Complete Red Hat Subscription Management Guide: Register, Configure Repos, and Apply Security Updates

Red Hat Enterprise Linux (RHEL) subscription management is essential for accessing software repositories, updates, and support. This comprehensive guide covers the complete lifecycle: registering systems, attaching subscriptions, managing repositories, applying updates including specific RHSA/CVE patches, downloading packages, and unregistering systems. Whether you’re setting up new servers or managing existing infrastructure, mastering subscription-manager and repository configuration ensures secure, up-to-date enterprise Linux environments.

📑 Table of Contents

Understanding Red Hat Subscription Management
Registering Systems with Red Hat
Register with Username and Password
Register with Activation Key (Recommended for Automation)
Register to Red Hat Satellite
Verify Registration
Managing Subscriptions
List Available Subscriptions
Attach Subscriptions
View Consumed Subscriptions
Remove Subscriptions
Managing Repositories
List Repositories
Enable Repositories
Common RHEL 8/9 Repository IDs
Disable Repositories
Applying Updates for Specific RHSA and CVE
Understanding RHSA (Red Hat Security Advisory)
List Available Security Updates
Apply Specific RHSA Update
Apply Updates for Specific CVE
Apply All Security Updates
Get Information About Specific Advisory
Configuring Repository for Security Updates Only
Create Custom Repo Configuration
Configure Yum to Filter Updates
Downloading RPM Packages
Download Specific Package
Download All Packages from Repository (Mirror Creation)
Download Only Security Updates
Refreshing Subscription Data
Unregistering Systems
Standard Unregister
Clean Subscription Data
Unregister from Satellite
Remove Legacy RHN Registration (RHEL 5/6)
Clean Yum Cache After Unregistering
Troubleshooting Common Issues
Issue: “This system is not registered”
Issue: “No subscriptions are available”
Issue: Repositories not enabled after attaching subscription
Issue: Certificate errors
Best Practices
Registration Best Practices
Subscription Management
Security Update Strategy
Frequently Asked Questions
Do I need to unregister a system before decommissioning it?
What’s the difference between activation keys and username/password registration?
How do I apply only security updates without other package updates?
Can I download packages for a different RHEL version than I’m running?
How do I find which RHSA addresses a specific CVE?
What happens to my repositories when I unregister?
How do I register a system if I don’t know my organization ID?
Can I use the same activation key for RHEL 7, 8, and 9?
How do I apply updates from a specific date range?
What’s the difference between subscription-manager refresh and yum makecache?
Conclusion

Understanding Red Hat Subscription Management

Red Hat uses subscription-based access to software repositories, updates, and support. Systems must be registered to receive updates through:

Red Hat Subscription Management (RHSM): Modern method using subscription-manager (RHEL 6+)
Red Hat Satellite: On-premise subscription and content management
Red Hat Customer Portal: Web-based subscription administration

Registering Systems with Red Hat

Register with Username and Password

# Register system with Red Hat account
subscription-manager register --username=your-username

# You'll be prompted for password
# System receives UUID and appears in Customer Portal

Register with Activation Key (Recommended for Automation)

# Register using activation key and organization ID
subscription-manager register \
  --org=YOUR_ORG_ID \
  --activationkey=YOUR_ACTIVATION_KEY

# Example:
subscription-manager register \
  --org=1234567 \
  --activationkey=rhel8-prod-servers

Register to Red Hat Satellite

# Register to Satellite server instead of Red Hat CDN
subscription-manager register \
  --org=YOUR_ORG \
  --activationkey=YOUR_KEY \
  --serverurl=https://satellite.example.com

# Or with username/password:
subscription-manager register \
  --serverurl=https://satellite.example.com \
  --username=admin

Verify Registration

# Check registration status
subscription-manager status

# View system identity
subscription-manager identity

# Example output:
# system identity: 12345678-90ab-cdef-1234-567890abcdef
# name: server01.example.com
# org name: Example Corp
# org ID: 1234567

Managing Subscriptions

List Available Subscriptions

# View all available subscriptions for your account
subscription-manager list --available

# View available subscriptions with details
subscription-manager list --available --all

# Filter by match (e.g., RHEL server subscriptions)
subscription-manager list --available --matches="*Server*"

Attach Subscriptions

Auto-attach (Recommended for Simple Cases)

