Bug
Resolution: Done
Blocker
Hello,
On November 7, 2024 the IT-IAM team will be shutting down the legacy Red Hat Certificate System (RHCS) offering that was signed by the old 2015 Root CA. We have been referring to this legacy service as RHCSv1. The relatively few RHCSv1 signed certificates that are still valid should be replaced by certificates signed by the newer RHCSv2 service before November 7, 2024.[1,2]
This is happening because the RHCSv1 service is completely hosted on the RHV-RDU2 platform, which will be shut down on November 15, 2024.
We need to replace the following entries with new certificates and keys:
- secrets/insights-prod/rhsm-prod/pinhead/keystore.jks_qb64
- secrets/insights-stage/rhsm-stage/pinhead/keystore.jks_qb64
- secrets/insights-dev/rhsm-qa/pinhead/keystore.jks_qb64
- secrets/insights-dev/rhsm-ci/pinhead/keystore.jks_qb64

Note that stage, qa, and ci all use the same certificate and key. Additionally, we need to check the truststore entries and ensure that RHCSv2 is in the truststore.
Done criteria:
- Keystores are updated for prod, stage, qa, and ci.
- Truststores are verified to contain the RHCSv2 signing certificate
- App Interface updates that bump the version number of the secret used from Vault
- MRs issued for those updates and /lgtm-ed if possible.
- Make sure all services have restarted to load the new certificate
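
One way to script the truststore check from the done criteria, as an added example that is not part of the original ticket: it parses an already-decoded JKS file and compares the SHA-256 fingerprint of each certificate against the expected RHCSv2 signing certificate fingerprint. The function names are hypothetical, the `_qb64` encoding of the Vault secret is not handled, and the sample store is constructed from placeholder bytes rather than real certificates.

```python
import hashlib
import struct
JKS_MAGIC = 0xFEEDFEED

def _utf(buf, pos):
    # Java writeUTF string: 2-byte big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def _cert(buf, pos):
    # Certificate record: type string ("X.509"), 4-byte length, DER bytes
    _, pos = _utf(buf, pos)
    (n,) = struct.unpack_from(">I", buf, pos)
    return hashlib.sha256(buf[pos + 4:pos + 4 + n]).hexdigest(), pos + 4 + n

def jks_fingerprints(buf):
    """alias -> (kind, [SHA-256 per certificate]); integrity digest is not checked."""
    magic, version, count = struct.unpack_from(">III", buf, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version 2 JKS store")
    pos, out = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", buf, pos)
        alias, pos = _utf(buf, pos + 4)
        pos += 8  # skip creation timestamp
        if tag not in (1, 2):
            raise ValueError("unknown entry tag %d" % tag)
        n = 1  # tag 2, trusted certificate entry: exactly one certificate
        if tag == 1:  # private key entry: encrypted key blob, then chain count
            (klen,) = struct.unpack_from(">I", buf, pos)
            (n,) = struct.unpack_from(">I", buf, pos + 4 + klen)
            pos += 8 + klen
        fps = []
        for _ in range(n):
            fp, pos = _cert(buf, pos)
            fps.append(fp)
        out[alias] = ("key" if tag == 1 else "trusted", fps)
    return out

def truststore_has(buf, ca_sha256):
    return any(kind == "trusted" and ca_sha256.lower() in fps
               for kind, fps in jks_fingerprints(buf).values())

def sample_truststore(entries):
    # Constructed input: (alias, placeholder cert bytes) pairs; digest zeroed
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries:
        body += struct.pack(">IH", 2, len(alias)) + alias.encode() + bytes(8)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + bytes(20)
```

The expected fingerprint has to come from the CA's published signing certificate, not from the store being checked. A certificate that appears only in a private key entry's chain does not count as trusted here.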