Task #6830


Update yum/dnf documentation on how .repo files can be configured to present a client cert and key

Added by bmbouter about 3 years ago. Updated over 1 year ago.


Ticket moved to GitHub: "pulp/pulp-certguard/142":

The cert and key from clients now occur during TLS submission. That means these docs are out of date.

We should update the docs to show how a yum/dnf client can be configured to submit the cert and key via TLS.

#1

Updated by bmbouter about 3 years ago

  • Tracker changed from Issue to Task
  • Project changed from Pulp to CertGuard
  • % Done set to 0
#2

Updated by OnceUponALoop almost 3 years ago

Hey all - I just watched the "Pulp certguard Tour - 2020.05.20" YouTube video; thank you for putting that together, it was useful.

I especially appreciate the dev overview of the code structure at the end. It makes it easier to jump in by saving all the "what the hell is going on here" upfront cost.

Regarding the yum configuration - I'm familiar enough with the topic that I thought I could respond to the video's request for yum x509-auth configuration details.

Yum x509

Yum can either have the x509 cert info in its main configuration or in each repo configuration.

Assuming we've already configured Pulp and have placed the required certificates in /etc/pki/entitlements/ (this is the default RHSM path; I'm not sure if there's a more standards-compliant path).

  • Global

    Define the x509 info in /etc/yum.conf and it will apply to all repos.


     # x509 Auth Info
     sslclientcert   = /etc/pki/entitlement/<user-cert>.pem
     sslclientkey    = /etc/pki/entitlement/<user-key>.pem
     sslcacert       = /etc/pki/entitlement/<ca-cert>.pem

    To exclude a certain repo from the x509 configuration, update the repo configuration as follows:

     name            = Unprotected Repo - Global x509 is configured
     baseurl         =
     sslverify       = 1
     enabled         = 1
     gpgcheck        = 1
     gpgkey          = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PULP-REPO-CLEAR
     # Auth Not Needed
     sslclientcert = _none_
     sslclientkey  = _none_
     sslcacert     = _none_
  • Per Repo

    Define the x509 info for each repo that supports certguard (if repos have different certguards) in /etc/yum.repos.d/<repo-name>.repo

    This is probably the most straightforward implementation, and should be recommended as it avoids all the corner cases as well.

     name            = Cert Guard Protected Repo
     baseurl         =
     sslverify       = 1
     enabled         = 1
     gpgcheck        = 1
     gpgkey          = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-MYREPO
     # x509 Auth
     sslclientcert   = /etc/pki/entitlement/<user-cert>.pem
     sslclientkey    = /etc/pki/entitlement/<user-key>.pem
     sslcacert       = /etc/pki/entitlement/<ca-cert>.pem
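As an added example (not part of this ticket or of pulp-certguard), a small Python check that resolves the global-vs-per-repo semantics described in the comment above (a repo value overrides [main], and `_none_` clears an inherited value) and flags two mistakes a defender would want caught: a cert configured without its key, and `sslverify = 0` on a repo that sends a client key. Paths and hostnames are constructed placeholders; `audit` and `effective_ssl` are hypothetical helper names.

```python
import configparser
SSL_KEYS = ("sslclientcert", "sslclientkey", "sslcacert")
# Constructed stand-ins for /etc/yum.conf and one .repo file (placeholder paths/hosts, not real files).
YUM_CONF = """
[main]
sslclientcert = /etc/pki/entitlement/user-cert.pem
sslclientkey  = /etc/pki/entitlement/user-key.pem
sslcacert     = /etc/pki/entitlement/ca-cert.pem
"""
REPO_FILE = """
[clear]
baseurl = https://pulp.example.invalid/clear
sslverify = 1
sslclientcert = _none_
sslclientkey = _none_
sslcacert = _none_
[guarded]
baseurl = https://pulp.example.invalid/guarded
sslverify = 0
[half]
baseurl = https://pulp.example.invalid/half
sslclientkey = _none_
"""

def effective_ssl(main, repo):
    """Per-repo value overrides [main]; the literal '_none_' clears an inherited one."""
    out = {}
    for key in SSL_KEYS:
        value = repo.get(key, main.get(key, "")).strip()
        out[key] = "" if value == "_none_" else value
    return out

def audit(yum_conf, repo_text):
    """Return {repo_id: [problems]} judged on the effective (inherited) ssl* options."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in (yum_conf, repo_text):
        cp.read_string(text)
    main = cp["main"]
    findings = {}
    for name in (s for s in cp.sections() if s != "main"):
        repo = cp[name]
        ssl = effective_ssl(main, repo)
        problems = []
        has_cert, has_key = bool(ssl["sslclientcert"]), bool(ssl["sslclientkey"])
        if has_cert != has_key:
            problems.append("client cert and key must be configured together")
        if has_key and repo.get("sslverify", "1").strip().lower() in ("0", "false", "no"):
            problems.append("sslverify=0 sends the client key without verifying the server")
        findings[name] = problems
    return findings
```

Running `audit(YUM_CONF, REPO_FILE)` reports nothing for `clear`, the `sslverify` downgrade for `guarded`, and the cert/key mismatch for `half`.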
#3

Updated by bmbouter almost 3 years ago

  • Priority changed from Normal to High
#4

Updated by pulpbot over 1 year ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE
