rct man page

rct — Displays information (headers) about or size and statistics of a entitlement, product, or identity certificate used by Red Hat Subscription Manager.

Synopsis

rct cat-cert [--no-content] [--no-products] /path/to/certificate.pem rct stat-cert /path/to/certificate.pem rct cat-manifest [--no-content] /path/to/consumer_export.zip rct dump-manifest [--destination /path] [--force] /path/to/consumer_export.zip

Description

Red Hat Subscription Manager uses X.509 certificates to identify a registered system (identity certificate), the products installed on that system (product certificates), and the subscriptions attached to the system (entitlement certificates), including available content repositories, products, and support levels. All of the information that Subscription Manager requires is contained in the body of the certificate.

Commands

stat-cert
Prints the size of the certificate and other details about the certificate. The precise details depend on the type of certificate being checked.
cat-cert
Prints the information that is contained in the certificate itself, such as the certificate headers, serial numbers, products, and content sets. Two options, --no-content and --no-products, can be used to shorten the output to include only header and descriptive information.
cat-manifest
Prints the information that is contained in the subscription service manifest. The manifest is an archive of JSON files which contain all of the subscription information for subscriptions allocated to the on-premise service. The --no-content option can be used to reduce the detail shown in the output.
dump-manifest
Extracts the contents of the manifest archive.

The Stat-Cert Command

The rct tool is used to gather information about the already-issued certificates being used by Subscription Manager. The main reason for that is that certificate sizes, for a number of reasons, impact content delivery service performance.

For large accounts and organizations, there can be a very large number of products and content sets available. Older versions of entitlement certificates (version 1.0) used different (less efficient) DER encoding, so that large amounts of information results in very large certificates. (This is what caused timeouts or crashes when dealing with some content services.) Newer entitlement certificate versions (version 3.0) use more efficient encoding on large content sets, , resulting in smaller certificate content sizes and better service performance.

If there are problems with the content service timing out or returning errors, then the rct stat-cert command can be used to check the size and version of a given entitlement certificate quickly.

A large number of content sets is anything over 185 total sets. Both the total number of content sets and the size of the DER encoding in the certificate could affect performance.

Options

/path/to/cert.pem
Gives the full path and filename to the PEM certificate for the given subscription, product, or system. This is required.

Examples

The statistics for an entitlement certificate show both the DER size and the number of content sets, among other information:

* Type (entitlement certificate)

* Version (of the certificate style); newer versions will be 3.x, with better performance for handling large content sets

* DER size, which gives the size of the certificate contents (not the size of the certificate file itself)

* Key size, for the associated key file, in bytes

* The total number of available content sets in the subscription

For example:

[root@server ~]# rct stat-cert /etc/pki/entitlement/2027912482659389239.pem
Type: Entitlement Certificate
Version: 1.0
DER size: 47555b
Subject Key ID size: 553b
Content sets: 100

While the size of the certificate is less of an issue for identity and product certificates (which are quite small), the stat-cert command can still be used to view the size and statistics of the certificates.

For a product certificate, the stat-cert command shows:

* Type (product certificate)

* Version (of the certificate style)

* DER size, which gives the size of the certificate contents (not the size of the certificate file itself)

For example:

[root@server ~]# rct stat-cert /etc/pki/product/69.pem
Type: Product Certificate
Version: 1.0
DER size: 1558b

For an identity certificate:

* Type (identity certificate)

* Version (of the certificate style)

* DER size, which gives the size of the certificate contents (not the size of the certificate file itself)

* Key size, for the associated key file, in bytes

For example:

[root@server ~]# rct stat-cert /etc/pki/consumer/cert.pem
Type: Identity Certificate
Version: 1.0
DER size: 1488b
Subject Key ID size: 20b

The Cat-Cert Command

Each certificate contains a complete set of information with all of the details for whatever element is being identified. That information can be displayed, in pretty-print form, using the cat-cert command.