# Automatically attach best-matched subscription
subscription-manager attach --auto

# System analyzes installed products and attaches appropriate subscription

Attach Specific Pool

# List available pools with IDs
subscription-manager list --available

# Attach specific pool by ID
subscription-manager attach --pool=POOL_ID

# Example:
subscription-manager attach --pool=8a85f99c7db4827d017dc512fcad1234

# Attach multiple pools
subscription-manager attach \
  --pool=POOL_ID_1 \
  --pool=POOL_ID_2

View Consumed Subscriptions

# Show currently attached subscriptions
subscription-manager list --consumed

# View subscription details
subscription-manager list --consumed --all

Remove Subscriptions

# Remove specific subscription by serial number
subscription-manager remove --serial=SERIAL_NUMBER

# Remove all subscriptions
subscription-manager remove --all

Managing Repositories

List Repositories

# List all enabled repositories
subscription-manager repos --list-enabled

# List all available repositories
subscription-manager repos --list

# List disabled repositories
subscription-manager repos --list-disabled

Enable Repositories

# Enable specific repository
subscription-manager repos --enable=REPO_ID

# Example: Enable RHEL 8 BaseOS and AppStream
subscription-manager repos \
  --enable=rhel-8-for-x86_64-baseos-rpms \
  --enable=rhel-8-for-x86_64-appstream-rpms

# Enable multiple repositories at once
subscription-manager repos \
  --enable=rhel-8-for-x86_64-baseos-rpms \
  --enable=rhel-8-for-x86_64-appstream-rpms \
  --enable=rhel-8-for-x86_64-supplementary-rpms

Common RHEL 8/9 Repository IDs

# RHEL 8
rhel-8-for-x86_64-baseos-rpms
rhel-8-for-x86_64-appstream-rpms
rhel-8-for-x86_64-supplementary-rpms
codeready-builder-for-rhel-8-x86_64-rpms

# RHEL 9
rhel-9-for-x86_64-baseos-rpms
rhel-9-for-x86_64-appstream-rpms
rhel-9-for-x86_64-supplementary-rpms
codeready-builder-for-rhel-9-x86_64-rpms

Disable Repositories

# Disable specific repository
subscription-manager repos --disable=REPO_ID

# Disable all repositories
subscription-manager repos --disable="*"

# Then enable only what you need
subscription-manager repos \
  --disable="*" \
  --enable=rhel-8-for-x86_64-baseos-rpms \
  --enable=rhel-8-for-x86_64-appstream-rpms

Applying Updates for Specific RHSA and CVE

Understanding RHSA (Red Hat Security Advisory)

RHSA provides security updates for vulnerabilities. Each advisory has a unique ID like RHSA-2024:1234.

List Available Security Updates

# Install yum-plugin-security (RHEL 7)
yum install yum-plugin-security

# List all security updates
yum updateinfo list security

# List critical security updates
yum updateinfo list sec-severity:Critical

# List updates for specific CVE
yum updateinfo list cve CVE-2024-1234

Apply Specific RHSA Update

# Apply specific RHSA
yum update --advisory=RHSA-2024:1234

# Example: Apply RHSA-2024:0500
yum update --advisory=RHSA-2024:0500 -y

# For RHEL 8/9 (dnf):
dnf update --advisory=RHSA-2024:1234

Apply Updates for Specific CVE

# Update packages affected by specific CVE
yum update --cve=CVE-2024-1234

# Example: Fix Heartbleed
yum update --cve=CVE-2014-0160

# For RHEL 8/9:
dnf update --cve=CVE-2024-1234

Apply All Security Updates

# Apply all available security updates
yum update --security

# Apply only critical security updates
yum update --sec-severity=Critical

# For RHEL 8/9:
dnf update --security

Get Information About Specific Advisory

# View details of RHSA
yum updateinfo info RHSA-2024:1234

# Example output shows:
# - Affected packages
# - CVEs addressed
# - Severity level
# - Description

Configuring Repository for Security Updates Only

Create Custom Repo Configuration

# Edit repo file to include only security updates
vim /etc/yum.repos.d/rhel-security.repo

# Add:
[rhel-8-baseos-security]
name=RHEL 8 BaseOS Security Updates Only
baseurl=https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
includepkgs=*security*

