 

How does Red Hat's subscription-manager work?

Tags:

redhat

The Red Hat subscription-manager is a tool to register, attach and remove subscriptions from the command line. If I understand correctly, this tool connects to the customer portal to retrieve certificates. These certificates are then used, among other things, to download yum packages from the Red Hat repo.

Sources:

  • https://linux.die.net/man/8/subscription-manager
  • https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html-single/rhsm/index

There are several things that I don't understand:

  1. Why can't a user copy a certificate from one Red Hat machine to another and use it there? I assume the certificate includes machine-specific values (according to the docs, they are called "facts"), but then...
  2. How are the certificates loaded and checked by the other processes? For instance, I guess that yum must be using these certificates. But then the yum CLI tool must have been patched, right? Is the source code of these changes available?
  3. Is the source code of the subscription-manager tool available? That would clarify many things.
Régis B. asked Oct 22 '25 01:10


1 Answer

1. Let's say you copied the certificate, but you will still need to register the server from which you copied the certificates. Each time you register the server, a separate secret key will be created for the machine. You cannot register your server with the subscription-manager by copying the certificate, since there cannot be the same secret keys for individual machines. After registering, you can access the generated keys in the /etc/pki/entitlement directory.
You can examine the information about these certificates with the help of rct or openssl. Samples are available from https://access.redhat.com/solutions/189533

To better understand the difference, you can register two different machines with the same user and compare the certificates.

2. About the work of the yum command,
You can see the directory of the certificates used by this command by opening any file in /etc/yum.repos.d/. When you look at one of these files, you will see a line like the one below.

    sslclientkey=/etc/pki/entitlement/1234567890123456789-key.pem

This file shows the private key of your machine.

3. You can find information about its content at
https://github.com/candlepin/subscription-manager/tree/master/src/subscription_manager/scripts

Edit:

Not only certificates are used while being registered in the system. There are also the NTP server (replay attack prevention), the Kerberos KDC (includes timestamp etc.), user authentication, etc. If you check the certificate information using openssl or other options, you can get this information. You are expecting the new machine to be subscribed when you just copy the necessary files from the subscribed machine to the new machine, right? Simply, it will not, because of the KDC which IdM uses. You should check this Red Hat IdM Guide for a better understanding.

shnoq answered Oct 24 '25 01:10
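
The lookup the answer describes for /etc/yum.repos.d/, as an added example that is not part of the original answer or of subscription-manager: it lists which repos reference an entitlement key and certificate, and reports whether a key file is readable by anyone other than its owner. The sample repo file, repo ids and URLs are constructed; `sslclientcert` is the yum option that pairs with the `sslclientkey` line quoted above.

```python
import configparser
import os
import stat

# Constructed sample in the style of a file under /etc/yum.repos.d/; repo ids and
# URLs are made up, the serial is the placeholder used in the answer above.
SAMPLE_REPO = """\
[example-baseos-rpms]
name = Example BaseOS (constructed)
baseurl = https://cdn.example.invalid/content/baseos/os
enabled = 1
sslverify = 1
sslclientkey = /etc/pki/entitlement/1234567890123456789-key.pem
sslclientcert = /etc/pki/entitlement/1234567890123456789.pem

[example-local]
name = Local mirror without client certificate (constructed)
baseurl = http://mirror.example.invalid/os
enabled = 1
"""


def entitlement_refs(repo_text):
    """Return {repo_id: {"key": path, "cert": path}} for repos using a TLS client cert."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    refs = {}
    for repo_id in parser.sections():
        key = parser.get(repo_id, "sslclientkey", fallback=None)
        cert = parser.get(repo_id, "sslclientcert", fallback=None)
        if key or cert:
            refs[repo_id] = {"key": key, "cert": cert}
    return refs


def key_findings(key_path):
    """Report a private key file that is missing or readable by group/other."""
    try:
        mode = os.stat(key_path).st_mode
    except FileNotFoundError:
        return ["missing"]
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ["readable by group/other (mode %o)" % stat.S_IMODE(mode)]
    return []


if __name__ == "__main__":
    for repo_id, ref in entitlement_refs(SAMPLE_REPO).items():
        findings = key_findings(ref["key"]) if ref["key"] else ["no client key set"]
        print(repo_id, ref["cert"], ref["key"], findings)
```

On a registered system, pass the text of each file in /etc/yum.repos.d/ to `entitlement_refs` instead of the sample.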