Options

/path/to/cert.pem
Gives the full path and filename to the PEM certificate for the given subscription, product, or system. This is required.
--no-content
Returns all of the certification information, order information, and product information, but excludes all of the Content sections, which significantly reduced the information printed to stdout. This is for an entitlement certificate only.
--no-products
Returns all of the certification information, order information, and content (repository) information, but excludes all of the Product sections, which significantly reduced the information printed to stdout. This is for an entitlement certificate only.
/path/to/cert.pem
Gives the full path and filename to the PEM certificate for the given subscription, product, or system.

Output

The command returns the most basic information about the certificate -- such as its directory path, its serial number and subject name, and its validity period (start and end dates) -- in the Certificate section:

* Path -- the filesystem location where the certificate is installed

* Version -- the certificate format version -- P * Serial -- the serial number for the certificate

* Start/End Date -- the validity period for the certificate

* Alt Name -- the subject alternative name, which uses the hostname of the system rather than the UUID (for identity certificates only)

The Subject DN of the certificate is in the Subject section.

For example, for the identity certificate:

[root@server ~]# rct cat-cert /etc/pki/consumer/cert.pem

+-------------------------------------------+
        Identity Certificate
+-------------------------------------------+

Certificate:
        Path: /etc/pki/consumer/cert.pem
        Version: 1.0
        Serial: 824613308750035399
        Start Date: 2012-11-09 16:20:22+00:00
        End Date: 2013-11-09 16:20:22+00:00
        Alt Name: server.example.com

Subject:
        CN: e94bc90e-44a1-4f8c-b6fc-0a3e9d6fac2b

A product certificate contains additional information in a Product section, which defines the information for the specific installed product, such as its name, product version, and any yum tags used for that product. For example:

[root@server ~]# rct cat-cert /etc/pki/product/69.pem

+-------------------------------------------+
        Product Certificate
+-------------------------------------------+

Certificate:
        Path: /etc/pki/product/69.pem
        Version: 1.0
        Serial: 12750047592154746449
        Start Date: 2012-10-04 18:45:02+00:00
        End Date: 2032-09-29 18:45:02+00:00

Subject:
        CN: Red Hat Product ID [b4f7ac9e-b7ed-45fa-9dcc-323beb20e916]

Product:
        ID: 69
        Name: Red Hat Enterprise Linux Server
        Version: 6.4
        Arch: x86_64
        Tags: rhel-6,rhel-6-server

The most information is contained in the entitlement certificate. Along with the Certificate and Subject, it also has a Product section that defines the product group that is covered by the subscription.

Then, it contains an Order section that details everything related to the purchase of the subscription (such as the contract number, service level, total quantity, quantities assigned to the system, and other details on the subscription).

A subscription for a product covers the version purchased and every previous version of the product. For example, when a subscription is purchased for Red Hat Enterprise Linux 6.4, the subscription provides full access to all RHEL 6 repositories, plus access to all RHEL 5 repositories and then other included product content repositories, like Subscription Asset Manager. Every available content repository is listed in a Content section that contains the repository name, associated tags, its URL, and a notice on whether the yum repository is enabled by default. For example:

[root@server ~]# rct cat-cert /etc/pki/entitlement/2027912482659389239.pem
+-------------------------------------------+
        Entitlement Certificate
+-------------------------------------------+

Certificate:
        Path: /etc/pki/entitlement/2027912482659389239.pem
        Version: 1.0
        Serial: 2027912482659389239
        Start Date: 2011-12-31 05:00:00+00:00
        End Date: 2012-12-31 04:59:59+00:00

Subject:
        CN: 8a99f9843adc8b8f013ae5f9de022b73

Product:
        ID: 69
        Name: Red Hat Enterprise Linux Server
        Version:
        Arch: x86_64,ia64,x86
        Tags:

Order:
        Name: Red Hat Enterprise Linux Server, Premium (8 sockets) (Up to 4 guests)
        Number: 2673502
        SKU: RH0103708
        Contract: 10011052
        Account: 5206751
        Service Level: Premium
        Service Type: L1-L3
        Quantity: 100
        Quantity Used: 1
        Socket Limit: 8
        Virt Limit:
        Virt Only: False
        Subscription:
        Stacking ID:
        Warning Period: 0
        Provides Management: 0

