssl-build(or /etc/sysconfig/rhn/ssl for older Satellites and Proxies). To generate a CA SSL key pair,issue a command like this:rhn-ssl-tool --gen-ca --password=MY_CA_PASSWORD --dir="/root/ssl-build" \--set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc." \--set-org-unit="SSL CA Unit"Replace the example values with those appropriate for your organization. This will result in the fol-lowing relevant files in the specified build directory:• RHN-ORG-PRIVATE-SSL-KEY — the private CA key• RHN-ORG-TRUSTED-SSL-CERT — the public CA certificate• rhn-org-trusted-ssl-cert-VER-REL.noarch.rpm — the RPM prepared for distribution toclient systems• rhn-ca-openssl.cnf — the SSL CA configuration file• latest.txt — always lists the latest versions of the relevant files.Once finished, you’re ready to distribute the RPM to client systems. Refer to Section 3.3 Deployingthe CA SSL Public Certificate to Clients.3.2.4. Generating Web Server SSL Key SetsAlthough you must have a CA SSL key pair already generated, you will likely generate web serverSSL key sets more frequently, especially if more than one Proxy or Satellite is deployed. Note that thevalue for --set-hostname is different for each server. In other words, a distinct set of SSL keys andcertificates needs to be generated and installed for every distinct RHN server hostname.The server certificate build process works much like CA SSL key pair generation with one exception:All server components end up in subdirectories of the build directory that reflect the build system’smachine name, such as /root/ssl-build/MACHINE_NAME. To generate server certificates, issue acommand like this:rhn-ssl-tool --gen-server --password=MY_CA_PASSWORD --dir="/root/ssl-build" \--set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc." \--set-org-unit="IS/IT" --email="admin@example.com" \--set-hostname="rhnbox1.example.comReplace the example values with those appropriate for your organization. This will result in the fol-lowing relevant files in a machine-specific subdirectory of the build directory:• server.key — the Web server’s SSL private server key• server.csr — the Web server’s SSL certificate request• server.crt — the web server’s SSL public certificate