Creating the RHSM entitlement certificates

You must create and download certificates through the Red Hat Subscription Management system. From the Red Hat portal, you must register a system then attach your subscriptions (entitlements) to that system.

About this task

This section describes the steps you need to create RHSM certificates through the Red Hat Subscription Management system. This entails registering a system then attaching your subscriptions (entitlements) to that system.

You must have at least one set of certificates that you need to download. You only need to register at least one system and attach the subscriptions (entitlements) to cover your machines.

Note: The System Identity Certificate is no longer required from v1.0.2.0 of the RHSM Download Plug-in and RHSM download Cacher.
Note: Red Hat requires Oracle Java users to enable a new content set to access the Oracle Java SE software. To deploy Oracle Java patches, create separate certificates for Oracle Java (Restricted Maintenance) with the Oracle Java Add-On (Physical or Virtual Nodes) subscription. The steps for creating the certificate and attaching them to a subscription are detailed in this section. For more information about Red Hat requirement to enable the new content set, see the Red Hat Knowledge base site.


  1. Log in to the Red Hat Customer Portal at
  2. Go to the Subscription Overview page at Click Systems.
  3. Click New to create a new system.
  4. Fill in the form with the following information then click Create.
    • System type: Virtual system type
    • Name
    • Architecture: x84_64

      If you are using System z, select s390x.

    • Number of Sockets or LPARS - this field displays when you select Physical system type
    • Number of vCPUs - this field displays when you select Virtual system type
    • Red Hat Enterprise Linux version: 7.2

    Selecting Red Hat Enterprise Linux version 7.2 will create entitlement certificates that also work with RHEL 6. The RHSM download plug-in does not support RHEL 5.

    Note: This should not affect the entitlement but only the cert format.

  5. When the page has refreshed, click the Subscriptions tab and click Attach Subscriptions.

    Note: You only need to do this step once for your BESServers as you can attach multiple subscriptions for the system that you are registering, to cover access to RHEL 6 and RHEL 7 packages.
  6. Select the subscriptions that will be attached to the system that you created and click Attach Subscriptions.

  7. The page displays the subscriptions attached to the system. Click Download Certificates.

  8. Unzip the downloaded certificate. Red hat now uses a single certificate instead of the earlier RHSM version which required having both an entitlement certificate and an identity certificate.

    Note: Ensure that your Red Hat subscriptions are active to avoid errors.
  9. Go to <BES Server>\DownloadPlugins\RHSMProtocol\certs and create a folder. Place the zipped certificates in the newly-created folder. Ensure that your Red Hat subscriptions are active to avoid errors.
    Note: In the plugin.ini, the "rootCertDir" value should be "certs", which is the default value. This is the relative path from the RHSMDownloadPlugin.exe to the rootCertDir called "certs".

    You can run verify access to the repos when you run RHSMPlugin.exe --check-baserepos. For more information, see the Verifying RHSM download plug-in certificate access to Red Hat repositories section.