How do I correctly generate a certificate for Subscription Manager

The Subscription Manager installation requires a certificate, and if you don’t have an existing certificate available you can generate one yourself (useful for development environments), but you need to be sure to generate it correctly.

You can use OpenSSL (as explained by the installation documentation), but this process does require some additional explanation.

1. Generate a key that is at least 2048-bit long

If using OpenSSL, ensure the following command passes a key length of at least 2048, since Subscription Manager requires a 2048-bit key minimum:

openssl genrsa -out privatekey.pem 2048

2. Choosing the right Common Name (CN)

For use as a signing/encryption certificate, the Common Name (CN) of the certificate can be any name you choose. It does not need to match the DNS name of the hosting machine (as an SSL certificate does).

3. Enter the correct CN when exporting the x509 certificate to a .pfx file

When generating the .pfx file using the command:

openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer

Make sure you enter a Common Name (CN) when prompted. You will select this CN again when installing Subscription Manager.