From 67d2585bb97cfe99dc696c56449e02ddd12dd50d Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Fri, 11 Apr 2025 21:58:37 +0200
Subject: [PATCH 01/23] Implement initial question to import certificate

---
 service/lib/agama/registration.rb             | 170 ++++++++---
 service/lib/agama/ssl/certificate.rb          | 256 ++++++++++++++++
 service/lib/agama/ssl/certificate_details.rb  |  59 ++++
 service/lib/agama/ssl/errors.rb               |  53 ++++
 service/lib/agama/ssl/fingerprint.rb          |  23 ++
 service/run_tests_in_container.sh             |   2 +-
 service/test/agama/registration_test.rb       |  40 ++-
 .../agama/ssl/certificate_details_spec.rb     |  64 ++++
 service/test/agama/ssl/certificate_spec.rb    | 282 ++++++++++++++++++
 service/test/agama/ssl/fingerprint_spec.rb    |  66 ++++
 .../test/fixtures/anchors/openssl/8820a2e8.0  |   1 +
 .../test/fixtures/anchors/openssl/8f13f82e.0  |   1 +
 .../fixtures/anchors/openssl/YaST_Team.pem    |  23 ++
 service/test/fixtures/anchors/pem/8820a2e8.0  |   1 +
 service/test/fixtures/anchors/pem/8f13f82e.0  |   1 +
 .../test/fixtures/anchors/pem/YaST_Team.pem   |  23 ++
 service/test/fixtures/test.pem                |  20 ++
 17 files changed, 1040 insertions(+), 45 deletions(-)
 create mode 100644 service/lib/agama/ssl/certificate.rb
 create mode 100644 service/lib/agama/ssl/certificate_details.rb
 create mode 100644 service/lib/agama/ssl/errors.rb
 create mode 100644 service/lib/agama/ssl/fingerprint.rb
 create mode 100755 service/test/agama/ssl/certificate_details_spec.rb
 create mode 100755 service/test/agama/ssl/certificate_spec.rb
 create mode 100755 service/test/agama/ssl/fingerprint_spec.rb
 create mode 120000 service/test/fixtures/anchors/openssl/8820a2e8.0
 create mode 120000 service/test/fixtures/anchors/openssl/8f13f82e.0
 create mode 100644 service/test/fixtures/anchors/openssl/YaST_Team.pem
 create mode 120000 service/test/fixtures/anchors/pem/8820a2e8.0
 create mode 120000 service/test/fixtures/anchors/pem/8f13f82e.0
 create mode 100644 service/test/fixtures/anchors/pem/YaST_Team.pem
 create mode 100644 service/test/fixtures/test.pem

diff --git a/service/lib/agama/registration.rb b/service/lib/agama/registration.rb
index 58fce1e108..dc94db2cb5 100644
--- a/service/lib/agama/registration.rb
+++ b/service/lib/agama/registration.rb
@@ -29,6 +29,9 @@
 require "agama/cmdline_args"
 require "agama/errors"
 require "agama/registered_addon"
+require "agama/ssl/certificate"
+require "agama/ssl/certificate_details"
+require "agama/ssl/errors"
 
 Yast.import "Arch"
 Yast.import "Pkg"
@@ -36,6 +39,8 @@
 module Agama
   # Handles everything related to registration of system to SCC, RMT or similar.
   class Registration
+    include Yast::I18n
+
     # NOTE: identical and keep in sync with Software::Manager::TARGET_DIR
     TARGET_DIR = "/run/agama/zypp"
     private_constant :TARGET_DIR
@@ -84,54 +89,58 @@ def initialize(software_manager, logger)
     def register(code, email: "")
       return if product.nil? || reg_code
 
-      reg_params = connect_params(token: code, email: email)
+      catch_registration_errors do
+        reg_params = connect_params(token: code, email: email)
 
-      @login, @password = SUSE::Connect::YaST.announce_system(reg_params, target_distro)
-      # write the global credentials
-      # TODO: check if we can do it in memory for libzypp
-      SUSE::Connect::YaST.create_credentials_file(@login, @password, GLOBAL_CREDENTIALS_PATH)
+        @login, @password = SUSE::Connect::YaST.announce_system(reg_params, target_distro)
+        # write the global credentials
+        # TODO: check if we can do it in memory for libzypp
+        SUSE::Connect::YaST.create_credentials_file(@login, @password, GLOBAL_CREDENTIALS_PATH)
 
-      activate_params = {}
-      service = SUSE::Connect::YaST.activate_product(base_target_product, activate_params, email)
-      process_service(service)
+        activate_params = {}
+        service = SUSE::Connect::YaST.activate_product(base_target_product, activate_params, email)
+        process_service(service)
 
-      @reg_code = code
-      @email = email
-      run_on_change_callbacks
+        @reg_code = code
+        @email = email
+        run_on_change_callbacks
+      end
     end
 
     def register_addon(name, version, code)
-      register_version = if version.empty?
-        # version is not specified, find it automatically
-        find_addon_version(name)
-      else
-        # use the explicitly required version
-        version
+      catch_registration_errors do
+        register_version = if version.empty?
+          # version is not specified, find it automatically
+          find_addon_version(name)
+        else
+          # use the explicitly required version
+          version
+        end
+
+        if @registered_addons.any? { |a| a.name == name && a.version == register_version }
+          @logger.info "Addon #{name}-#{register_version} already registered, skipping registration"
+          return
+        end
+
+        @logger.info "Registering addon #{name}-#{register_version}"
+        # do not log the code, but at least log if it is empty
+        @logger.info "Using empty registration code" if code.empty?
+
+        target_product = OpenStruct.new(
+          arch:       Yast::Arch.rpm_arch,
+          identifier: name,
+          version:    register_version
+        )
+        activate_params = { token: code }
+        service = SUSE::Connect::YaST.activate_product(target_product, activate_params, @email)
+        process_service(service)
+
+        @registered_addons << RegisteredAddon.new(name, register_version, !version.empty?, code)
+        # select the products to install
+        @software.addon_products(find_addon_products)
+
+        run_on_change_callbacks
       end
-
-      if @registered_addons.any? { |a| a.name == name && a.version == register_version }
-        @logger.info "Addon #{name}-#{register_version} already registered, skipping registration"
-        return
-      end
-
-      @logger.info "Registering addon #{name}-#{register_version}"
-      # do not log the code, but at least log if it is empty
-      @logger.info "Using empty registration code" if code.empty?
-
-      target_product = OpenStruct.new(
-        arch:       Yast::Arch.rpm_arch,
-        identifier: name,
-        version:    register_version
-      )
-      activate_params = { token: code }
-      service = SUSE::Connect::YaST.activate_product(target_product, activate_params, @email)
-      process_service(service)
-
-      @registered_addons << RegisteredAddon.new(name, register_version, !version.empty?, code)
-      # select the products to install
-      @software.addon_products(find_addon_products)
-
-      run_on_change_callbacks
     end
 
     # Deregisters the selected product.
@@ -252,9 +261,88 @@ def credentials_path(file)
     def connect_params(params = {})
       default_params = {}
       default_params[:url] = registration_url if registration_url
+      default_params[:verify_callback] = verify_callback
       default_params.merge(params)
     end
 
+    # returns SSL verify callback
+    def verify_callback
+      lambda do |verify_ok, context|
+
+        # we cannot raise an exception with details here (all exceptions in
+        # verify_callback are caught and ignored), we need to store the error
+        # details in a global instance
+        store_ssl_error(context) unless verify_ok
+
+        verify_ok
+      rescue StandardError => e
+        @logger.error "Exception in SSL verify callback: #{e.class}: #{e.message} : #{e.backtrace}"
+        # the exception will be ignored, but reraise anyway...
+        raise e
+
+      end
+    end
+
+    def store_ssl_error(context)
+      @logger.error "SSL verification failed: #{context.error}: #{context.error_string}"
+      SSL::Errors.instance.ssl_error_code = context.error
+      SSL::Errors.instance.ssl_error_msg = context.error_string
+      SSL::Errors.instance.ssl_failed_cert =
+        context.current_cert ? SSL::Certificate.load(context.current_cert) : nil
+    end
+
+    def catch_registration_errors(&block)
+      # import the SSL certificate just once to avoid an infinite loop
+      certificate_imported = false
+      begin
+        # reset the previous SSL errors
+        Agama::SSL::Errors.instance.reset
+
+        block.call
+
+        true
+      rescue OpenSSL::SSL::SSLError => e
+        @logger.error "OpenSSL error: #{e}"
+        should_retry = handle_ssl_error(e, certificate_imported)
+        if should_retry
+          certificate_imported = true
+          SSL::Errors.instance.ssl_failed_cert.import
+          retry
+        end
+        false
+      end
+    end
+
+    def handle_ssl_error(_error, certificate_imported)
+      return false if certificate_imported
+
+      cert = SSL::Errors.instance.ssl_failed_cert
+      error_code = SSL::Errors.instance.ssl_error_code
+
+      puts "cert #{cert} code #{error_code}"
+      if cert && SSL::ErrorCodes::IMPORT_ERROR_CODES.include?(error_code)
+        message = format(
+          _("Secure Connection Error for %{url}: %{error}. Certificate details %{details}."),
+          url:     registration_url || "https://scc.suse.com",
+          error:   SSL::ErrorCodes::OPENSSL_ERROR_MESSAGES[error_code],
+          details: SSL::CertificateDetails.new(cert).summary
+        )
+        question = Agama::Question.new(
+          qclass:         "registration.certificate",
+          text:           message,
+          options:        [:Import, :Abort],
+          default_option: :Abort
+        )
+
+        questions_client = Agama::DBus::Clients::Questions.new(logger: @logger)
+        questions_client.ask(question) do |question_client|
+          return question_client.answer == :Import
+        end
+      end
+
+      false
+    end
+
     # Returns the URL of the registration server
     #
     # At this point, it just checks the kernel's command-line.
diff --git a/service/lib/agama/ssl/certificate.rb b/service/lib/agama/ssl/certificate.rb
new file mode 100644
index 0000000000..80a2907a40
--- /dev/null
+++ b/service/lib/agama/ssl/certificate.rb
@@ -0,0 +1,256 @@
+require "openssl"
+require "suse/connect"
+require "yast2/execute"
+require "agama/ssl/fingerprint"
+require "agama/ssl/certificate_details"
+
+module Agama
+  module SSL
+    # class handling SSL certificate
+    class Certificate
+      include Yast::Logger
+
+      Yast.import "Stage"
+      Yast.import "Installation"
+
+      # Path to the registration certificate in the instsys
+      INSTSYS_CERT_DIR = "/etc/pki/trust/anchors".freeze
+      INSTSYS_SERVER_CERT_FILE = File.join(INSTSYS_CERT_DIR, "registration_server.pem").freeze
+      # Path to system CA certificates
+      CA_CERTS_DIR = "/var/lib/ca-certificates".freeze
+
+      # all used certificate paths, this is used during upgrade to import
+      # the old certificate into the inst-sys, put the older paths at the end
+      # so the newer paths are checked first
+      PATHS = [
+        # the YaST (SUSEConnect) current default path
+        # /etc/pki/trust/anchors/registration_server.pem
+        SUSE::Connect::YaST::SERVER_CERT_FILE,
+        # old location of the certificate (before moved to /etc)
+        # https://bugzilla.suse.com/show_bug.cgi?id=1130864
+        "/usr/share/pki/trust/anchors/registration_server.pem",
+        # RMT certificate
+        # https://github.com/SUSE/rmt/blob/b240ce577bd1637cfb57548f2741a1925cf3e4ee/public/tools/rmt-client-setup#L214
+        "/etc/pki/trust/anchors/rmt-server.pem",
+        # SMT certificate
+        # https://github.com/SUSE/smt/blob/SMT12/script/clientSetup4SMT.sh#L245
+        "/etc/pki/trust/anchors/registration-server.pem",
+        # the SLE11 path (for both YaST and the clientSetup4SMT.sh script)
+        # https://github.com/yast/yast-registration/blob/Code-11-SP3/src/modules/Register.ycp#L296-L297
+        "/etc/ssl/certs/registration-server.pem"
+      ].freeze
+
+      attr_reader :x509_cert
+
+      # Path to store the certificate of the registration server
+      #
+      # @return [String] Path to store the certificate
+      def self.default_certificate_path
+        INSTSYS_SERVER_CERT_FILE
+      end
+
+      def initialize(x509_cert)
+        @x509_cert = x509_cert
+      end
+
+      def self.load_file(file)
+        load(File.read(file))
+      end
+
+      def self.load(data)
+        cert = OpenSSL::X509::Certificate.new(data)
+        Certificate.new(cert)
+      end
+
+      def self.download(url, insecure: false)
+        # TODO
+        #result = Downloader.download(url, insecure: insecure)
+        #load(result)
+      end
+
+      # Path to temporal CA certificates (to be used only in instsys)
+      TMP_CA_CERTS_DIR = "/var/lib/YaST2/ca-certificates".freeze
+
+      # Update instys CA certificates
+      #
+      # update-ca-certificates script cannot be used in inst-sys.
+      # See bsc#981428 and bsc#989787.
+      #
+      # @return [Boolean] true if update was successful; false otherwise.
+      #
+      # @see CA_CERTS_DIR
+      # @see TMP_CA_CERTS_DIR
+      def self.update_instsys_ca
+        FileUtils.mkdir_p(TMP_CA_CERTS_DIR)
+        # Extract system certs in openssl and pem formats
+        Yast::Execute.locally("trust", "extract", "--format=openssl-directory",
+          "--filter=ca-anchors", "--overwrite", File.join(TMP_CA_CERTS_DIR, "openssl"))
+        Yast::Execute.locally("trust", "extract", "--format=pem-directory-hash",
+          "--filter=ca-anchors", "--overwrite", File.join(TMP_CA_CERTS_DIR, "pem"))
+
+        # Copy certificates/links
+        new_files = []
+        ["pem", "openssl"].each do |subdir|
+          files = Dir[File.join(TMP_CA_CERTS_DIR, subdir, "*")]
+          next if files.empty?
+
+          subdir = File.join(CA_CERTS_DIR, subdir)
+          FileUtils.mkdir_p(subdir) unless Dir.exist?(subdir)
+          files.each do |file|
+            # FileUtils.cp does not seem to allow copying the links without dereferencing them.
+            Yast::Execute.locally("cp", "--no-dereference", "--preserve=links", file, subdir)
+            new_files << File.join(subdir, File.basename(file))
+          end
+        end
+
+        # Cleanup
+        FileUtils.rm_rf(TMP_CA_CERTS_DIR)
+
+        return false if new_files.empty?
+
+        # Reload SUSEConnect internal cert pool (suseconnect-ng only)
+        SUSE::Connect::SSLCertificate.reload if SUSE::Connect::SSLCertificate.respond_to?(:reload)
+
+        # Check that last file was copied to return true or false
+        File.exist?(new_files.last)
+      end
+
+      # certificate serial number (in HEX format, e.g. AB:CD:42:FF...)
+      def serial
+        x509_cert.serial.to_s(16).scan(/../).join(":")
+      end
+
+      def issued_on
+        x509_cert.not_before.localtime.strftime("%F")
+      end
+
+      def valid_yet?
+        Time.now > x509_cert.not_before
+      end
+
+      def expires_on
+        x509_cert.not_after.localtime.strftime("%F")
+      end
+
+      def expired?
+        Time.now > x509_cert.not_after
+      end
+
+      def subject_name
+        find_subject_attribute("CN")
+      end
+
+      def subject_organization
+        find_subject_attribute("O")
+      end
+
+      def subject_organization_unit
+        find_subject_attribute("OU")
+      end
+
+      def issuer_name
+        find_issuer_attribute("CN")
+      end
+
+      def issuer_organization
+        find_issuer_attribute("O")
+      end
+
+      def issuer_organization_unit
+        find_issuer_attribute("OU")
+      end
+
+      def fingerprint(sum)
+        case sum.upcase
+        when Fingerprint::SHA1
+          sha1_fingerprint
+        when Fingerprint::SHA256
+          sha256_fingerprint
+        else
+          raise "Unsupported checksum type '#{sum}'"
+        end
+      end
+
+      # Import the certificate
+      #
+      # Depending if running in installation or in a installed system,
+      # it will rely on #import_to_instsys or #import_to_system methods.
+      #
+      # @return [true] true if import was successful
+      #
+      # @raise Connect::SystemCallError
+      # @raise Cheetah::ExecutionFailed
+
+      # @see #import_to_instsys
+      def import
+        import_to_instsys
+      end
+
+      # Import the certificate to the installation system
+      #
+      # This method exists because the procedure to import certificates
+      # to installation system is slightly different to the one followed
+      # to import certificates to a installed system.
+      #
+      # @param target_path [String] where the imported certificate will be saved,
+      #   the path should contain the INSTSYS_CERT_DIR prefix otherwise it might
+      #   not work correctly.
+      # @return [Boolean] true if import was successful; false otherwise.
+      #
+      # @see update_instsys_ca
+      def import_to_instsys(target_path = self.class.default_certificate_path)
+        # Copy certificate
+        File.write(target_path, x509_cert.to_pem)
+
+        # Update database
+        self.class.update_instsys_ca
+      end
+
+      # Log the certificate details
+      def log_details
+        require "registration/ssl_certificate_details"
+        # log also the dates
+        log.info("#{CertificateDetails.new(self).summary}\n" \
+          "Issued on: #{issued_on}\nExpires on: #{expires_on}")
+
+        # log a warning for expired certificate
+        expires = x509_cert.not_after.localtime
+        log.warn("The certificate has EXPIRED! (#{expires})") if expires < Time.now
+      end
+
+    private
+
+      # @param x509_name [OpenSSL::X509::Name] name object
+      # @param attribute [String] requested attribute name. e.g. "CN"
+      # @return attribut value or nil if not defined
+      def find_name_attribute(x509_name, attribute)
+        # to_a returns an attribute list, e.g.:
+        # [["CN", "linux", 19], ["emailAddress", "root@...", 22], ["O", "YaST", 19], ...]
+        _attr, value, _code = x509_name.to_a.find { |a| a.first == attribute }
+        value
+      end
+
+      def find_issuer_attribute(attribute)
+        find_name_attribute(x509_cert.issuer, attribute)
+      end
+
+      def find_subject_attribute(attribute)
+        find_name_attribute(x509_cert.subject, attribute)
+      end
+
+      def sha1_fingerprint
+        Fingerprint.new(
+          Fingerprint::SHA1,
+          ::SUSE::Connect::YaST.cert_sha1_fingerprint(x509_cert)
+        )
+      end
+
+      def sha256_fingerprint
+        Fingerprint.new(
+          Fingerprint::SHA256,
+          ::SUSE::Connect::YaST.cert_sha256_fingerprint(x509_cert)
+        )
+      end
+    end
+  end
+end
diff --git a/service/lib/agama/ssl/certificate_details.rb b/service/lib/agama/ssl/certificate_details.rb
new file mode 100644
index 0000000000..25c130ad9c
--- /dev/null
+++ b/service/lib/agama/ssl/certificate_details.rb
@@ -0,0 +1,59 @@
+require "agama/ssl/fingerprint"
+
+module Agama
+  # class handling SSL certificate
+  module SSL
+    class CertificateDetails
+      include Yast::I18n
+
+      # indent size used in summary text
+      INDENT = " " * 3
+
+      def initialize(certificate)
+        textdomain "registration"
+        @certificate = certificate
+      end
+
+      def subject
+        identity_details(certificate.subject_name, certificate.subject_organization,
+          certificate.subject_organization_unit)
+      end
+
+      def issuer
+        identity_details(certificate.issuer_name, certificate.issuer_organization,
+          certificate.issuer_organization_unit)
+      end
+
+      def summary(small_space: false)
+        summary = _("Certificate:") + "\n" + _("Issued To") + "\n" + subject +
+          "\n" + _("Issued By") + "\n" + issuer + "\n" + _("SHA1 Fingerprint: ") +
+          "\n" + INDENT + certificate.fingerprint(Fingerprint::SHA1).value + "\n" +
+          _("SHA256 Fingerprint: ") + "\n"
+
+        sha256 = certificate.fingerprint(Fingerprint::SHA256).value
+        summary += if small_space
+          # split the long SHA256 digest to two lines in small text mode UI
+          INDENT + sha256[0..59] + "\n" + INDENT + sha256[60..-1]
+        else
+          INDENT + sha256
+        end
+
+        summary
+      end
+
+    private
+
+      attr_reader :certificate
+
+      def identity_details(cn, o, ou)
+        # label followed by the SSL certificate identification
+        _("Common Name (CN): ") + (cn || "") + "\n" +
+          # label followed by the SSL certificate identification
+          _("Organization (O): ") + (o || "") + "\n" +
+          # label followed by the SSL certificate identification
+          _("Organization Unit (OU): ") + (ou || "") + "\n"
+      end
+    end
+  end
+end
+
diff --git a/service/lib/agama/ssl/errors.rb b/service/lib/agama/ssl/errors.rb
new file mode 100644
index 0000000000..ac47ffe4ba
--- /dev/null
+++ b/service/lib/agama/ssl/errors.rb
@@ -0,0 +1,53 @@
+require "yast"
+
+module Agama
+  module SSL
+    # remember the details about SSL verification failure
+    # the attributes are read from the SSL error context
+    class Errors < Struct.new(:ssl_error_code, :ssl_error_msg, :ssl_failed_cert)
+      include Singleton
+
+      def reset
+        self.ssl_error_code = nil
+        self.ssl_error_msg = nil
+        self.ssl_failed_cert = nil
+      end
+    end
+
+    module ErrorCodes
+      extend Yast::I18n
+      textdomain "registration"
+
+      # "certificate has expired"
+      EXPIRED = 10
+      # "self signed certificate"
+      SELF_SIGNED_CERT = 18
+      # "self signed certificate in certificate chain"
+      SELF_SIGNED_CERT_IN_CHAIN = 19
+      # "unable to get local issuer certificate"
+      NO_LOCAL_ISSUER_CERTIFICATE = 20
+
+      # openSSL error codes for which the import SSL certificate dialog is shown,
+      # for the other error codes just the error message is displayed
+      # (importing the certificate would not help)
+      IMPORT_ERROR_CODES = [
+        SELF_SIGNED_CERT,
+        SELF_SIGNED_CERT_IN_CHAIN
+      ].freeze
+
+      # error code => translatable error message
+      # @note the text messages need to be translated at runtime via _() call
+      # @note we do not translate every possible OpenSSL error message, just the most common ones
+      OPENSSL_ERROR_MESSAGES = {
+        # TRANSLATORS: SSL error message
+        EXPIRED                     => N_("Certificate has expired"),
+        # TRANSLATORS: SSL error message
+        SELF_SIGNED_CERT            => N_("Self signed certificate"),
+        # TRANSLATORS: SSL error message
+        SELF_SIGNED_CERT_IN_CHAIN   => N_("Self signed certificate in certificate chain"),
+        # TRANSLATORS: SSL error message
+        NO_LOCAL_ISSUER_CERTIFICATE => N_("Unable to get local issuer certificate")
+      }.freeze
+    end
+  end
+end
diff --git a/service/lib/agama/ssl/fingerprint.rb b/service/lib/agama/ssl/fingerprint.rb
new file mode 100644
index 0000000000..1b3080e9fa
--- /dev/null
+++ b/service/lib/agama/ssl/fingerprint.rb
@@ -0,0 +1,23 @@
+module Agama
+  module SSL
+    class Fingerprint
+      attr_reader :sum, :value
+
+      SHA1 = "SHA1".freeze
+      SHA256 = "SHA256".freeze
+
+      def initialize(sum, value)
+        @sum = sum
+        @value = value
+      end
+
+      def ==(other)
+        return false if other.nil?
+
+        # case insensitive compare of the fingerprint value
+        # (ignore optional colon separators)
+        sum.casecmp(other.sum) == 0 && value.tr(":", "").casecmp(other.value.tr(":", "")) == 0
+      end
+    end
+  end
+end
diff --git a/service/run_tests_in_container.sh b/service/run_tests_in_container.sh
index c298048703..a718ebadd2 100644
--- a/service/run_tests_in_container.sh
+++ b/service/run_tests_in_container.sh
@@ -4,7 +4,7 @@ set -ex
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 podman create -ti --rm --entrypoint '["sh", "-c"]' --name agama_ruby_tests -v $SCRIPT_DIR/..:/checkout registry.opensuse.org/yast/head/containers_tumbleweed/yast-ruby sh
 podman start agama_ruby_tests
-podman exec agama_ruby_tests zypper --non-interactive install yast2-iscsi-client yast2-bootloader ruby3.3-rubygem-eventmachine
+podman exec agama_ruby_tests zypper --non-interactive install yast2-iscsi-client yast2-bootloader ruby3.4-rubygem-eventmachine
 if podman exec --workdir /checkout/service agama_ruby_tests rake test:unit; then
   if [ "$KEEP_RUNNING" != "1" ]; then
     podman stop agama_ruby_tests
diff --git a/service/test/agama/registration_test.rb b/service/test/agama/registration_test.rb
index 92baaf5367..52edf6c21d 100644
--- a/service/test/agama/registration_test.rb
+++ b/service/test/agama/registration_test.rb
@@ -56,6 +56,16 @@
   let(:service) { OpenStruct.new(name: "test-service", url: nil) }
   let(:cmdline_args) { Agama::CmdlineArgs.new({}) }
 
+  describe "#verify_callback" do
+    it "stores to SSL::Error ssl error details" do
+      error = double(error: 20, error_string: "Error", current_cert: nil)
+
+      subject.send(:verify_callback).call(false, error)
+      expect(Agama::SSL::Errors.instance.ssl_error_code).to eq 20
+      expect(Agama::SSL::Errors.instance.ssl_error_msg).to eq "Error"
+    end
+  end
+
   describe "#register" do
     context "if there is no product selected yet" do
       let(:product) { nil }
@@ -85,7 +95,7 @@
       context "and the product is not registered yet" do
         it "announces the system" do
           expect(SUSE::Connect::YaST).to receive(:announce_system).with(
-            { token: "11112222", email: "test@test.com" },
+            { token: "11112222", email: "test@test.com", verify_callback: anything },
             "test-5-x86_64"
           )
 
@@ -99,7 +109,8 @@
 
           it "registers using the given URL" do
             expect(SUSE::Connect::YaST).to receive(:announce_system).with(
-              { token: "11112222", email: "test@test.com", url: "http://scc.example.net" },
+              { token: "11112222", email: "test@test.com", url: "http://scc.example.net",
+                verify_callback: anything },
               "test-5-x86_64"
             )
 
@@ -223,6 +234,29 @@
             expect(subject.email).to be_nil
           end
         end
+
+        context "if the registration server has self-signed certificate" do
+          before do
+            Agama::SSL::Errors.instance.ssl_error_code = Agama::SSL::ErrorCodes::SELF_SIGNED_CERT
+            Agama::SSL::Errors.instance.ssl_error_msg = "test error"
+            Agama::SSL::Errors.instance.ssl_failed_cert = Agama::SSL::Certificate.new("test")
+            # mock reset to avoid previous setup
+            allow(Agama::SSL::Errors.instance).to receive(:reset)
+
+            allow(SUSE::Connect::YaST).to receive(:activate_product).and_raise(OpenSSL::SSL::SSLError.new("test"))
+          end
+
+          it "opens question" do
+            expect(Agama::Question).to receive(:new)
+            q_client = double
+            expect(q_client).to receive(:ask).and_yield(q_client)
+            expect(q_client).to receive(:answer).and_return(:Abort)
+            expect(Agama::DBus::Clients::Questions).to receive(:new)
+              .and_return(q_client)
+
+            subject.register("11112222", email: "test@test.com")
+          end
+        end
       end
     end
   end
@@ -362,7 +396,7 @@
 
         it "deactivates the system" do
           expect(SUSE::Connect::YaST).to receive(:deactivate_system).with(
-            { token: "11112222", email: "test@test.com" }
+            { token: "11112222", email: "test@test.com", verify_callback: anything }
           )
 
           subject.deregister
diff --git a/service/test/agama/ssl/certificate_details_spec.rb b/service/test/agama/ssl/certificate_details_spec.rb
new file mode 100755
index 0000000000..c9f502dcf3
--- /dev/null
+++ b/service/test/agama/ssl/certificate_details_spec.rb
@@ -0,0 +1,64 @@
+#! /usr/bin/env rspec
+
+require_relative "../../test_helper"
+
+require "agama/ssl/certificate"
+require "agama/ssl/certificate_details"
+
+describe "Agama::SSL::CertificateDetails" do
+  subject do
+    Agama::SSL::CertificateDetails.new(
+      Agama::SSL::Certificate.load_file(File.join(FIXTURES_PATH, "test.pem"))
+    )
+  end
+
+  let(:identity) do
+    <<~IDENTITY
+      Common Name (CN): linux-1hyn
+      Organization (O): WebYaST
+      Organization Unit (OU): WebYaST
+    IDENTITY
+  end
+
+  let(:sha256sum) do
+    "2A:02:DA:EC:A9:FF:4C:B4:A6:C0:57:08:F6:1C:8B:B0:94:FA:" \
+      "F4:60:96:5E:18:48:CA:84:81:48:60:F3:CB:BF"
+  end
+  let(:sha1sum) { "A8:DE:08:B1:57:52:FE:70:DF:D5:31:EA:E3:53:BB:39:EE:01:FF:B9" }
+
+  describe ".#subject" do
+    it "returns textual summary of the certificate subject" do
+      expect(subject.subject).to eq(identity)
+    end
+  end
+
+  describe "#issuer" do
+    it "return textual summary of the certificate issuer" do
+      expect(subject.issuer).to eq(identity)
+    end
+  end
+
+  describe "#summary" do
+    it "returns textual summary of the whole certificate" do
+      # rubocop:disable Layout/TrailingWhitespace
+      expect(subject.summary).to eq(<<~CERT.chomp
+        Certificate:
+        Issued To
+        #{identity}
+        Issued By
+        #{identity}
+        SHA1 Fingerprint: 
+           #{sha1sum}
+        SHA256 Fingerprint: 
+           #{sha256sum}
+      CERT
+                                   )
+      # rubocop:enable Layout/TrailingWhitespace
+    end
+
+    it "can optionaly limit line lenght to fit terminal width" do
+      # the longest line still fits 80 chars wide terminal
+      expect(subject.summary(small_space: true).split("\n").map(&:size).max).to be < 80
+    end
+  end
+end
diff --git a/service/test/agama/ssl/certificate_spec.rb b/service/test/agama/ssl/certificate_spec.rb
new file mode 100755
index 0000000000..c51e6bebe8
--- /dev/null
+++ b/service/test/agama/ssl/certificate_spec.rb
@@ -0,0 +1,282 @@
+#! /usr/bin/env rspec
+
+require_relative "../../test_helper"
+
+require "agama/ssl/certificate"
+
+require "pathname"
+require "tmpdir"
+
+describe Agama::SSL::Certificate do
+  subject { Agama::SSL::Certificate.load_file(File.join(FIXTURES_PATH, "test.pem")) }
+  # use "openssl x509 -in test.pem -noout -serial -fingerprint" to get serial and SHA1
+  # use "openssl x509 -outform der -in test.pem -out test.der" and then
+  #   "sha224sum test.der" and "sha256sum test.der" to get SHA224 and SHA256
+  let(:serial) { "B8:AB:F1:73:E4:1F:10:4D" }
+  let(:sha1)   { "A8:DE:08:B1:57:52:FE:70:DF:D5:31:EA:E3:53:BB:39:EE:01:FF:B9" }
+  let(:sha256) do
+    "2A:02:DA:EC:A9:FF:4C:B4:A6:C0:57:08:F6:1C:8B:B0:94:FA:F4:60:96:5E:" \
+      "18:48:CA:84:81:48:60:F3:CB:BF"
+  end
+  let(:initial) { false }
+
+  before do
+    allow(Yast::Stage).to receive(:initial).and_return(initial)
+  end
+
+  describe ".load_file" do
+    it "loads SSL certificate from a file" do
+      expect(subject).to be_a(Agama::SSL::Certificate)
+    end
+  end
+
+  describe ".load" do
+    it "loads SSL certificate from data" do
+      expect(Agama::SSL::Certificate.load(File.read(File.join(FIXTURES_PATH, "test.pem")))).to \
+        be_a(Agama::SSL::Certificate)
+    end
+  end
+
+  xdescribe ".download" do
+    it "downloads a SSL certificate from server" do
+      expect(Agama::SSL::Downloader).to receive(:download)\
+        .and_return(File.read(File.join(FIXTURES_PATH, "test.pem")))
+
+      expect(Agama::SSL::Certificate.download("http://example.com/smt.crt")).to \
+        be_a(Agama::SSL::Certificate)
+    end
+  end
+
+  describe ".update_instsys_ca" do
+    CERT_NAME = "YaST_Team.pem".freeze
+    # Names are asigned by "trust" and related to certificate content
+    CERT_LINKS = ["8820a2e8.0", "8f13f82e.0"].freeze
+
+    let(:ca_dir) { Pathname.new(Dir.mktmpdir) }
+    let(:tmp_ca_dir) { File.join(FIXTURES_PATH, "anchors") }
+
+    before do
+      stub_const("Agama::SSL::Certificate::TMP_CA_CERTS_DIR", tmp_ca_dir.to_s)
+      stub_const("Agama::SSL::Certificate::CA_CERTS_DIR", ca_dir.to_s)
+      allow(Yast::Execute).to receive(:locally).and_call_original
+      allow(FileUtils).to receive(:rm_rf).and_call_original
+      ["openssl", "pem"].each do |d|
+        FileUtils.mkdir_p(File.join(tmp_ca_dir, d))
+        CERT_LINKS.each do |l|
+          FileUtils.ln_sf(File.join(tmp_ca_dir, d, CERT_NAME), File.join(tmp_ca_dir, d, l))
+        end
+      end
+    end
+
+    after do
+      FileUtils.rm_rf(ca_dir.to_s)
+      cert_links = Dir[File.join(tmp_ca_dir, "*")].select { |f| File.symlink?(f)}
+      FileUtils.rm(cert_links) unless cert_links.empty?
+    end
+
+    it "adds new certs under anchors to system CA certificates" do
+      expect(Yast::Execute).to receive(:locally).with("trust", "extract",
+        "--format=openssl-directory", "--filter=ca-anchors", "--overwrite",
+        File.join(tmp_ca_dir, "openssl"))
+        .and_return(true)
+      expect(Yast::Execute).to receive(:locally).with("trust", "extract",
+        "--format=pem-directory-hash", "--filter=ca-anchors", "--overwrite",
+        File.join(tmp_ca_dir, "pem"))
+        .and_return(true)
+      expect(FileUtils).to receive(:rm_rf).with(tmp_ca_dir)
+        .and_return(Dir[File.join(tmp_ca_dir, "*")])
+
+      expect(described_class.update_instsys_ca).to eq(true)
+
+      # Check that certificates and symlink exists
+      targets = ["pem", "openssl"].map { |d| File.join(ca_dir, d) }
+      targets.each do |subdir|
+        expect(File.file?(File.join(subdir, CERT_NAME))).to eq true
+        CERT_LINKS.each { |l| expect(File.symlink?(File.join(subdir, l))).to eq true }
+      end
+    end
+
+    context "when updating the system CA certificate fails" do
+      before do
+        allow(Cheetah).to receive(:run)
+        allow(FileUtils).to receive(:rm_rf)
+      end
+
+      it "returns false" do
+        expect(described_class.update_instsys_ca).to eq(false)
+      end
+    end
+  end
+
+  describe ".default_certificate_path" do
+    it "returns the path defined by INSTSYS_SERVER_CERT_FILE" do
+      expect(described_class.default_certificate_path)
+        .to eq(Agama::SSL::Certificate::INSTSYS_SERVER_CERT_FILE)
+    end
+  end
+
+  describe "#fingerprint" do
+    it "returns SHA1 fingerprint in HEX format" do
+      expect(subject.fingerprint(Agama::SSL::Fingerprint::SHA1).value).to eq(sha1)
+    end
+
+    it "returns SHA256 fingerprint in HEX format" do
+      expect(subject.fingerprint(Agama::SSL::Fingerprint::SHA256).value).to eq(sha256)
+    end
+
+    it "raises an exception when unsupported sum is requested" do
+      expect { subject.fingerprint("SHA224") }.to raise_error(/Unsupported checksum type/)
+    end
+  end
+
+  describe "#serial" do
+    it "returns serial number in HEX format" do
+      expect(subject.serial).to eq(serial)
+    end
+  end
+
+  describe "#issued_on" do
+    it "returns date of issue in human readable form" do
+      expect(subject.issued_on).to eq("2014-04-24")
+    end
+  end
+
+  describe "#expires_on" do
+    it "returns date of issue in human readable form" do
+      expect(subject.expires_on).to eq("2017-04-23")
+    end
+  end
+
+  context "current date in the past" do
+    before do
+      expect(Time).to receive(:now).and_return(Time.new(2010, 1, 1))
+    end
+
+    describe "#expired?" do
+      it "returns false" do
+        expect(subject.expired?).to eq(false)
+      end
+    end
+
+    describe "#valid_yet?" do
+      it "returns false" do
+        expect(subject.valid_yet?).to eq(false)
+      end
+    end
+  end
+
+  context "current date in the future" do
+    before do
+      expect(Time).to receive(:now).and_return(Time.new(2020, 1, 1))
+    end
+
+    describe "#expired?" do
+      it "returns true" do
+        expect(subject.expired?).to eq(true)
+      end
+    end
+
+    describe "#valid_yet?" do
+      it "returns true" do
+        expect(subject.valid_yet?).to eq(true)
+      end
+    end
+  end
+
+  context "current date in valid range" do
+    before do
+      expect(Time).to receive(:now).and_return(Time.new(2015, 1, 1))
+    end
+
+    describe "#expired?" do
+      it "returns false" do
+        expect(subject.expired?).to eq(false)
+      end
+    end
+
+    describe "#valid_yet?" do
+      it "returns true" do
+        expect(subject.valid_yet?).to eq(true)
+      end
+    end
+  end
+
+  describe "#subject_name" do
+    it "returns subject name" do
+      expect(subject.subject_name).to eq("linux-1hyn")
+    end
+  end
+
+  describe "#subject_organization" do
+    it "returns subject organization name" do
+      expect(subject.subject_organization).to eq("WebYaST")
+    end
+  end
+
+  describe "#subject_organization_unit" do
+    it "returns subject organization unit name" do
+      expect(subject.subject_organization_unit).to eq("WebYaST")
+    end
+  end
+
+  describe "#issuer_name" do
+    it "returns issuer name" do
+      expect(subject.issuer_name).to eq("linux-1hyn")
+    end
+  end
+
+  describe "#issuer_organization" do
+    it "returns issuer organization name" do
+      expect(subject.issuer_organization).to eq("WebYaST")
+    end
+  end
+
+  describe "#issuer_organization_unit" do
+    it "returns issuer organization unit name" do
+      expect(subject.issuer_organization_unit).to eq("WebYaST")
+    end
+  end
+
+  describe "#import_to_instsys" do
+    before do
+      allow(subject.x509_cert).to receive(:to_pem).and_return("CERTIFICATE")
+    end
+
+    it "copies the certificate to the default instsys path" do
+      allow(described_class).to receive(:update_instsys_ca)
+      expect(File).to receive(:write)
+        .with(described_class.default_certificate_path, "CERTIFICATE")
+
+      subject.import_to_instsys
+    end
+
+    context "when successfully updates system CA certificates" do
+      before do
+        allow(File).to receive(:write)
+        expect(described_class).to receive(:update_instsys_ca).and_return(true)
+      end
+
+      it "returns true" do
+        expect(subject.import_to_instsys).to eq(true)
+      end
+    end
+
+    context "when fails to update system CA certificates" do
+      before do
+        allow(File).to receive(:write)
+        expect(described_class).to receive(:update_instsys_ca).and_return(false)
+      end
+
+      it "returns false" do
+        expect(subject.import_to_instsys).to eq(false)
+      end
+    end
+  end
+
+  describe "#import" do
+    it "installs the certificate in the instsys" do
+      expect(subject).to receive(:import_to_instsys)
+      subject.import
+    end
+  end
+end
diff --git a/service/test/agama/ssl/fingerprint_spec.rb b/service/test/agama/ssl/fingerprint_spec.rb
new file mode 100755
index 0000000000..3fce51238d
--- /dev/null
+++ b/service/test/agama/ssl/fingerprint_spec.rb
@@ -0,0 +1,66 @@
+#! /usr/bin/env rspec
+
+require_relative "../../test_helper"
+
+require "agama/ssl/fingerprint"
+
+describe Agama::SSL::Fingerprint do
+  # checksum examples
+  let(:sha1)   { "A8:DE:08:B1:57:52:FE:70:DF:D5:31:EA:E3:53:BB:39:EE:01:FF:B9" }
+  let(:sha256) do
+    "2A:02:DA:EC:A9:FF:4C:B4:A6:C0:57:08:F6:1C:8B:B0:94:FA:F4:" \
+      "60:96:5E:18:48:CA:84:81:48:60:F3:CB:BF"
+  end
+
+  describe "== operator" do
+    it "returns true when comparing self" do
+      fp1 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1)
+      fp2 = fp1
+      expect(fp1).to eq(fp2)
+    end
+
+    it "returns true when comparing to the identical fingerprint" do
+      fp1 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1)
+      fp2 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1)
+      expect(fp1 == fp2).to eq(true)
+    end
+
+    it "returns false when sum type does not match" do
+      fp1 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1)
+      fp2 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA256, sha1)
+      expect(fp1 == fp2).to eq(false)
+    end
+
+    it "returns false when fingerprint value does not match" do
+      fp1 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1)
+      fp2 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha256)
+      expect(fp1 == fp2).to eq(false)
+    end
+
+    it "compares the fingerprints case insensitively" do
+      fp1 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1.downcase)
+      fp2 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1.upcase)
+      expect(fp1.value).to_not eq(fp2.value)
+      expect(fp1 == fp2).to eq(true)
+    end
+
+    it "compares the sum types case insensitively" do
+      fp1 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1.downcase, sha1)
+      fp2 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1.upcase, sha1)
+      expect(fp1.sum).to_not eq(fp2.sum)
+      expect(fp1 == fp2).to eq(true)
+    end
+
+    it "ignores optional colon separator in fingerprints" do
+      fp1 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1.tr(":", ""))
+      fp2 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1)
+      expect(fp1.value).to_not eq(fp2.value)
+      expect(fp1 == fp2).to eq(true)
+    end
+
+    it "returns false when compared to nil" do
+      fp1 = Agama::SSL::Fingerprint.new(Agama::SSL::Fingerprint::SHA1, sha1)
+      expect(fp1).to_not eq(nil)
+    end
+  end
+end
diff --git a/service/test/fixtures/anchors/openssl/8820a2e8.0 b/service/test/fixtures/anchors/openssl/8820a2e8.0
new file mode 120000
index 0000000000..46267d6c34
--- /dev/null
+++ b/service/test/fixtures/anchors/openssl/8820a2e8.0
@@ -0,0 +1 @@
+/checkout/service/test/fixtures/anchors/openssl/YaST_Team.pem
\ No newline at end of file
diff --git a/service/test/fixtures/anchors/openssl/8f13f82e.0 b/service/test/fixtures/anchors/openssl/8f13f82e.0
new file mode 120000
index 0000000000..46267d6c34
--- /dev/null
+++ b/service/test/fixtures/anchors/openssl/8f13f82e.0
@@ -0,0 +1 @@
+/checkout/service/test/fixtures/anchors/openssl/YaST_Team.pem
\ No newline at end of file
diff --git a/service/test/fixtures/anchors/openssl/YaST_Team.pem b/service/test/fixtures/anchors/openssl/YaST_Team.pem
new file mode 100644
index 0000000000..82de302854
--- /dev/null
+++ b/service/test/fixtures/anchors/openssl/YaST_Team.pem
@@ -0,0 +1,23 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIDvzCCAqegAwIBAgIJAJNA85YnEsdeMA0GCSqGSIb3DQEBBQUAMHYxCzAJBgNV
+BAYTAkVTMRMwEQYDVQQIDApMYXMgUGFsbWFzMSMwIQYDVQQHDBpMYXMgUGFsbWFz
+IGRlIEdyYW4gQ2FuYXJpYTEZMBcGA1UECgwQU1VTRSBMSU5VWCwgR21iSDESMBAG
+A1UECwwJWWFTVCBUZWFtMB4XDTE2MDcyOTA3NDIyNloXDTE2MDgyODA3NDIyNlow
+djELMAkGA1UEBhMCRVMxEzARBgNVBAgMCkxhcyBQYWxtYXMxIzAhBgNVBAcMGkxh
+cyBQYWxtYXMgZGUgR3JhbiBDYW5hcmlhMRkwFwYDVQQKDBBTVVNFIExJTlVYLCBH
+bWJIMRIwEAYDVQQLDAlZYVNUIFRlYW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC/1CmF0hSYw6lQhmR26fT4iW5mOueoRHkuCOqp5zFCB3b0/8kgNUQm
+/BXBrrBgYML9CvRXXNFsUj7BQuEE78eJBvcLnQdpoJZOjcZa5QC/cmzRbouDvfaV
+dIJGBhvG1QlExnmXf2eHArtwq3xIkjAUUuhiL2uhOsH5TV0USHrJK5mhcdHB1ZsF
+USW9joptWUC1LtcSt95X2B1PUn3UnSKVeU4V16w3Z/TRGjUxBl6iXnDVMNVXCMFN
+MTRMDnY1BYv++XXy9jhxXgX5wqQ99sRx3b6LSXeNAF1ek/6nuHyfj5qXhPigE7TX
+2nnVGQP9ZoDzfdQSU57TwamG/LdU5L6vAgMBAAGjUDBOMB0GA1UdDgQWBBRrNGbo
+10cn76hsFWokfWxEFvXWLTAfBgNVHSMEGDAWgBRrNGbo10cn76hsFWokfWxEFvXW
+LTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAGIGnaWbrIWdNvxZWI
+Gc/knvytBB7zwhk7zyijQMKiZY4LRqv/B4B1BSWmoYs/VBWYULLzMRcX1QttOVpr
+6zP/SdxSFmRTa8ZhrHWOfxHVS1Jp9IWe9s5xmt5tr34L+i2mGd6wTwUmaWZFqICO
+N6mhaOvpeMZEowdQWsoqklbXJrQ1COHm0ogpcODWDKwr2plJa29FMwecZEmfaZeX
+X6yUCim0ASV9Eh7rQi6iNLFyGnqAXtRnm83Sf/xKinIjHUFXvjjRvZS1wOSElSYS
+WjG2xs4u+6+lrCJ1H5ZgII8EFfxPf53e1f8zl058RVvAMA+SGYjN0fhl3KBcIJqu
+62cNMAsMCVlhU1QgVGVhbQ==
+-----END TRUSTED CERTIFICATE-----
diff --git a/service/test/fixtures/anchors/pem/8820a2e8.0 b/service/test/fixtures/anchors/pem/8820a2e8.0
new file mode 120000
index 0000000000..09151dc5e0
--- /dev/null
+++ b/service/test/fixtures/anchors/pem/8820a2e8.0
@@ -0,0 +1 @@
+/checkout/service/test/fixtures/anchors/pem/YaST_Team.pem
\ No newline at end of file
diff --git a/service/test/fixtures/anchors/pem/8f13f82e.0 b/service/test/fixtures/anchors/pem/8f13f82e.0
new file mode 120000
index 0000000000..09151dc5e0
--- /dev/null
+++ b/service/test/fixtures/anchors/pem/8f13f82e.0
@@ -0,0 +1 @@
+/checkout/service/test/fixtures/anchors/pem/YaST_Team.pem
\ No newline at end of file
diff --git a/service/test/fixtures/anchors/pem/YaST_Team.pem b/service/test/fixtures/anchors/pem/YaST_Team.pem
new file mode 100644
index 0000000000..c8cc9e1da0
--- /dev/null
+++ b/service/test/fixtures/anchors/pem/YaST_Team.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDvzCCAqegAwIBAgIJAJNA85YnEsdeMA0GCSqGSIb3DQEBBQUAMHYxCzAJBgNV
+BAYTAkVTMRMwEQYDVQQIDApMYXMgUGFsbWFzMSMwIQYDVQQHDBpMYXMgUGFsbWFz
+IGRlIEdyYW4gQ2FuYXJpYTEZMBcGA1UECgwQU1VTRSBMSU5VWCwgR21iSDESMBAG
+A1UECwwJWWFTVCBUZWFtMB4XDTE2MDcyOTA3NDIyNloXDTE2MDgyODA3NDIyNlow
+djELMAkGA1UEBhMCRVMxEzARBgNVBAgMCkxhcyBQYWxtYXMxIzAhBgNVBAcMGkxh
+cyBQYWxtYXMgZGUgR3JhbiBDYW5hcmlhMRkwFwYDVQQKDBBTVVNFIExJTlVYLCBH
+bWJIMRIwEAYDVQQLDAlZYVNUIFRlYW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC/1CmF0hSYw6lQhmR26fT4iW5mOueoRHkuCOqp5zFCB3b0/8kgNUQm
+/BXBrrBgYML9CvRXXNFsUj7BQuEE78eJBvcLnQdpoJZOjcZa5QC/cmzRbouDvfaV
+dIJGBhvG1QlExnmXf2eHArtwq3xIkjAUUuhiL2uhOsH5TV0USHrJK5mhcdHB1ZsF
+USW9joptWUC1LtcSt95X2B1PUn3UnSKVeU4V16w3Z/TRGjUxBl6iXnDVMNVXCMFN
+MTRMDnY1BYv++XXy9jhxXgX5wqQ99sRx3b6LSXeNAF1ek/6nuHyfj5qXhPigE7TX
+2nnVGQP9ZoDzfdQSU57TwamG/LdU5L6vAgMBAAGjUDBOMB0GA1UdDgQWBBRrNGbo
+10cn76hsFWokfWxEFvXWLTAfBgNVHSMEGDAWgBRrNGbo10cn76hsFWokfWxEFvXW
+LTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAGIGnaWbrIWdNvxZWI
+Gc/knvytBB7zwhk7zyijQMKiZY4LRqv/B4B1BSWmoYs/VBWYULLzMRcX1QttOVpr
+6zP/SdxSFmRTa8ZhrHWOfxHVS1Jp9IWe9s5xmt5tr34L+i2mGd6wTwUmaWZFqICO
+N6mhaOvpeMZEowdQWsoqklbXJrQ1COHm0ogpcODWDKwr2plJa29FMwecZEmfaZeX
+X6yUCim0ASV9Eh7rQi6iNLFyGnqAXtRnm83Sf/xKinIjHUFXvjjRvZS1wOSElSYS
+WjG2xs4u+6+lrCJ1H5ZgII8EFfxPf53e1f8zl058RVvAMA+SGYjN0fhl3KBcIJqu
+62cN
+-----END CERTIFICATE-----
diff --git a/service/test/fixtures/test.pem b/service/test/fixtures/test.pem
new file mode 100644
index 0000000000..f1bd4e82c0
--- /dev/null
+++ b/service/test/fixtures/test.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLjCCAhYCCQC4q/Fz5B8QTTANBgkqhkiG9w0BAQUFADBZMRMwEQYDVQQDEwps
+aW51eC0xaHluMR4wHAYJKoZIhvcNAQkBFg9yb290QGxpbnV4LTFoeW4xEDAOBgNV
+BAoTB1dlYllhU1QxEDAOBgNVBAsTB1dlYllhU1QwHhcNMTQwNDI0MDgxNjMxWhcN
+MTcwNDIzMDgxNjMxWjBZMRMwEQYDVQQDEwpsaW51eC0xaHluMR4wHAYJKoZIhvcN
+AQkBFg9yb290QGxpbnV4LTFoeW4xEDAOBgNVBAoTB1dlYllhU1QxEDAOBgNVBAsT
+B1dlYllhU1QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsSh+SznSW
+2fqdJyn8iE/IaLFKnMUxViOxsVYhCAywVNqANUQagLVCBhhPXtyFenXAvnllmewl
+XQiD6O+xntWfqy14fZHZ7dg3kNQYjTKuCPdVWCkXrrMvne5of3xh/AJwU9fU9iCg
+PubY3fNlqPq+bMCf5LssgdqniQnUPkvX+WdojXAszYZACYPxt2fP3+btjtD1ueRr
+JW/pML864sQk11Mm2JT8ShWGSfn6o9qTzgROItv+Y5p2TWEoW6pp70cYpMOfHgrJ
+7a1ZexLKHhYqQdMFDzsJwafGGM4sbLXw26Elw+1x1nkzSjuToAGzGzjd3jPYmXhu
+dQlqE1VKaL9RAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBACqRrWDJbnqq805gkF/E
+mpuZBvTvO6db/Nng5v8Ob1+j26U4hi8/vmn7hufG4Uv7CIsLkEdkqrC/r6Gjw43j
+iIfWF0mjN3OK0C919uA8N+cszvwc1XZVfIRkY7KAk5UQcYMMlrxii5WFJfLxFbZk
+NgeIEOKDdrQBaKuMCS9KKU5zuujzJ6wDEO2xlbt24Fes4M+ZDsFw7D0IK63R1Ol6
+wddW/Y0WoWWPO0KE5PGNC7Avg66y5QJDTpwtjqQTcl22xBAGWImw4iFG0kwDDLvu
+oaa/jexkWza+2CKAoN/vDMXmdRuxRY+61RcC0Xp1hDorZ5Cc4Qv0inFdC5pKto/p
+RNU=
+-----END CERTIFICATE-----