Configure Yum to Filter Updates

For comprehensive Yum/DNF command usage, see our detailed guide: Complete Yum and DNF Commands Guide

Downloading RPM Packages

Download Specific Package

# Download package without installing
yumdownloader package-name

# Download with dependencies
yumdownloader --resolve package-name

# Download to specific directory
yumdownloader --destdir=/tmp/rpms httpd

# For RHEL 8/9:
dnf download package-name
dnf download --resolve --destdir=/tmp/rpms httpd

Download All Packages from Repository (Mirror Creation)

# Install reposync
yum install yum-utils

# Download entire repository
reposync --gpgcheck -l \
  --repoid=rhel-8-for-x86_64-baseos-rpms \
  --download_path=/var/repos/rhel8 \
  --downloadcomps \
  --download-metadata

# For RHEL 8/9:
dnf install dnf-plugins-core
dnf reposync \
  --repo=rhel-8-for-x86_64-baseos-rpms \
  --download-path=/var/repos/rhel8 \
  --download-metadata

Download Only Security Updates

# Download security updates only
yumdownloader --security --resolve

# Or use reposync with filters
reposync --repoid=rhel-8-baseos-rpms \
  --download_path=/var/repos/security \
  --downloadcomps \
  --newest-only

Refreshing Subscription Data

# Refresh subscription information
subscription-manager refresh

# Force refresh and update entitlements
subscription-manager refresh --force

# Update repository data
yum clean all
yum makecache

Unregistering Systems

Standard Unregister

# Unregister system from Red Hat
subscription-manager unregister

# This removes:
# - System from Customer Portal
# - Entitlement certificates
# - Repository access

Clean Subscription Data

# Clean all subscription data
subscription-manager clean

# This removes:
# - Consumer certificates (/etc/pki/consumer/)
# - Entitlement certificates (/etc/pki/entitlement/)
# - Facts (/etc/rhsm/facts/)

Unregister from Satellite

# Same command works for Satellite
subscription-manager unregister

# Clean local data
subscription-manager clean

Remove Legacy RHN Registration (RHEL 5/6)

# For old RHN Classic systems
rm -f /etc/sysconfig/rhn/systemid

# Remove RHN packages (if migrating to RHSM)
yum remove rhn-* yum-rhn-plugin

Clean Yum Cache After Unregistering

# Remove cached repository data
rm -rf /var/cache/yum/*
yum clean all

# For RHEL 8/9:
dnf clean all
rm -rf /var/cache/dnf/*

Troubleshooting Common Issues

Issue: “This system is not registered”

# Check current status
subscription-manager status

# Re-register if needed
subscription-manager register --username=USERNAME

# Verify network connectivity
ping subscription.rhsm.redhat.com
curl -I https://subscription.rhsm.redhat.com

Issue: “No subscriptions are available”

# Verify account has available subscriptions in portal
subscription-manager list --available

# If none available, check Customer Portal:
# https://access.redhat.com/management/subscriptions

# Contact Red Hat support if subscriptions missing

Issue: Repositories not enabled after attaching subscription

# Refresh entitlements
subscription-manager refresh

# Manually enable repositories
subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms

# Verify
subscription-manager repos --list-enabled

Issue: Certificate errors

# Remove and regenerate certificates
subscription-manager remove --all
subscription-manager clean
subscription-manager register --username=USERNAME
subscription-manager attach --auto

Best Practices

Registration Best Practices

Use activation keys for automated deployments
Document activation keys and organization IDs
Use Satellite for large-scale management
Tag systems with meaningful names in Customer Portal

Subscription Management

Use auto-attach for simple environments
Track subscription usage in Customer Portal
Unregister decommissioned systems promptly
Review subscription consumption quarterly

Security Update Strategy

Apply critical security updates within 24 hours
Test important/moderate updates in dev first
Subscribe to RHSA mailing lists
Use –advisory flag for targeted updates
Maintain offline repository mirrors for air-gapped systems

Frequently Asked Questions

Do I need to unregister a system before decommissioning it?

