HMS-1316 (project: Insights Experiences)

Ship RHSM cert trust chain in RHEL (Candlepin certs missing)

      Scope:

      • Get the pull requests created and connect with the Candlepin team to discuss them and request review.

      The RHEL package subscription-manager-rhsm-certificates provides most of the trust chain for RHSM host certs in the PEM bundle /etc/rhsm/ca/redhat-uep.pem. The file contains the root CA (Entitlement Master CA) and the first intermediate CA (Red Hat Entitlement Operations Authority). It is missing the intermediate Candlepin CAs that sit between the operations CA cert and each host's RHSM end-entity cert.

      In order to use TLS client cert authentication or PKINIT, we are going to need the entire trust chain. PKINIT requires the full chain on the KDC (IdM server) and on the kinit side (IdM client). TLS client certificate authentication only needs the chain on the server side. It would help us a lot if the entire chain were shipped in RHEL and kept up to date by the team that maintains the subscription-manager-rhsm-certificates package.

      requests

      • include the entire cert chain for RHSM certs (/etc/pki/consumer/cert.pem) in the package
      • update the chain bundle whenever a new CA is introduced.

      blockers

      The current Candlepin CA has a SHA-1 signature, which is not supported on RHEL 9. See HMSIDM-146.

      verification

      Once the CAs are in the file, this command should succeed on enrolled RHEL 8 and 9 machines.

      $ openssl verify -show_chain -CAfile /etc/rhsm/ca/redhat-uep.pem /etc/pki/consumer/cert.pem
      /etc/pki/consumer/cert.pem: OK
      Chain:
      depth=0: O = 7648012, CN = 58207b45-ba0e-499c-9bf8-551b44748fbb (untrusted)
      depth=1: C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Red Hat Candlepin Authority, emailAddress = ca-support@redhat.com
      depth=2: C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Red Hat Entitlement Operations Authority, emailAddress = ca-support@redhat.com
      depth=3: C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Entitlement Master CA, emailAddress = ca-support@redhat.com
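      To see which link of the chain a bundle is missing (rather than only that verification failed), the following added Python example walks from a leaf cert to a self-signed root through a PEM bundle and names the first issuer that is absent; it also flags any cert whose signature algorithm uses SHA-1, the blocker noted above. It is not code from this issue or from the subscription-manager project. It uses only the standard library, so it parses just enough DER to read issuer, subject and the signature OID, and it does not verify signatures (use `openssl verify` for that). The certificates it runs on are constructed fixtures with dummy keys and signatures whose names mirror the chain shown in the verification output; on a real host you would pass the contents of /etc/pki/consumer/cert.pem and /etc/rhsm/ca/redhat-uep.pem to check_chain instead.

```python
"""Added example: walk a PEM CA bundle from a leaf cert to a self-signed root.

Reports the first issuer missing from the bundle and any certificate whose
signature algorithm uses SHA-1. Standard library only: a minimal DER walker
extracts issuer, subject and signature OID. Links are matched the way X.509
path building does it, by byte-equality of the issuer Name and a candidate's
subject Name. Signatures are NOT cryptographically verified here.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# sha1WithRSAEncryption, ecdsa-with-SHA1, sha1WithRSAEncryption (legacy OIW arc)
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.3.14.3.2.29"}


def _tlv(buf, pos):
    """Read one DER element at pos -> (tag, content, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Yield (tag, content, raw_tlv) for every element of a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, end = _tlv(content, pos)
        yield tag, inner, content[pos:end]
        pos = end


def _oid(content):
    """Decode OID content bytes to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _cn(name_raw):
    """Best-effort commonName from a DER Name (SEQUENCE OF SET OF SEQUENCE{OID, value})."""
    for _, rdn, _ in _children(_tlv(name_raw, 0)[1]):
        for _, atv, _ in _children(rdn):
            oid, value = list(_children(atv))[:2]
            if _oid(oid[1]) == "2.5.4.3":
                return value[1].decode("utf-8", "replace")
    return "<no CN>"


def parse_cert(der):
    """Extract issuer/subject Name TLVs, their CNs and the signature algorithm OID."""
    tbs = list(_children(list(_children(_tlv(der, 0)[1]))[0][1]))
    if tbs[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # tbs is now: serialNumber, signature, issuer, validity, subject, spki, ...
    issuer, subject = tbs[2][2], tbs[4][2]
    return {"sig_oid": _oid(list(_children(tbs[1][1]))[0][1]),
            "issuer": issuer, "subject": subject,
            "issuer_cn": _cn(issuer), "subject_cn": _cn(subject)}


def load_pem(text):
    return [parse_cert(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(text)]


def check_chain(leaf_pem, bundle_pem):
    """Walk leaf -> root through bundle_pem. Returns (ok, chain_cns, problems)."""
    current, bundle, chain, problems = load_pem(leaf_pem)[0], load_pem(bundle_pem), [], []
    for _ in range(16):                     # guard against a cyclic bundle
        chain.append(current["subject_cn"])
        if current["sig_oid"] in SHA1_SIG_OIDS:
            problems.append("SHA-1 signature on: " + current["subject_cn"])
        if current["issuer"] == current["subject"]:
            break                           # self-signed root reached
        nxt = next((c for c in bundle if c["subject"] == current["issuer"]), None)
        if nxt is None:
            problems.append("missing issuer: " + current["issuer_cn"])
            break
        current = nxt
    else:
        problems.append("chain longer than 16 certs or cyclic")
    return not problems, chain, problems


# --- constructed fixtures: structurally valid certs with dummy keys and signatures ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn, sig_oid):
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") * 2)
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02" + _der(0x02, b"\x01") + alg + _name(issuer_cn)
               + validity + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"    # 1.2.840.113549.1.1.11
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"      # 1.2.840.113549.1.1.5
ROOT = fake_cert("Entitlement Master CA", "Entitlement Master CA", SHA256_RSA)
OPS = fake_cert("Red Hat Entitlement Operations Authority", "Entitlement Master CA", SHA256_RSA)
CANDLEPIN = fake_cert("Red Hat Candlepin Authority", "Red Hat Entitlement Operations Authority", SHA1_RSA)
LEAF = fake_cert("constructed-consumer-uuid", "Red Hat Candlepin Authority", SHA256_RSA)
SHIPPED_BUNDLE = ROOT + OPS               # what the issue says redhat-uep.pem holds today
FULL_BUNDLE = SHIPPED_BUNDLE + CANDLEPIN  # what the issue requests

if __name__ == "__main__":
    for label, bundle in (("shipped", SHIPPED_BUNDLE), ("full", FULL_BUNDLE)):
        print(label, check_chain(LEAF, bundle))
```

      With the shipped bundle the walk stops at the leaf and reports the Candlepin CA as the missing issuer; with the full bundle the chain closes at the root but the SHA-1 signature on the Candlepin CA is still reported, which matches the blocker above.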

            ftweedal1@redhat.com Fraser Tweedale
            cheimes@redhat.com Christian Heimes