From 72873ffde8944a49e97158498a05c85fe0cb6f77 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 16 Apr 2025 09:50:32 +0200
Subject: [PATCH 02/23] experiment with paragraphs

---
 service/lib/agama/registration.rb       | 12 +++++++++---
 service/test/agama/registration_test.rb |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/service/lib/agama/registration.rb b/service/lib/agama/registration.rb
index 61404d004e..ad7e843505 100644
--- a/service/lib/agama/registration.rb
+++ b/service/lib/agama/registration.rb
@@ -323,7 +323,7 @@ def catch_registration_errors(&block)
           SSL::Errors.instance.ssl_failed_cert.import
           retry
         end
-        false
+        raise e
       end
     end
 
@@ -335,12 +335,18 @@ def handle_ssl_error(_error, certificate_imported)
 
       puts "cert #{cert} code #{error_code}"
       if cert && SSL::ErrorCodes::IMPORT_ERROR_CODES.include?(error_code)
-        message = format(
-          _("Secure Connection Error for %{url}: %{error}. Certificate details %{details}."),
+        error_msg = format(
+          _("Secure Connection Error for %{url}: %{error}."),
           url:     registration_url || "https://scc.suse.com",
           error:   SSL::ErrorCodes::OPENSSL_ERROR_MESSAGES[error_code],
+        )
+        cert_details = format(
+          _("Certificate details %{details}."),
           details: SSL::CertificateDetails.new(cert).summary
         )
+
+        message = "<p>#{error_msg}</p><p>#{cert_details}</p>"
+
         question = Agama::Question.new(
           qclass:         "registration.certificate",
           text:           message,
diff --git a/service/test/agama/registration_test.rb b/service/test/agama/registration_test.rb
index 52edf6c21d..4ef8854c8d 100644
--- a/service/test/agama/registration_test.rb
+++ b/service/test/agama/registration_test.rb
@@ -239,7 +239,7 @@
           before do
             Agama::SSL::Errors.instance.ssl_error_code = Agama::SSL::ErrorCodes::SELF_SIGNED_CERT
             Agama::SSL::Errors.instance.ssl_error_msg = "test error"
-            Agama::SSL::Errors.instance.ssl_failed_cert = Agama::SSL::Certificate.new("test")
+            Agama::SSL::Errors.instance.ssl_failed_cert = Agama::SSL::Certificate.load(File.read(File.join(FIXTURES_PATH, "test.pem")))
             # mock reset to avoid previous setup
             allow(Agama::SSL::Errors.instance).to receive(:reset)
 

From abf9ff09faf8e700ee18d9a8b481d5c92e61d7eb Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 16 Apr 2025 13:25:36 +0200
Subject: [PATCH 03/23] add fingerprint storage and use it in registration

---
 service/lib/agama/registration.rb       | 10 +++++++-
 service/lib/agama/ssl/certificate.rb    |  4 +++
 service/lib/agama/ssl/storage.rb        | 16 ++++++++++++
 service/test/agama/registration_test.rb | 33 ++++++++++++++++++++++---
 4 files changed, 58 insertions(+), 5 deletions(-)
 create mode 100644 service/lib/agama/ssl/storage.rb

diff --git a/service/lib/agama/registration.rb b/service/lib/agama/registration.rb
index ad7e843505..85091f822a 100644
--- a/service/lib/agama/registration.rb
+++ b/service/lib/agama/registration.rb
@@ -32,6 +32,7 @@
 require "agama/ssl/certificate"
 require "agama/ssl/certificate_details"
 require "agama/ssl/errors"
+require "agama/ssl/storage"
 
 Yast.import "Arch"
 Yast.import "Pkg"
@@ -318,6 +319,7 @@ def catch_registration_errors(&block)
       rescue OpenSSL::SSL::SSLError => e
         @logger.error "OpenSSL error: #{e}"
         should_retry = handle_ssl_error(e, certificate_imported)
+        puts "handle ssl error #{should_retry}"
         if should_retry
           certificate_imported = true
           SSL::Errors.instance.ssl_failed_cert.import
@@ -333,7 +335,13 @@ def handle_ssl_error(_error, certificate_imported)
       cert = SSL::Errors.instance.ssl_failed_cert
       error_code = SSL::Errors.instance.ssl_error_code
 
-      puts "cert #{cert} code #{error_code}"
+      if cert
+        SSL::Storage.instance.fingerprints.each do |fp|
+          # import certificate if it match predefined fingerprint
+          return true if cert.match_fingerprint?(fp)
+        end
+      end
+
       if cert && SSL::ErrorCodes::IMPORT_ERROR_CODES.include?(error_code)
         error_msg = format(
           _("Secure Connection Error for %{url}: %{error}."),
diff --git a/service/lib/agama/ssl/certificate.rb b/service/lib/agama/ssl/certificate.rb
index 80a2907a40..54ce6883d5 100644
--- a/service/lib/agama/ssl/certificate.rb
+++ b/service/lib/agama/ssl/certificate.rb
@@ -160,6 +160,10 @@ def issuer_organization_unit
         find_issuer_attribute("OU")
       end
 
+      def match_fingerprint?(fp)
+        fp == fingerprint(fp.sum)
+      end
+
       def fingerprint(sum)
         case sum.upcase
         when Fingerprint::SHA1
diff --git a/service/lib/agama/ssl/storage.rb b/service/lib/agama/ssl/storage.rb
new file mode 100644
index 0000000000..5cc9082371
--- /dev/null
+++ b/service/lib/agama/ssl/storage.rb
@@ -0,0 +1,16 @@
+require "singleton"
+
+module Agama
+  module SSL
+    class Storage
+      include Singleton
+
+      # @return [Array<Agama::SSL::fingerprint>]
+      attr_reader :fingerprints
+
+      def initialize
+        @fingerprints = []
+      end
+    end
+  end
+end
diff --git a/service/test/agama/registration_test.rb b/service/test/agama/registration_test.rb
index 4ef8854c8d..52a8a5f6ab 100644
--- a/service/test/agama/registration_test.rb
+++ b/service/test/agama/registration_test.rb
@@ -236,14 +236,37 @@
         end
 
         context "if the registration server has self-signed certificate" do
+          let (:certificate) { Agama::SSL::Certificate.load(File.read(File.join(FIXTURES_PATH, "test.pem"))) }
           before do
             Agama::SSL::Errors.instance.ssl_error_code = Agama::SSL::ErrorCodes::SELF_SIGNED_CERT
             Agama::SSL::Errors.instance.ssl_error_msg = "test error"
-            Agama::SSL::Errors.instance.ssl_failed_cert = Agama::SSL::Certificate.load(File.read(File.join(FIXTURES_PATH, "test.pem")))
-            # mock reset to avoid previous setup
+            Agama::SSL::Errors.instance.ssl_failed_cert = certificate
+            # mock reset to avoid deleting of previous setup
             allow(Agama::SSL::Errors.instance).to receive(:reset)
 
-            allow(SUSE::Connect::YaST).to receive(:activate_product).and_raise(OpenSSL::SSL::SSLError.new("test"))
+            @called = 0
+            allow(SUSE::Connect::YaST).to receive(:activate_product) do
+              @called += 1
+              raise(OpenSSL::SSL::SSLError.new("test")) if @called == 1
+
+              service
+            end
+          end
+
+          context "and certificate fingerprint is in storage" do
+            before do
+              Agama::SSL::Storage.instance.fingerprints.replace([certificate.send(:sha256_fingerprint)])
+            end
+
+            it "tries to import certificate" do
+              expect(certificate).to receive(:import)
+
+              subject.register("11112222", email: "test@test.com")
+            end
+
+            after do
+              Agama::SSL::Storage.instance.fingerprints.clear
+            end
           end
 
           it "opens question" do
@@ -254,7 +277,9 @@
             expect(Agama::DBus::Clients::Questions).to receive(:new)
               .and_return(q_client)
 
-            subject.register("11112222", email: "test@test.com")
+            expect { subject.register("11112222", email: "test@test.com") }.to(
+              raise_error(OpenSSL::SSL::SSLError)
+            )
           end
         end
       end

From 65ceb8d1599a4e07a092edb2c841623974a2570c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Iv=C3=A1n=20L=C3=B3pez=20Gonz=C3=A1lez?=
 <jlopez@suse.com>
Date: Wed, 16 Apr 2025 14:41:45 +0100
Subject: [PATCH 04/23] service: add data to certificate question

---
 service/lib/agama/registration.rb | 57 ++++++++++++++-----------------
 1 file changed, 25 insertions(+), 32 deletions(-)

diff --git a/service/lib/agama/registration.rb b/service/lib/agama/registration.rb
index 85091f822a..e28f64455e 100644
--- a/service/lib/agama/registration.rb
+++ b/service/lib/agama/registration.rb
@@ -333,42 +333,35 @@ def handle_ssl_error(_error, certificate_imported)
       return false if certificate_imported
 
       cert = SSL::Errors.instance.ssl_failed_cert
-      error_code = SSL::Errors.instance.ssl_error_code
-
-      if cert
-        SSL::Storage.instance.fingerprints.each do |fp|
-          # import certificate if it match predefined fingerprint
-          return true if cert.match_fingerprint?(fp)
-        end
-      end
-
-      if cert && SSL::ErrorCodes::IMPORT_ERROR_CODES.include?(error_code)
-        error_msg = format(
-          _("Secure Connection Error for %{url}: %{error}."),
-          url:     registration_url || "https://scc.suse.com",
-          error:   SSL::ErrorCodes::OPENSSL_ERROR_MESSAGES[error_code],
-        )
-        cert_details = format(
-          _("Certificate details %{details}."),
-          details: SSL::CertificateDetails.new(cert).summary
-        )
+      return false unless cert
 
-        message = "<p>#{error_msg}</p><p>#{cert_details}</p>"
+      # Import certificate if it matches predefined fingerprint.
+      return true if SSL::Storage.instance.fingerprints.any? { |f| cert.match_fingerprint?(f) }
 
-        question = Agama::Question.new(
-          qclass:         "registration.certificate",
-          text:           message,
-          options:        [:Import, :Abort],
-          default_option: :Abort
-        )
+      error_code = SSL::Errors.instance.ssl_error_code
+      return false unless SSL::ErrorCodes::IMPORT_ERROR_CODES.include?(error_code)
+
+      details = SSL::CertificateDetails.new(cert)
+
+      question = Agama::Question.new(
+        qclass:         "registration.certificate",
+        text:           _("Secure connection error. Import certificate?"),
+        options:        [:Import, :Abort],
+        default_option: :Abort,
+        data: {
+          url: registration_url || "https://scc.suse.com",
+          error: SSL::ErrorCodes::OPENSSL_ERROR_MESSAGES[error_code],
+          subject: details.subject,
+          issuer: details.issuer,
+          summary: details.summary,
+          fingerprints: SSL::Storage.instance.fingerprints
+        }
+      )
 
-        questions_client = Agama::DBus::Clients::Questions.new(logger: @logger)
-        questions_client.ask(question) do |question_client|
-          return question_client.answer == :Import
-        end
+      questions_client = Agama::DBus::Clients::Questions.new(logger: @logger)
+      questions_client.ask(question) do |question_client|
+        return question_client.answer == :Import
       end
-
-      false
     end
 
     # Returns the URL of the registration server

From 5946bbb04818a6a203df1b7e49a49b961faa4383 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 16 Apr 2025 21:35:56 +0200
Subject: [PATCH 05/23] allow registration url be redefined and also add ssl
 fingerprints