Content:
        Type: yum
        Name: Red Hat Enterprise Linux 6 Server (RPMs)
        Label: rhel-6-server-rpms
        Vendor: Red Hat
        URL: /content/dist/rhel/server/6/$releasever/$basearch/os
        GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
        Enabled: True
        Expires: 86400
        Required Tags: rhel-6-server

The Cat-Manifest Command

A subscription management service is allocated a specific bloc of subscriptions that are available to an account. This list of subscriptions is the manifest for the service. The cat-manifest command reads and prints the details of the manifest, such as the creation date, the system UUID and name, available products, and subscription details.

There are multiple JSON files in the archive, identifying different aspects of the subscription service and subscription configuration, such as the general manifest properties, subscription information, content and repository information, and product information.

Options

--no-content
Excludes all of the Content Sets sections, which significantly reduces the information printed to stdout.
/path/to/consumer_export.zip
Gives the path and filename (by default, consumer_export.zip) for the manifest file on the local system. This is required.

Examples

The command pretty-prints all of the details about the manifest itself and the allocated subscriptions, products, and content.

[root@server ~]# rct cat-manifest /tmp/consumer_export.zip
+-------------------------------------------+
                Manifest
+-------------------------------------------+
General:
    Server: candlepin
    Server Version: 1.3
    Date Created: 13 April 2013
    Creator: admin

Consumer:
    Name: server.example.com
    UUID:
    Type: system

Subscriptions:
    Name:                Red Hat Enterprise Linux
    Quantity:            249237
    Created:             12/01/2011
    Start Date:          01/01/2012
    End Date:            01/01/2022
    Service Level:       Premium
    Service Type:        Physical
    Architectures:       x86,x86_64
    SKU:                 SYS0395
    Contract:            12345678
    Order:               09876543
    Account:             abcd1234
    Entitlement File:    /etc/pki/entitlement/2027912482659389239.pem
    Certificate File:    /etc/pki/product/69.pem
    Certificate Version: 3

The Dump-Manifest Command

A subscription management service is allocated a specific bloc of subscriptions that are available to an account. This list of subscriptions is the manifest for the service. The cat-manifest command prints the contents of the manifest.

Options

/path/to/consumer_export.zip
Gives the path and filename (by default, consumer_export.zip) for the manifest file on the local system. This is required.
--destination=PATH
Specifies an export directory to which to extract and save the contents of the manifest archive. If no destination is given, then the archive is extracted to the local directory.
--force, -f
Overwrites any existing archive files. If a manifest archive already exists in the specified location (for example, if the manifest has already been dumped once), then attempting to dump the manifest to the same location will fail. Using the --force option forces the dump operation to complete and overwrites the previous file.

Examples

This command simply extracts the manifest files to a given location (the working directory by default). The manifest itself contains multiple JSON files, with separate JSON files providing details on the manifest itself, each individual product, each individual subscription, and details for the specific, on-premise subscription management service.

For example:

[root@server ~]# rct dump-manifest --destination /export/archives/sam/manifest /tmp/consumer_export.zip
The manifest has been dumped to the /export/archives/sam/manifest directory.

Files

* Product certificates: /etc/pki/product/*.pem

* Subscription certificates: etc/pki/entitlement/<serial#>.pem

* System identity certificates: /etc/pki/consumer/cert.pem

* The manifest: consumer_export.zip

Bugs

This tool is part of Red Hat Subscription Manager. To file bugs against this command-line tool, go to <https://bugzilla.redhat.com>, and select Red Hat > Red Hat Enterprise Linux > subscription-manager.

Authors

Deon Lackey <dlackey@redhat.com>, Michael Stead <mstead@redhat.com>, and James Bowes <jbowes@redhat.com>. The rct tool was written by James Bowes.

Info

RHSM Certificate Tool