Chapter 3. SSL Infrastructure

• rhn-org-trusted-ssl-cert-VER-REL.noarch.rpm — the RPM prepared for distribution to client systems. It contains the CA SSL public certificate (above) and installs it in this location: /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
• rhn-ca-openssl.cnf — the SSL CA configuration file
• latest.txt — always lists the latest versions of the relevant files.

Once finished, you’re ready to distribute the RPM to client systems. Refer to Section 3.3 Deploying the CA SSL Public Certificate to Clients.

3.2.4. Generating Web Server SSL Key Sets

Although you must have a CA SSL key pair already generated, you will likely generate web server SSL key sets more frequently, especially if more than one Proxy or Satellite is deployed. Note that the value for --set-hostname is different for each server. In other words, a distinct set of SSL keys and certificates must be generated and installed for every distinct RHN server hostname.

The server certificate build process works much like CA SSL key pair generation, with one exception: all server components end up in subdirectories of the build directory that reflect the build system’s machine name, such as /root/ssl-build/MACHINE_NAME. To generate server certificates, issue a command like this:

    rhn-ssl-tool --gen-server --password=MY_CA_PASSWORD --dir="/root/ssl-build" \
        --set-state="North Carolina" --set-city="Raleigh" --set-org="Example Inc." \
        --set-org-unit="IS/IT" --email="admin@example.com" \
        --set-hostname="rhnbox1.example.com"

Replace the example values with those appropriate for your organization. This will result in the following relevant files in a machine-specific subdirectory of the build directory:

• server.key — the web server’s SSL private server key
• server.csr — the web server’s SSL certificate request
• server.crt — the web server’s SSL public certificate
• rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm — the RPM prepared for distribution to RHN Servers. Its associated src.rpm file is also generated. This RPM contains the above three files. It will install them in these locations:
    • /etc/httpd/conf/ssl.key/server.key
    • /etc/httpd/conf/ssl.csr/server.csr
    • /etc/httpd/conf/ssl.crt/server.crt
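
Because every RHN server hostname needs its own key set, it is worth confirming that a generated set is internally consistent, names the intended host, and chains to your CA before the RPM is installed. The script below is an added example, not part of this guide or of rhn-ssl-tool; check_keyset is a hypothetical helper, and it assumes the openssl command-line tool is installed and that server.key is not passphrase-protected.

```sh
#!/bin/sh
# Added example, not part of the RHN guide. check_keyset is a hypothetical helper.
# Assumes the openssl CLI is installed and server.key is not passphrase-protected.
# Usage: sh check_keyset.sh KEYSET_DIR CA_CERT HOSTNAME

# Hash a PEM public key read from stdin so two keys can be compared as strings.
pubkey_sha() { openssl sha256 | awk '{print $NF}'; }

check_keyset() {
    dir=$1; ca=$2; host=$3

    for f in server.key server.csr server.crt; do
        [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f is missing or empty"; return 1; }
    done

    # 1. Key, request and certificate must all carry the same public key.
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | pubkey_sha)
    r=$(openssl req -in "$dir/server.csr" -noout -pubkey 2>/dev/null | pubkey_sha)
    c=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null | pubkey_sha)
    if [ "$k" != "$c" ] || [ "$r" != "$c" ]; then
        echo "FAIL: server.key, server.csr and server.crt do not belong together"
        return 2
    fi

    # 2. The certificate must name the hostname given to --set-hostname.
    if ! openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: server.crt was not issued for $host"
        return 3
    fi

    # 3. The certificate must chain to the CA certificate that clients trust.
    if ! openssl verify -CAfile "$ca" "$dir/server.crt" >/dev/null 2>&1; then
        echo "FAIL: server.crt is not signed by the CA in $ca"
        return 4
    fi

    echo "OK: key set in $dir is consistent and valid for $host"
}

if [ "$#" -eq 3 ]; then check_keyset "$@"; fi
```

Run it against the machine-specific subdirectory of the build directory, passing the CA SSL public certificate and the value used for --set-hostname.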