---
 service/lib/agama/dbus/software/manager.rb | 20 ++++++++++++++++++++
 service/lib/agama/dbus/software/product.rb | 11 +++++++++++
 service/lib/agama/registration.rb          |  8 +++++++-
 3 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/service/lib/agama/dbus/software/manager.rb b/service/lib/agama/dbus/software/manager.rb
index 9ef26becf7..9f638940e4 100644
--- a/service/lib/agama/dbus/software/manager.rb
+++ b/service/lib/agama/dbus/software/manager.rb
@@ -162,8 +162,28 @@ def locale=(locale)
           end
         end
 
+        def ssl_fingerprints
+          ssl_storage.fingerprints.map { |f| [f.sum, f.value] }
+        end
+
+        def ssl_fingerprints=(new_fps)
+          fps = new_fps.map { |f| SSL::Fingerprint.new(f[0], f[1]) }
+          ssl_storage.fingerprints.replace(fps)
+        end
+
+        SECURITY_INTERFACE = "org.opensuse.Agama.Security"
+        private_constant :SECURITY_INTERFACE
+
+        dbus_interface SOFTWARE_INTERFACE do
+          # List of SSL fingerprints serialized into type and its value
+          dbus_accessor :ssl_fingerprints, "a(ss)"
+        end
+
       private
 
+        def ssl_storage
+          SSL::Storage.instance
+        end
         # @return [Agama::Software]
         attr_reader :backend
 
diff --git a/service/lib/agama/dbus/software/product.rb b/service/lib/agama/dbus/software/product.rb
index b44eb5cb7e..4c5c27f6fd 100644
--- a/service/lib/agama/dbus/software/product.rb
+++ b/service/lib/agama/dbus/software/product.rb
@@ -136,6 +136,15 @@ def email
           backend.registration.email || ""
         end
 
+        def url
+          backend.registration.registration_url || ""
+        end
+
+        def url=(url)
+          # dbus has problem with nils, so empty string is only for dbus nil
+          backend.registration.registration_url = url.empty? ? nil : url
+        end
+
         # list of already registered addons
         #
         # @return [Array<Array<String>>] each list contains three items: addon id, version and
@@ -294,6 +303,8 @@ def deregister
 
           dbus_reader(:email, "s")
 
+          dbus_accessor(:url, "s")
+
           dbus_reader(:registered_addons, "a(sss)")
 
           dbus_reader(:available_addons, "aa{sv}")
diff --git a/service/lib/agama/registration.rb b/service/lib/agama/registration.rb
index e28f64455e..c507ea1965 100644
--- a/service/lib/agama/registration.rb
+++ b/service/lib/agama/registration.rb
@@ -67,6 +67,11 @@ class Registration
     # @return [Array<RegisteredAddon>]
     attr_reader :registered_addons
 
+    # Overwriten default registration URL
+    #
+    # @return [String, nil]
+    attr_accessor :registration_url
+
     # @param software_manager [Agama::Software::Manager]
     # @param logger [Logger]
     def initialize(software_manager, logger)
@@ -75,6 +80,7 @@ def initialize(software_manager, logger)
       @services = []
       @credentials_files = []
       @registered_addons = []
+      @registration_url = registration_url_from_cmdline
     end
 
     # Registers the selected product.
@@ -369,7 +375,7 @@ def handle_ssl_error(_error, certificate_imported)
     # At this point, it just checks the kernel's command-line.
     #
     # @return [String, nil]
-    def registration_url
+    def registration_url_from_cmdline
       cmdline_args = CmdlineArgs.read
       cmdline_args.data["register_url"]
     end

From 930f816d700fb1428d5c72e8bc4fd9239c2cfb36 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Thu, 17 Apr 2025 10:24:37 +0200
Subject: [PATCH 06/23] update dbus doc and fix typo

---
 doc/dbus/bus/org.opensuse.Agama.Software1.Product.bus.xml | 1 +
 doc/dbus/bus/org.opensuse.Agama.Software1.bus.xml         | 3 +++
 doc/dbus/org.opensuse.Agama.Software1.doc.xml             | 3 +++
 doc/dbus/org.opensuse.Agama1.Registration.doc.xml         | 4 ++++
 service/lib/agama/dbus/software/manager.rb                | 2 +-
 5 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/doc/dbus/bus/org.opensuse.Agama.Software1.Product.bus.xml b/doc/dbus/bus/org.opensuse.Agama.Software1.Product.bus.xml
index 7bd3ab733f..360c277ef0 100644
--- a/doc/dbus/bus/org.opensuse.Agama.Software1.Product.bus.xml
+++ b/doc/dbus/bus/org.opensuse.Agama.Software1.Product.bus.xml
@@ -48,6 +48,7 @@
     </method>
     <property type="s" name="RegCode" access="read"/>
     <property type="s" name="Email" access="read"/>
+    <property type="s" name="Url" access="readwrite"/>
     <property type="u" name="Requirement" access="read"/>
   </interface>
 </node>
diff --git a/doc/dbus/bus/org.opensuse.Agama.Software1.bus.xml b/doc/dbus/bus/org.opensuse.Agama.Software1.bus.xml
index b2c21475f8..965d06450c 100644
--- a/doc/dbus/bus/org.opensuse.Agama.Software1.bus.xml
+++ b/doc/dbus/bus/org.opensuse.Agama.Software1.bus.xml
@@ -82,4 +82,7 @@
     <property type="aa{sv}" name="All" access="read"/>
     <property type="u" name="Current" access="read"/>
   </interface>
+  <interface name="org.opensuse.Agama.Security">
+    <property type="a(ss)" name="SslFingerprints" access="readwrite"/>
+  </interface>
 </node>
diff --git a/doc/dbus/org.opensuse.Agama.Software1.doc.xml b/doc/dbus/org.opensuse.Agama.Software1.doc.xml
index 0080f876ff..aab14669af 100644
--- a/doc/dbus/org.opensuse.Agama.Software1.doc.xml
+++ b/doc/dbus/org.opensuse.Agama.Software1.doc.xml
@@ -98,4 +98,7 @@
     </method>
     <property type="a{sy}" name="SelectedPatterns" access="read"/>
   </interface>
+  <interface name="org.opensuse.Agama.Security">
+    <property type="a(ss)" name="SslFingerprints" access="readwrite"/>
+  </interface>
 </node>
diff --git a/doc/dbus/org.opensuse.Agama1.Registration.doc.xml b/doc/dbus/org.opensuse.Agama1.Registration.doc.xml
index fa510b0eaa..750c11ee7d 100644
--- a/doc/dbus/org.opensuse.Agama1.Registration.doc.xml
+++ b/doc/dbus/org.opensuse.Agama1.Registration.doc.xml
@@ -63,6 +63,10 @@
       Email used for the registration. Empty if the current product is not registered yet.
       -->
     <property type="s" name="Email" access="read"/>
+    <!--
+      URL used to register against. Empty means use default
+      -->
+    <property type="s" name="Url" access="readwrite"/>
     <!--
       Indicates the registration requirement of the currently selected product.
 
diff --git a/service/lib/agama/dbus/software/manager.rb b/service/lib/agama/dbus/software/manager.rb
index 9f638940e4..6556f8ce8e 100644
--- a/service/lib/agama/dbus/software/manager.rb
+++ b/service/lib/agama/dbus/software/manager.rb
@@ -174,7 +174,7 @@ def ssl_fingerprints=(new_fps)
         SECURITY_INTERFACE = "org.opensuse.Agama.Security"
         private_constant :SECURITY_INTERFACE
 
-        dbus_interface SOFTWARE_INTERFACE do
+        dbus_interface SECURITY_INTERFACE do
           # List of SSL fingerprints serialized into type and its value
           dbus_accessor :ssl_fingerprints, "a(ss)"
         end

From a57e4749f36e5b46d1f338f008cae57f65acbc79 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Thu, 17 Apr 2025 13:45:46 +0200
Subject: [PATCH 07/23] add proxies for security

---
 rust/agama-lib/src/lib.rs              |  1 +
 rust/agama-lib/src/product/proxies.rs  |  6 ++++++
 rust/agama-lib/src/security.rs         |  1 +
 rust/agama-lib/src/security/proxies.rs | 14 ++++++++++++++
 4 files changed, 22 insertions(+)
 create mode 100644 rust/agama-lib/src/security.rs
 create mode 100644 rust/agama-lib/src/security/proxies.rs

diff --git a/rust/agama-lib/src/lib.rs b/rust/agama-lib/src/lib.rs
index f03de2318e..7c2089b91b 100644
--- a/rust/agama-lib/src/lib.rs
+++ b/rust/agama-lib/src/lib.rs
@@ -69,6 +69,7 @@ pub use store::Store;
 pub mod openapi;
 pub mod questions;
 pub mod scripts;
+pub mod security;
 pub mod utils;
 
 use crate::error::ServiceError;
diff --git a/rust/agama-lib/src/product/proxies.rs b/rust/agama-lib/src/product/proxies.rs
index d351684ecc..8c33c75482 100644
--- a/rust/agama-lib/src/product/proxies.rs
+++ b/rust/agama-lib/src/product/proxies.rs
@@ -72,6 +72,12 @@ pub trait Registration {
     #[zbus(property)]
     fn reg_code(&self) -> zbus::Result<String>;
 
+    /// Url property
+    #[zbus(property)]
+    fn url(&self) -> zbus::Result<String>;
+    #[zbus(property)]
+    fn set_url(&self, value: &str) -> zbus::Result<()>;
+
     /// registered addons property, list of tuples (name, version, reg_code))
     #[zbus(property)]
     fn registered_addons(&self) -> zbus::Result<Vec<(String, String, String)>>;
diff --git a/rust/agama-lib/src/security.rs b/rust/agama-lib/src/security.rs
new file mode 100644
index 0000000000..b0db8eafb7
--- /dev/null
+++ b/rust/agama-lib/src/security.rs
@@ -0,0 +1 @@
+pub mod proxies;
diff --git a/rust/agama-lib/src/security/proxies.rs b/rust/agama-lib/src/security/proxies.rs
new file mode 100644
index 0000000000..c7b865de30
--- /dev/null
+++ b/rust/agama-lib/src/security/proxies.rs
@@ -0,0 +1,14 @@
+use zbus::proxy;
+#[proxy(
+    interface = "org.opensuse.Agama.Security",
+    default_service = "org.opensuse.Agama.Software1",
+    default_path = "/org/opensuse/Agama/Software1",
+    assume_defaults = true
+)]
+trait Security {
+    /// SslFingerprints property
+    #[zbus(property)]
+    fn ssl_fingerprints(&self) -> zbus::Result<Vec<(String, String)>>;
+    #[zbus(property)]
+    fn set_ssl_fingerprints(&self, value: &[(&str, &str)]) -> zbus::Result<()>;
+}

From 7b65d88595c0390fc434e08de0c7132d3e01df1a Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Thu, 17 Apr 2025 23:34:40 +0200
Subject: [PATCH 08/23] Add registration url to rust part

---
 rust/agama-lib/src/product/client.rs          | 10 +++++++++
 rust/agama-lib/src/product/http_client.rs     |  6 +++++
 rust/agama-lib/src/product/settings.rs        |  2 ++
 rust/agama-lib/src/product/store.rs           |  6 +++++
 .../src/software/model/registration.rs        |  2 ++
 rust/agama-server/src/software/web.rs         | 22 +++++++++++++++++++
 6 files changed, 48 insertions(+)

diff --git a/rust/agama-lib/src/product/client.rs b/rust/agama-lib/src/product/client.rs
index 74844f67fb..5cb00fc1f3 100644
--- a/rust/agama-lib/src/product/client.rs
+++ b/rust/agama-lib/src/product/client.rs
@@ -126,6 +126,16 @@ impl<'a> ProductClient<'a> {
         Ok(self.registration_proxy.email().await?)
     }
 
+    /// url of registration server
+    pub async fn registration_url(&self) -> Result<String, ServiceError> {
+        Ok(self.registration_proxy.url().await?)
+    }
+
+    /// set registration url
+    pub async fn set_registration_url(&self, url: &str) -> Result<(), ServiceError> {
+        Ok(self.registration_proxy.set_url(url).await?)
+    }
+
     /// list of already registered addons
     pub async fn registered_addons(&self) -> Result<Vec<AddonParams>, ServiceError> {
         let addons: Vec<AddonParams> = self
diff --git a/rust/agama-lib/src/product/http_client.rs b/rust/agama-lib/src/product/http_client.rs
index 783e48c4f8..5d6b3935cb 100644
--- a/rust/agama-lib/src/product/http_client.rs
+++ b/rust/agama-lib/src/product/http_client.rs
@@ -68,6 +68,12 @@ impl ProductHTTPClient {
         self.client.get("/software/registration").await
     }
 
