RCT(8)                     RHSM Certificate Tool                     RCT(8)

rct - Displays information (headers) about, or the size and statistics
of, an entitlement, product, or identity certificate used by Red Hat
Subscription Manager.

rct cat-cert [--no-content] [--no-products] /path/to/certificate.pem
rct stat-cert /path/to/certificate.pem
rct cat-manifest [--no-content] /path/to/consumer_export.zip
rct dump-manifest [--destination /path] [--force] /path/to/consumer_export.zip

Red Hat Subscription Manager uses X.509 certificates to identify a
registered system (identity certificate), the products installed on
that system (product certificates), and the subscriptions attached to
the system (entitlement certificates), including available content
repositories, products, and support levels. All of the information that
Subscription Manager requires is contained in the body of the
certificate.

stat-cert
    Prints the size of the certificate and other details about the
    certificate. The precise details depend on the type of certificate
    being checked.

cat-cert
    Prints the information that is contained in the certificate itself,
    such as the certificate headers, serial numbers, products, and
    content sets. Two options, --no-content and --no-products, can be
    used to shorten the output to include only header and descriptive
    information.

cat-manifest
    Prints the information that is contained in the subscription
    service manifest. The manifest is an archive of JSON files which
    contain all of the subscription information for subscriptions
    allocated to the on-premise service. The --no-content option can be
    used to reduce the detail shown in the output.

dump-manifest
    Extracts the contents of the manifest archive.

The rct tool is used to gather information about the already-issued
certificates being used by Subscription Manager. The main reason for
that is that certificate sizes, for a number of reasons, impact content
delivery service performance.

For large accounts and organizations, there can be a very large number
of products and content sets available. Older versions of entitlement
certificates (version 1.0) used a different (less efficient) DER
encoding, so that large amounts of information result in very large
certificates. (This is what caused timeouts or crashes when dealing
with some content services.) Newer entitlement certificate versions
(version 3.0) use more efficient encoding on large content sets,
resulting in smaller certificate content sizes and better service
performance.

If there are problems with the content service timing out or returning
errors, then the rct stat-cert command can be used to check the size
and version of a given entitlement certificate quickly.

A large number of content sets is anything over 185 total sets. Both
the total number of content sets and the size of the DER encoding in
the certificate could affect performance.

OPTIONS
/path/to/cert.pem
    Gives the full path and filename to the PEM certificate for the
    given subscription, product, or system. This is required.

EXAMPLES
The statistics for an entitlement certificate show both the DER size
and the number of content sets, among other information:

* Type (entitlement certificate)

* Version (of the certificate style); newer versions will be 3.x, with
  better performance for handling large content sets

* DER size, which gives the size of the certificate contents (not the
  size of the certificate file itself)

* Key size, for the associated key file, in bytes

* The total number of available content sets in the subscription

For example:
[root@server ~]# rct stat-cert /etc/pki/entitlement/2027912482659389239.pem
Type: Entitlement Certificate
Version: 1.0
DER size: 47555b
Subject Key ID size: 553b
Content sets: 100

While the size of the certificate is less of an issue for identity and
product certificates (which are quite small), the stat-cert command can
still be used to view the size and statistics of the certificates.

For a product certificate, the stat-cert command shows:

* Type (product certificate)

* Version (of the certificate style)

* DER size, which gives the size of the certificate contents (not the
  size of the certificate file itself)

For example:
[root@server ~]# rct stat-cert /etc/pki/product/69.pem
Type: Product Certificate
Version: 1.0
DER size: 1558b

For an identity certificate:

* Type (identity certificate)

* Version (of the certificate style)

* DER size, which gives the size of the certificate contents (not the
  size of the certificate file itself)

* Key size, for the associated key file, in bytes

For example:
[root@server ~]# rct stat-cert /etc/pki/consumer/cert.pem
Type: Identity Certificate
Version: 1.0
DER size: 1488b
Subject Key ID size: 20b

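One way to script the stat-cert check described above (an added example, not part of rct or of the original page): the function reads stat-cert output and warns when an entitlement certificate uses the version 1.x format or lists more than 185 content sets. The function name, summary line format and reason labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of rct): flag entitlement certificates that match
# the performance risk factors this page describes, from `rct stat-cert` output.
CONTENT_SET_LIMIT=185   # the page calls anything over 185 content sets "large"

# Reads `rct stat-cert` output on stdin and prints one summary line.
check_stat_cert() {
    awk -v limit="$CONTENT_SET_LIMIT" '
        function add(r) { why = (why == "" ? r : why "," r) }
        { sub(/^[ \t]+/, "") }                     # tolerate indented output
        /^Type:/         { type = $0; sub(/^Type:[ \t]*/, "", type) }
        /^Version:/      { version = $2 }
        /^DER size:/     { der = $3; sub(/b$/, "", der) }   # strip the "b" unit
        /^Content sets:/ { sets = $3 }
        END {
            if (type == "") { print "ERROR no Type field in input"; exit }
            if (type ~ /^Entitlement/) {
                if (version ~ /^1\./) add("v1-encoding")
                if (sets + 0 > limit) add("content-sets>" limit)
            }
            printf "%s type=\"%s\" version=%s der_bytes=%s content_sets=%s reasons=%s\n",
                (why == "" ? "OK" : "WARN"), type, version, der,
                (sets == "" ? "-" : sets), (why == "" ? "-" : why)
        }'
}

# Sample input copied from the entitlement stat-cert example on this page.
page_sample() {
    cat <<'EOF'
Type: Entitlement Certificate
Version: 1.0
DER size: 47555b
Subject Key ID size: 553b
Content sets: 100
EOF
}

page_sample | check_stat_cert

# Real use: pass certificate paths as arguments to this script.
for cert in "$@"; do
    printf '%s: ' "$cert"
    rct stat-cert "$cert" | check_stat_cert
done
```
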
Each certificate contains a complete set of information with all of the
details for whatever element is being identified. That information can
be displayed, in pretty-print form, using the cat-cert command.

OPTIONS
/path/to/cert.pem
    Gives the full path and filename to the PEM certificate for the
    given subscription, product, or system. This is required.

--no-content
    Returns all of the certification information, order information,
    and product information, but excludes all of the Content sections,
    which significantly reduces the information printed to stdout. This
    is for an entitlement certificate only.

--no-products
    Returns all of the certification information, order information,
    and content (repository) information, but excludes all of the
    Product sections, which significantly reduces the information
    printed to stdout. This is for an entitlement certificate only.

OUTPUT
The command returns the most basic information about the certificate --
such as its directory path, its serial number and subject name, and its
validity period (start and end dates) -- in the Certificate section:

* Path -- the filesystem location where the certificate is installed

* Version -- the certificate format version

* Serial -- the serial number for the certificate

* Start/End Date -- the validity period for the certificate

* Alt Name -- the subject alternative name, which uses the hostname of
  the system rather than the UUID (for identity certificates only)

The Subject DN of the certificate is in the Subject section.

For example, for the identity certificate:
[root@server ~]# rct cat-cert /etc/pki/consumer/cert.pem

+-------------------------------------------+
Identity Certificate
+-------------------------------------------+

Certificate:
Path: /etc/pki/consumer/cert.pem
Version: 1.0
Serial: 824613308750035399
Start Date: 2012-11-09 16:20:22+00:00
End Date: 2013-11-09 16:20:22+00:00
Alt Name: server.example.com

Subject:
CN: e94bc90e-44a1-4f8c-b6fc-0a3e9d6fac2b

A product certificate contains additional information in a Product
section, which defines the information for the specific installed
product, such as its name, product version, and any yum tags used for
that product. For example:
[root@server ~]# rct cat-cert /etc/pki/product/69.pem

+-------------------------------------------+
Product Certificate
+-------------------------------------------+

Certificate:
Path: /etc/pki/product/69.pem
Version: 1.0
Serial: 12750047592154746449
Start Date: 2012-10-04 18:45:02+00:00
End Date: 2032-09-29 18:45:02+00:00

Subject:
CN: Red Hat Product ID [b4f7ac9e-b7ed-45fa-9dcc-323beb20e916]

Product:
ID: 69
Name: Red Hat Enterprise Linux Server
Version: 6.4
Arch: x86_64
Tags: rhel-6,rhel-6-server

The most information is contained in the entitlement certificate. Along
with the Certificate and Subject, it also has a Product section that
defines the product group that is covered by the subscription.

Then, it contains an Order section that details everything related to
the purchase of the subscription (such as the contract number, service
level, total quantity, quantities assigned to the system, and other
details on the subscription).

A subscription for a product covers the version purchased and every
previous version of the product. For example, when a subscription is
purchased for Red Hat Enterprise Linux 6.4, the subscription provides
full access to all RHEL 6 repositories, plus access to all RHEL 5
repositories and then other included product content repositories, like
Subscription Asset Manager. Every available content repository is
listed in a Content section that contains the repository name,
associated tags, its URL, and a notice on whether the yum repository is
enabled by default. For example:
[root@server ~]# rct cat-cert /etc/pki/entitlement/2027912482659389239.pem
+-------------------------------------------+
Entitlement Certificate
+-------------------------------------------+

Certificate:
Path: /etc/pki/entitlement/2027912482659389239.pem
Version: 1.0
Serial: 2027912482659389239
Start Date: 2011-12-31 05:00:00+00:00
End Date: 2012-12-31 04:59:59+00:00

Subject:
CN: 8a99f9843adc8b8f013ae5f9de022b73

Product:
ID: 69
Name: Red Hat Enterprise Linux Server
Version:
Arch: x86_64,ia64,x86
Tags:

Order:
Name: Red Hat Enterprise Linux Server, Premium (8 sockets) (Up to 4 guests)
Number: 2673502
SKU: RH0103708
Contract: 10011052
Account: 5206751
Service Level: Premium
Service Type: L1-L3
Quantity: 100
Quantity Used: 1
Socket Limit: 8
Virt Limit:
Virt Only: False
Subscription:
Stacking ID:
Warning Period: 0
Provides Management: 0

Content:
Type: yum
Name: Red Hat Enterprise Linux 6 Server (RPMs)
Label: rhel-6-server-rpms
Vendor: Red Hat
URL: /content/dist/rhel/server/6/$releasever/$basearch/os
GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Enabled: True
Expires: 86400
Required Tags: rhel-6-server

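The Content sections shown above can be audited from a script. This added example (not part of rct or of the original page) lists each repository in cat-cert output and flags any that is enabled by default with an empty GPG field. The function name and output format are assumptions, as is the way an absent key is printed (an empty "GPG:" line); the second Content block in the sample is constructed.

```shell
#!/bin/sh
# Added example (not part of rct): list the Content sections printed by
# `rct cat-cert` and flag repositories enabled by default with an empty GPG field.
audit_content() {
    awk '
        function emit() {
            if (label == "") return
            printf "%s label=%s enabled=%s url=%s\n",
                (enabled == "True" && gpg == "" ? "NO-GPG" : "ok"), label, enabled, url
            label = enabled = gpg = url = ""
        }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }    # output may be indented
        /^Content:$/ { emit(); in_c = 1; next }
        # Other section names seen on this page end a Content block.
        /^(Certificate|Subject|Product|Order):$/ { emit(); in_c = 0; next }
        in_c && /^Label:/   { label = $2 }
        in_c && /^URL:/     { url = $2 }
        in_c && /^GPG:/     { gpg = $2 }     # empty when no key is listed (assumed)
        in_c && /^Enabled:/ { enabled = $2 }
        END { emit() }'
}

# First Content block is from this page; the second is constructed for the demo.
sample_cat_cert() {
    cat <<'EOF'
Product:
ID: 69
Tags:

Content:
Type: yum
Label: rhel-6-server-rpms
URL: /content/dist/rhel/server/6/$releasever/$basearch/os
GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Enabled: True

Content:
Type: yum
Label: example-unsigned-rpms
URL: /content/example/unsigned
GPG:
Enabled: True
EOF
}

sample_cat_cert | audit_content
# Real use: rct cat-cert --no-products /path/to/cert.pem | audit_content
```
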
A subscription management service is allocated a specific block of
subscriptions that are available to an account. This list of
subscriptions is the manifest for the service. The cat-manifest command
reads and prints the details of the manifest, such as the creation
date, the system UUID and name, available products, and subscription
details.

There are multiple JSON files in the archive, identifying different
aspects of the subscription service and subscription configuration,
such as the general manifest properties, subscription information,
content and repository information, and product information.

OPTIONS
--no-content
    Excludes all of the Content Sets sections, which significantly
    reduces the information printed to stdout.

/path/to/consumer_export.zip
    Gives the path and filename (by default, consumer_export.zip) for
    the manifest file on the local system. This is required.

EXAMPLES
The command pretty-prints all of the details about the manifest itself
and the allocated subscriptions, products, and content.
[root@server ~]# rct cat-manifest /tmp/consumer_export.zip
+-------------------------------------------+
Manifest
+-------------------------------------------+
General:
Server: candlepin
Server Version: 1.3
Date Created: 13 April 2013
Creator: admin

Consumer:
Name: server.example.com
UUID:
Content Access Mode: entitlement
Type: system

Subscriptions:
Name: Red Hat Enterprise Linux
Quantity: 249237
Created: 12/01/2011
Start Date: 01/01/2012
End Date: 01/01/2022
Service Level: Premium
Service Type: Physical
Architectures: x86,x86_64
SKU: SYS0395
Contract: 12345678
Order: 09876543
Account: abcd1234
Entitlement File: /etc/pki/entitlement/2027912482659389239.pem
Certificate File: /etc/pki/product/69.pem
Certificate Version: 3

A subscription management service is allocated a specific block of
subscriptions that are available to an account. This list of
subscriptions is the manifest for the service. The cat-manifest command
prints the contents of the manifest.

OPTIONS
/path/to/consumer_export.zip
    Gives the path and filename (by default, consumer_export.zip) for
    the manifest file on the local system. This is required.

--destination=PATH
    Specifies an export directory to which to extract and save the
    contents of the manifest archive. If no destination is given, then
    the archive is extracted to the local directory.

--force, -f
    Overwrites any existing archive files. If a manifest archive
    already exists in the specified location (for example, if the
    manifest has already been dumped once), then attempting to dump the
    manifest to the same location will fail. Using the --force option
    forces the dump operation to complete and overwrites the previous
    file.

EXAMPLES
This command simply extracts the manifest files to a given location
(the working directory by default). The manifest itself contains
multiple JSON files, with separate JSON files providing details on the
manifest itself, each individual product, each individual subscription,
and details for the specific, on-premise subscription management
service.

For example:
[root@server ~]# rct dump-manifest --destination /export/archives/sam/manifest /tmp/consumer_export.zip
The manifest has been dumped to the /export/archives/sam/manifest directory.

* Product certificates: /etc/pki/product/*.pem

* Subscription certificates: /etc/pki/entitlement/<serial#>.pem

* System identity certificates: /etc/pki/consumer/cert.pem

* The manifest: consumer_export.zip

This tool is part of Red Hat Subscription Manager. To file bugs against
this command-line tool, go to <https://bugzilla.redhat.com>, and select
Red Hat > Red Hat Enterprise Linux > subscription-manager.

Deon Lackey <dlackey@redhat.com>, Michael Stead <mstead@redhat.com>,
and James Bowes <jbowes@redhat.com>. The rct tool was written by James
Bowes.

Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General
Public License, version 2 (GPLv2). A copy of this license is available
at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.