Yes, always unregister systems before decommissioning to free subscription entitlements for other systems. Use “subscription-manager unregister” before shutting down or deleting VMs. If forgotten, remove systems from the Red Hat Customer Portal web interface, though this takes longer to sync.

What’s the difference between activation keys and username/password registration?

Activation keys are designed for automation (kickstart, Ansible, cloud-init) and don’t require interactive password entry. They can pre-configure repository enablement and subscription attachment. Username/password registration is for manual, interactive registration and requires credentials each time. Use activation keys for infrastructure-as-code and automated deployments.

How do I apply only security updates without other package updates?

Use “yum update –security” (RHEL 7) or “dnf update –security” (RHEL 8/9). This applies only packages with security errata, excluding bug fix and enhancement updates. For specific severity levels, use “–sec-severity=Critical” or “–sec-severity=Important”. This approach minimizes changes while maintaining security.

Can I download packages for a different RHEL version than I’m running?

No, subscription-manager and yumdownloader only access repositories for your currently running RHEL version. To download RHEL 9 packages, you need a RHEL 9 system with appropriate subscriptions. Alternatively, download ISOs from Customer Portal or use a system running the target version for package downloads.

How do I find which RHSA addresses a specific CVE?

Use “yum updateinfo list cve CVE-2024-1234” to see which advisory addresses that CVE. You can also search the Red Hat Customer Portal Security page (https://access.redhat.com/security/security-updates/) by CVE number for detailed information including affected packages and RHSA numbers.

What happens to my repositories when I unregister?

When you unregister, /etc/yum.repos.d/redhat.repo is emptied or removed since you no longer have subscription entitlements. Cached packages in /var/cache/yum remain but you can’t download new updates. Custom repository files in /etc/yum.repos.d/ are not affected. Re-registering regenerates redhat.repo based on your new subscriptions.

How do I register a system if I don’t know my organization ID?

Log into Red Hat Customer Portal (access.redhat.com), go to Subscription Management, and your organization ID appears in the top right. Alternatively, register another system with username/password, then run “subscription-manager identity” to see the org ID. Activation keys also include the org ID in their configuration.

Can I use the same activation key for RHEL 7, 8, and 9?

Technically yes, but it’s not recommended. Create version-specific activation keys with appropriate repositories enabled for each major version. RHEL 7 uses different repository IDs than RHEL 8/9. Version-specific keys prevent confusion and ensure correct repositories are enabled automatically during registration.

How do I apply updates from a specific date range?

There’s no built-in date-range filter in yum/dnf. Use “yum updateinfo list” to see advisory dates, then apply specific advisories with “yum update –advisory=RHSA-2024:XXXX”. For automation, parse updateinfo XML or use Red Hat Satellite which provides advanced filtering by date, CVE, severity, and package.

What’s the difference between subscription-manager refresh and yum makecache?

“subscription-manager refresh” updates your subscription entitlements and repository access from Red Hat serversâ€”it affects which repos you can access. “yum makecache” downloads package metadata from already-enabled repositoriesâ€”it updates package lists but doesn’t change subscriptions. Run refresh after subscription changes, makecache to update package information.

Conclusion

Effective Red Hat subscription management ensures your systems remain secure, supported, and up-to-date. From initial registration through daily operations to eventual decommissioning, mastering subscription-manager, repository configuration, and targeted update application enables efficient RHEL fleet management. Whether managing individual servers or enterprise-scale deployments, these tools provide the control needed for maintaining secure, compliant Red Hat Enterprise Linux environments.

For comprehensive Yum and DNF command usage beyond subscription management, see our Complete Yum and DNF Commands Guide.

Was this article helpful?

About the Author: Ramesh Sundararamaiah

Red Hat Certified Architect

Ramesh is a Red Hat Certified Architect with extensive experience in enterprise Linux environments. He specializes in system administration, DevOps automation, and cloud infrastructure. Ramesh has helped organizations implement robust Linux solutions and optimize their IT operations for performance and reliability.

Expertise: Red Hat Enterprise Linux, CentOS, Ubuntu, Docker, Ansible, System Administration, DevOps