+    pub async fn set_registration_url(&self, url: &String) -> Result<(), ServiceError> {
+        self.client
+            .put_void("/software/registration/url", url)
+            .await
+    }
+
     // get list of registered addons
     pub async fn get_registered_addons(&self) -> Result<Vec<AddonSettings>, ServiceError> {
         self.client
diff --git a/rust/agama-lib/src/product/settings.rs b/rust/agama-lib/src/product/settings.rs
index c0eed23eac..0d47b909d1 100644
--- a/rust/agama-lib/src/product/settings.rs
+++ b/rust/agama-lib/src/product/settings.rs
@@ -47,5 +47,7 @@ pub struct ProductSettings {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub registration_email: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
+    pub registration_url: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub addons: Option<Vec<AddonSettings>>,
 }
diff --git a/rust/agama-lib/src/product/store.rs b/rust/agama-lib/src/product/store.rs
index 8bc2719b36..a257b2d61f 100644
--- a/rust/agama-lib/src/product/store.rs
+++ b/rust/agama-lib/src/product/store.rs
@@ -60,6 +60,7 @@ impl ProductStore {
             id: Some(product),
             registration_code: Self::non_empty_string(registration_info.key),
             registration_email: Self::non_empty_string(registration_info.email),
+            registration_url: Self::non_empty_string(registration_info.url),
             addons,
         })
     }
@@ -74,6 +75,9 @@ impl ProductStore {
                 probe = true;
             }
         }
+        if let Some(url) = &settings.registration_url {
+            self.product_client.set_registration_url(url).await?;
+        }
         if let Some(reg_code) = &settings.registration_code {
             let email = settings.registration_email.as_deref().unwrap_or("");
             self.product_client.register(reg_code, email).await?;
@@ -155,6 +159,7 @@ mod test {
             id: Some("Tumbleweed".to_owned()),
             registration_code: None,
             registration_email: None,
+            registration_url: None,
             addons: None,
         };
         // main assertion
@@ -204,6 +209,7 @@ mod test {
             id: Some("Tumbleweed".to_owned()),
             registration_code: None,
             registration_email: None,
+            registration_url: None,
             addons: None,
         };
 
diff --git a/rust/agama-lib/src/software/model/registration.rs b/rust/agama-lib/src/software/model/registration.rs
index 3673cecbb5..27dfa81de3 100644
--- a/rust/agama-lib/src/software/model/registration.rs
+++ b/rust/agama-lib/src/software/model/registration.rs
@@ -73,6 +73,8 @@ pub struct RegistrationInfo {
     pub key: String,
     /// Registration email. Empty value mean email not used or not registered.
     pub email: String,
+    /// Registration url. Empty value mean that de default value is used.
+    pub url: String,
 }
 
 #[derive(Clone, Serialize, Deserialize, utoipa::ToSchema)]
diff --git a/rust/agama-server/src/software/web.rs b/rust/agama-server/src/software/web.rs
index 5d0e8f37a9..08e2ce54cb 100644
--- a/rust/agama-server/src/software/web.rs
+++ b/rust/agama-server/src/software/web.rs
@@ -213,6 +213,7 @@ pub async fn software_service(dbus: zbus::Connection) -> Result<Router, ServiceE
             "/registration",
             get(get_registration).post(register).delete(deregister),
         )
+        .route("/registration/url", put(set_reg_url))
         .route("/registration/addons/register", post(register_addon))
         .route(
             "/registration/addons/registered",
@@ -285,10 +286,31 @@ async fn get_registration(
     let result = RegistrationInfo {
         key: state.product.registration_code().await?,
         email: state.product.email().await?,
+        url: state.product.registration_url().await?,
     };
     Ok(Json(result))
 }
 
+/// sets registration server url
+///
+/// * `state`: service state.
+#[utoipa::path(
+    put,
+    path = "/registration/url",
+    context_path = "/api/software",
+    responses(
+        (status = 200, description = "registration server set"),
+        (status = 400, description = "The D-Bus service could not perform the action")
+    )
+)]
+async fn set_reg_url(
+    State(state): State<SoftwareState<'_>>,
+    Json(config): Json<String>,
+) -> Result<(), Error> {
+    state.product.set_registration_url(&config).await?;
+    Ok(())
+}
+
 /// Register product
 ///
 /// * `state`: service state.

From 6901bae7f5d9fd6d5dd7b7c6ec228c2e260323bf Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Sat, 19 Apr 2025 21:26:40 +0200
Subject: [PATCH 09/23] implement for security in rust part that communicate
 with dbus

---
 rust/agama-lib/src/error.rs            |  2 +
 rust/agama-lib/src/security.rs         |  4 +-
 rust/agama-lib/src/security/client.rs  | 53 ++++++++++++++++++++++
 rust/agama-lib/src/security/model.rs   | 61 ++++++++++++++++++++++++++
 rust/agama-lib/src/security/proxies.rs |  2 +-
 5 files changed, 120 insertions(+), 2 deletions(-)
 create mode 100644 rust/agama-lib/src/security/client.rs
 create mode 100644 rust/agama-lib/src/security/model.rs

diff --git a/rust/agama-lib/src/error.rs b/rust/agama-lib/src/error.rs
index f02aafb1a0..c99c24170d 100644
--- a/rust/agama-lib/src/error.rs
+++ b/rust/agama-lib/src/error.rs
@@ -73,6 +73,8 @@ pub enum ServiceError {
     // FIXME reroute the error to a better place
     #[error("Profile error: {0}")]
     Profile(#[from] ProfileError),
+    #[error("Unsupported SSL Fingeprint algorithm '#{0}'.")]
+    UnsupportedSSLFingerprintAlgorithm(String),
 }
 
 #[derive(Error, Debug)]
diff --git a/rust/agama-lib/src/security.rs b/rust/agama-lib/src/security.rs
index b0db8eafb7..798a0e3c3d 100644
--- a/rust/agama-lib/src/security.rs
+++ b/rust/agama-lib/src/security.rs
@@ -1 +1,3 @@
-pub mod proxies;
+pub mod client;
+pub mod model;
+pub mod proxies;
\ No newline at end of file
diff --git a/rust/agama-lib/src/security/client.rs b/rust/agama-lib/src/security/client.rs
new file mode 100644
index 0000000000..1706ff0937
--- /dev/null
+++ b/rust/agama-lib/src/security/client.rs
@@ -0,0 +1,53 @@
+// Copyright (c) [2025] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+use zbus::Connection;
+
+use crate::error::ServiceError;
+
+use super::{model::SSLFingerprint, proxies::SecurityProxy};
+
+/// D-Bus client for the security service
+#[derive(Clone)]
+pub struct SecurityClient<'a> {
+    security_proxy: SecurityProxy<'a>,
+}
+
+impl<'a> SecurityClient<'a> {
+    pub async fn new(connection: Connection) -> Result<Self, ServiceError> {
+        Ok(Self {
+            security_proxy: SecurityProxy::new(&connection).await?,
+        })
+    }
+
+    pub async fn get_ssl_fingerprints(&self) -> Result<Vec<SSLFingerprint>, ServiceError> {
+        let dbus_list = self.security_proxy.ssl_fingerprints().await?;
+        dbus_list.into_iter().map( |(alg, value)| Ok(SSLFingerprint {
+            value,
+            algorithm: alg.try_into()?,
+        })).collect()
+    }
+
+    pub async fn set_ssl_fingerprints(&self, list: &Vec<SSLFingerprint>) -> Result<(), ServiceError> {
+        let dbus_list: Vec<(&str, &str)> = list.into_iter().map(|s| (s.algorithm.to_str(), s.value.as_str())).collect();
+        self.security_proxy.set_ssl_fingerprints(&dbus_list).await?;
+        Ok(())
+    }
+}
diff --git a/rust/agama-lib/src/security/model.rs b/rust/agama-lib/src/security/model.rs
new file mode 100644
index 0000000000..86a42e0270
--- /dev/null
+++ b/rust/agama-lib/src/security/model.rs
@@ -0,0 +1,61 @@
+// Copyright (c) [2025] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+use serde::{Serialize,Deserialize};
+
+#[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema)]
+pub enum SSLFingerprintAlgorithm {
+    SHA1,
+    SHA256,
+}
+
+impl TryFrom<String> for SSLFingerprintAlgorithm {
+    type Error = crate::ServiceError;
+
+    fn try_from(value: String) -> Result<Self, Self::Error> {
+        match value.to_uppercase().as_str() {
+            "SHA1" => Ok(Self::SHA1),
+            "SHA256" => Ok(Self::SHA256),
+            _ => Err(crate::error::ServiceError::UnsupportedSSLFingerprintAlgorithm(value))
+        }
+    }
+}
+
+impl SSLFingerprintAlgorithm {
+    pub fn to_str(&self) -> &'static str {
+        match self {
+            SSLFingerprintAlgorithm::SHA1 => "SHA1",
+            SSLFingerprintAlgorithm::SHA256 => "SHA256",
+        }
+    }
+}
+
+impl Default for SSLFingerprintAlgorithm {
+    fn default() -> Self {
+        Self::SHA256
+    }
+}
+
+#[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema)]
+pub struct SSLFingerprint {
+    pub value: String,
+    #[serde(default)]
+    pub algorithm: SSLFingerprintAlgorithm,
+}
diff --git a/rust/agama-lib/src/security/proxies.rs b/rust/agama-lib/src/security/proxies.rs
index c7b865de30..acf35c5513 100644
--- a/rust/agama-lib/src/security/proxies.rs
+++ b/rust/agama-lib/src/security/proxies.rs
@@ -5,7 +5,7 @@ use zbus::proxy;
     default_path = "/org/opensuse/Agama/Software1",
     assume_defaults = true
 )]
-trait Security {
+pub trait Security {
     /// SslFingerprints property
     #[zbus(property)]
     fn ssl_fingerprints(&self) -> zbus::Result<Vec<(String, String)>>;

From 48e599197aebe153da43e951143a850707274417 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Iv=C3=A1n=20L=C3=B3pez=20Gonz=C3=A1lez?=
 <jlopez@suse.com>
Date: Tue, 22 Apr 2025 14:25:50 +0100
Subject: [PATCH 10/23] service: fix registration certificate question

---
 service/lib/agama/registration.rb | 49 ++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 20 deletions(-)

diff --git a/service/lib/agama/registration.rb b/service/lib/agama/registration.rb
index c507ea1965..c83567177a 100644
--- a/service/lib/agama/registration.rb
+++ b/service/lib/agama/registration.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-# Copyright (c) [2023] SUSE LLC
+# Copyright (c) [2023-2025] SUSE LLC
 #
 # All Rights Reserved.
 #
@@ -30,8 +30,8 @@
 require "agama/errors"
 require "agama/registered_addon"
 require "agama/ssl/certificate"
-require "agama/ssl/certificate_details"
 require "agama/ssl/errors"
+require "agama/ssl/fingerprint"
 require "agama/ssl/storage"
 
 Yast.import "Arch"
@@ -335,6 +335,7 @@ def catch_registration_errors(&block)
       end
     end
 
+    # @return [Boolean]
     def handle_ssl_error(_error, certificate_imported)
       return false if certificate_imported
 
@@ -347,27 +348,35 @@ def handle_ssl_error(_error, certificate_imported)
       error_code = SSL::Errors.instance.ssl_error_code
       return false unless SSL::ErrorCodes::IMPORT_ERROR_CODES.include?(error_code)
 
-      details = SSL::CertificateDetails.new(cert)
+      question = certificate_question(cert)
+      questions_client = Agama::DBus::Clients::Questions.new(logger: @logger)
+      questions_client.ask(question) { |c| c.answer == :trust }
+    end
 
-      question = Agama::Question.new(
-        qclass:         "registration.certificate",
-        text:           _("Secure connection error. Import certificate?"),
-        options:        [:Import, :Abort],
-        default_option: :Abort,
-        data: {
-          url: registration_url || "https://scc.suse.com",
-          error: SSL::ErrorCodes::OPENSSL_ERROR_MESSAGES[error_code],
-          subject: details.subject,
-          issuer: details.issuer,
-          summary: details.summary,
-          fingerprints: SSL::Storage.instance.fingerprints
-        }
+    # @param certificate [Agama::SSL::Certificate]
+    # @return [Agama::Question]
+    def certificate_question(certificate)
+      question_data = {
+        "url"                => registration_url || "https://scc.suse.com",
+        "issuer_name"        => certificate.issuer_name,
+        "issue_date"         => certificate.issued_on,
+        "expiration_date"    => certificate.expires_on,
+        "sha1_fingerprint"   => certificate.fingerprint(SSL::Fingerprint::SHA1).value,
+        "sha256_fingerprint" => certificate.fingerprint(SSL::Fingerprint::SHA256).value
+      }.filter { |_, v| !v.nil? }
+
+      question_text = _(
+        "Trying to import a self signed certificate. Do you want to trust it and register the " \
+        "product?"
       )
 
-      questions_client = Agama::DBus::Clients::Questions.new(logger: @logger)
-      questions_client.ask(question) do |question_client|
-        return question_client.answer == :Import
-      end
+      Agama::Question.new(
+        qclass:         "registration.certificate",
+        text:           question_text,
+        options:        [:trust, :reject],
+        default_option: :reject,
+        data:           question_data
+      )
     end
 
     # Returns the URL of the registration server

From 4cb3cf9e579b6180c4e704be44da1efbfbaa9472 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Iv=C3=A1n=20L=C3=B3pez=20Gonz=C3=A1lez?=
 <jlopez@suse.com>
Date: Tue, 22 Apr 2025 14:27:24 +0100
Subject: [PATCH 11/23] web: add question for registration certificate

