How to replace tls certificate in suse manager

In my blog about how to obtain a signed ssl certificate using acme-dns and letsencrypt this blog is about how to replace self-signed ssl certificate in SUSE Manager with the fresh signed certificate from letsencrypt and use it.

Although SUSE Manager official documentation explains quite well how to replace ssl/tls certificates but I have been asked by so many users with questions that brought me to write this blog and try to give a better demo and understanding how it works.


You have CA chain in pem format.

You have SUSE Manager host certificate signing request file (csr)

You have signed SUSE Manager host server certificate + server certificate private key file, both in pem format

Copy all above files to SUSE Manager host into a directory e.g. /root/certs/


Now follow the steps as in SUSE Manager 4.1 doc

Run below commands as root user:

mv /root/ssl-build /root/old-ssl-build

mgr-ssl-tool --gen-ca --rpm-only --from-ca-cert=certs/AllCA.pem

mgr-ssl-tool --gen-server --rpm-only --from-server-key=certs/privkey1.pem --from-server-cert=certs/servercert1.pem

Now the directory /root/ssl-build/ is created and filled with CA file and rpm and tar files in which the certificates (Root CA + server certificate + server private key) are stored.

Let's do a quick check and this step is important to have successful result.

cd /root/certs

openssl verify -CAfile RHN-ORG-TRUSTED-SSL-CERT ./sumahostname/server.crt

./sumahostname/server.crt: OK

The status must be OK. If not then the root CA file is most probably not correct.

So now we checked the server cert is ok and we should installed the newest rpm on the suse manager host.

Take always the last recent up-to-date rpm version.

rpm -Uvh /root/certs/susemanagerhostname/rhn-org-httpd-ssl-key-pair-suma2-1.0-6.noarch.rpm

With the rpm command we just "deployed" the server certificate and private key to the apache web server on suse manager host.

Now we deploy the root CA file and the rpm to two places as below command shown:

/usr/bin/ --source-dir /root/ssl-build --target-dir /srv/www/htdocs/pub/ --trust-dir=/etc/pki/trust/anchors/

Now one of the last step is to update the database which is needed:

/usr/bin/rhn-ssl-dbstore --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

After all steps we finally restart existing suse manager service:

spacewalk-service restart

To deploy to existing salt-minion clients the new CA file you can use SUSE Manager Web UI and run highstate.

Watch out that osa-dispatcher and cobblerd services on SUSE Manager hosts are running successful.


In order to be on safe side it is a good practice to combine the initial CA into the CA file which come your Certificate Authority. This approach makes sure that the clients will be able to trust both server certificates (self-signed and signed by real CA) and won't get any ssl handshake issues and ensure business continuity.

Diese Webseite verwendet Cookies. Durch die weitere Nutzung stimmen Sie der Verwendung von Cookies zu.