---
 web/src/components/questions/Questions.tsx    |   8 +-
 .../RegistrationCertificateQuestion.test.tsx  |  64 +++++++++++
 .../RegistrationCertificateQuestion.tsx       | 104 ++++++++++++++++++
 3 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 web/src/components/questions/RegistrationCertificateQuestion.test.tsx
 create mode 100644 web/src/components/questions/RegistrationCertificateQuestion.tsx

diff --git a/web/src/components/questions/Questions.tsx b/web/src/components/questions/Questions.tsx
index 28636e2f73..23de4c56de 100644
--- a/web/src/components/questions/Questions.tsx
+++ b/web/src/components/questions/Questions.tsx
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) [2022-2024] SUSE LLC
+ * Copyright (c) [2022-2025] SUSE LLC
  *
  * All Rights Reserved.
  *
@@ -26,6 +26,7 @@ import QuestionWithPassword from "~/components/questions/QuestionWithPassword";
 import LuksActivationQuestion from "~/components/questions/LuksActivationQuestion";
 import PackageErrorQuestion from "~/components/questions/PackageErrorQuestion";
 import UnsupportedAutoYaST from "~/components/questions/UnsupportedAutoYaST";
+import RegistrationCertificateQuestion from "~/components/questions/RegistrationCertificateQuestion";
 import { useQuestions, useQuestionsConfig, useQuestionsChanges } from "~/queries/questions";
 import { AnswerCallback, QuestionType } from "~/types/questions";
 
@@ -64,5 +65,10 @@ export default function Questions(): React.ReactNode {
     QuestionComponent = PackageErrorQuestion;
   }
 
+  // special popup for self signed registration certificate
+  if (currentQuestion.class === "registration.certificate") {
+    QuestionComponent = RegistrationCertificateQuestion;
+  }
+
   return <QuestionComponent question={currentQuestion} answerCallback={answerQuestion} />;
 }
diff --git a/web/src/components/questions/RegistrationCertificateQuestion.test.tsx b/web/src/components/questions/RegistrationCertificateQuestion.test.tsx
new file mode 100644
index 0000000000..1342e54540
--- /dev/null
+++ b/web/src/components/questions/RegistrationCertificateQuestion.test.tsx
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) [2025] SUSE LLC
+ *
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, contact SUSE LLC.
+ *
+ * To contact SUSE LLC about this file by physical or electronic mail, you may
+ * find current contact information at www.suse.com.
+ */
+
+import React from "react";
+import { screen } from "@testing-library/react";
+import { plainRender } from "~/test-utils";
+import { Question } from "~/types/questions";
+import RegistrationCertificateQuestion from "~/components/questions/RegistrationCertificateQuestion";
+
+const question: Question = {
+  id: 1,
+  text: "Trust certificate?",
+  options: ["yes", "no"],
+  defaultOption: "yes",
+  data: {
+    url: "https://test.com",
+    issuer_name: "test",
+    issue_date: "01-01-2025",
+    expiration_date: "01-01-2030",
+    sha1_fingerprint: "AA:BB:CC",
+    sha256_fingerprint: "11:22:33:44:55",
+  },
+};
+
+const answerFn = jest.fn();
+
+const renderQuestion = () =>
+  plainRender(<RegistrationCertificateQuestion question={question} answerCallback={answerFn} />);
+
+it("renders the question text", async () => {
+  renderQuestion();
+
+  await screen.findByText(question.text);
+});
+
+it("renders the certificate data", async () => {
+  renderQuestion();
+
+  await screen.findByText(question.data.url);
+  await screen.findByText(question.data.issuer_name);
+  await screen.findByText(question.data.issue_date);
+  await screen.findByText(question.data.expiration_date);
+  await screen.findByText(question.data.sha1_fingerprint);
+  await screen.findByText(question.data.sha256_fingerprint);
+});
diff --git a/web/src/components/questions/RegistrationCertificateQuestion.tsx b/web/src/components/questions/RegistrationCertificateQuestion.tsx
new file mode 100644
index 0000000000..0d736e4839
--- /dev/null
+++ b/web/src/components/questions/RegistrationCertificateQuestion.tsx
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) [2025] SUSE LLC
+ *
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, contact SUSE LLC.
+ *
+ * To contact SUSE LLC about this file by physical or electronic mail, you may
+ * find current contact information at www.suse.com.
+ */
+
+import React from "react";
+import spacingStyles from "@patternfly/react-styles/css/utilities/Spacing/spacing";
+import {
+  Content,
+  DescriptionList,
+  DescriptionListDescription,
+  DescriptionListGroup,
+  DescriptionListTerm,
+  Stack,
+  StackItem,
+} from "@patternfly/react-core";
+import { Popup } from "~/components/core";
+import { AnswerCallback, Question } from "~/types/questions";
+import QuestionActions from "~/components/questions/QuestionActions";
+import { _ } from "~/i18n";
+
+type QuestionDataProps = {
+  label: string;
+  value?: string;
+};
+
+function QuestionData({ label, value }: QuestionDataProps): React.ReactNode | null {
+  if (!value) return null;
+
+  return (
+    <DescriptionListGroup>
+      <DescriptionListTerm>{label}</DescriptionListTerm>
+      <DescriptionListDescription>{value}</DescriptionListDescription>
+    </DescriptionListGroup>
+  );
+}
+
+/**
+ * Component to ask for trusting a self signed certificate.
+ *
+ * @param question - the question to be answered
+ * @param answerCallback - the callback to be triggered on answer
+ */
+export default function RegistrationCertificateQuestion({
+  question,
+  answerCallback,
+}: {
+  question: Question;
+  answerCallback: AnswerCallback;
+}): React.ReactNode {
+  const actionCallback = (option: string) => {
+    question.answer = option;
+    answerCallback(question);
+  };
+
+  return (
+    <Popup isOpen title={_("Registration certificate")}>
+      <Stack hasGutter>
+        <StackItem>
+          <Content component="p" isEditorial>
+            {question.text}
+          </Content>
+        </StackItem>
+        <StackItem>
+          <DescriptionList isHorizontal isCompact className={spacingStyles.mxLg}>
+            <QuestionData label={_("URL")} value={question.data.url} />
+            <QuestionData label={_("Issuer")} value={question.data.issuer_name} />
+            <QuestionData label={_("Issue date")} value={question.data.issue_date} />
+            <QuestionData label={_("Expiration date")} value={question.data.expiration_date} />
+            <QuestionData label={_("SHA1 fingerprint")} value={question.data.sha1_fingerprint} />
+            <QuestionData
+              label={_("SHA256 fingerprint")}
+              value={question.data.sha256_fingerprint}
+            />
+          </DescriptionList>
+        </StackItem>
+      </Stack>
+      <Popup.Actions>
+        <QuestionActions
+          actions={question.options}
+          defaultAction={question.defaultOption}
+          actionCallback={actionCallback}
+        />
+      </Popup.Actions>
+    </Popup>
+  );
+}

From 90d795d25086f133287b1ebfcc32b138a6f63f7a Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Tue, 22 Apr 2025 22:51:54 +0200
Subject: [PATCH 12/23] add web part of security

---
 rust/agama-lib/share/profile.schema.json   | 39 ++++++++++
 rust/agama-lib/src/install_settings.rs     |  4 +
 rust/agama-lib/src/security.rs             |  5 +-
 rust/agama-lib/src/security/client.rs      | 23 ++++--
 rust/agama-lib/src/security/http_client.rs | 46 +++++++++++
 rust/agama-lib/src/security/model.rs       |  6 +-
 rust/agama-lib/src/security/settings.rs    | 44 +++++++++++
 rust/agama-lib/src/security/store.rs       | 59 ++++++++++++++
 rust/agama-lib/src/software/store.rs       |  2 +-
 rust/agama-lib/src/store.rs                |  9 +++
 rust/agama-server/src/lib.rs               |  1 +
 rust/agama-server/src/security.rs          | 22 ++++++
 rust/agama-server/src/security/web.rs      | 89 ++++++++++++++++++++++
 rust/agama-server/src/web.rs               |  2 +
 14 files changed, 340 insertions(+), 11 deletions(-)
 create mode 100644 rust/agama-lib/src/security/http_client.rs
 create mode 100644 rust/agama-lib/src/security/settings.rs
 create mode 100644 rust/agama-lib/src/security/store.rs
 create mode 100644 rust/agama-server/src/security.rs
 create mode 100644 rust/agama-server/src/security/web.rs

diff --git a/rust/agama-lib/share/profile.schema.json b/rust/agama-lib/share/profile.schema.json
index 0f71b2d6d3..9e105f309f 100644
--- a/rust/agama-lib/share/profile.schema.json
+++ b/rust/agama-lib/share/profile.schema.json
@@ -98,6 +98,41 @@
         }
       }
     },
+    "security": {
+      "title": "Security settings",
+      "type": "object",
+      "properties": {
+        "sslFingerprints": {
+          "title": "List of SSL fingerprints to accept if unknown certificate appears",
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "fingerprint": {
+                "title": "SSL fingerprint value",
+                "type": "string",
+                "examples": ["A8:DE:08:B1:57:52:FE:70:DF:D5:31:EA:E3:53:BB:39:EE:01:FF:B9"] 
+              },
+              "algorithm": {
+                "title": "SSL fingerprint algorithm used to compute it",
+                "type": "string",
+                "enum": ["SHA1", "SHA256"],
+                "examples": ["SHA1"] 
+              }
+
+            }
+          }
+        },
+        "packages": {
+          "title": "List of packages to install",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "examples": ["vim"]
+          }
+        }
+      }
+    },
     "software": {
       "title": "Software settings",
       "type": "object",
@@ -139,6 +174,10 @@
         "registrationEmail": {
           "title": "Product registration email",
           "type": "string"
+        },
+        "registrationUrl": {
+          "title": "Specific registration server url",
+          "type": "string"
         }
       }
     },
diff --git a/rust/agama-lib/src/install_settings.rs b/rust/agama-lib/src/install_settings.rs
index fd487b7a3e..ea1124272f 100644
--- a/rust/agama-lib/src/install_settings.rs
+++ b/rust/agama-lib/src/install_settings.rs
@@ -24,6 +24,7 @@
 use crate::bootloader::model::BootloaderSettings;
 use crate::files::model::UserFile;
 use crate::hostname::model::HostnameSettings;
+use crate::security::settings::SecuritySettings;
 use crate::{
     localization::LocalizationSettings, network::NetworkSettings, product::ProductSettings,
     scripts::ScriptsConfig, software::SoftwareSettings, users::UserSettings,
@@ -57,6 +58,9 @@ pub struct InstallSettings {
     pub user: Option<UserSettings>,
     #[serde(default)]
     #[serde(skip_serializing_if = "Option::is_none")]
+    pub security: Option<SecuritySettings>,
+    #[serde(default)]
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub software: Option<SoftwareSettings>,
     #[serde(default)]
     pub product: Option<ProductSettings>,
diff --git a/rust/agama-lib/src/security.rs b/rust/agama-lib/src/security.rs
index 798a0e3c3d..521d6d88bc 100644
--- a/rust/agama-lib/src/security.rs
+++ b/rust/agama-lib/src/security.rs
@@ -1,3 +1,6 @@
 pub mod client;
+pub mod http_client;
 pub mod model;
-pub mod proxies;
\ No newline at end of file
+pub mod proxies;
+pub mod settings;
+pub mod store;
diff --git a/rust/agama-lib/src/security/client.rs b/rust/agama-lib/src/security/client.rs
index 1706ff0937..ec9559320b 100644
--- a/rust/agama-lib/src/security/client.rs
+++ b/rust/agama-lib/src/security/client.rs
@@ -39,14 +39,25 @@ impl<'a> SecurityClient<'a> {
 
     pub async fn get_ssl_fingerprints(&self) -> Result<Vec<SSLFingerprint>, ServiceError> {
         let dbus_list = self.security_proxy.ssl_fingerprints().await?;
-        dbus_list.into_iter().map( |(alg, value)| Ok(SSLFingerprint {
-            value,
-            algorithm: alg.try_into()?,
-        })).collect()
+        dbus_list
+            .into_iter()
+            .map(|(alg, value)| {
+                Ok(SSLFingerprint {
+                    fingerprint: value,
+                    algorithm: alg.try_into()?,
+                })
+            })
+            .collect()
     }
 
-    pub async fn set_ssl_fingerprints(&self, list: &Vec<SSLFingerprint>) -> Result<(), ServiceError> {
-        let dbus_list: Vec<(&str, &str)> = list.into_iter().map(|s| (s.algorithm.to_str(), s.value.as_str())).collect();
+    pub async fn set_ssl_fingerprints(
+        &self,
+        list: &Vec<SSLFingerprint>,
+    ) -> Result<(), ServiceError> {
+        let dbus_list: Vec<(&str, &str)> = list
+            .into_iter()
+            .map(|s| (s.algorithm.to_str(), s.fingerprint.as_str()))
+            .collect();
         self.security_proxy.set_ssl_fingerprints(&dbus_list).await?;
         Ok(())
     }
diff --git a/rust/agama-lib/src/security/http_client.rs b/rust/agama-lib/src/security/http_client.rs
new file mode 100644
index 0000000000..7e3195b3af
--- /dev/null
+++ b/rust/agama-lib/src/security/http_client.rs
@@ -0,0 +1,46 @@
+// Copyright (c) [2024] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+use crate::{base_http_client::BaseHTTPClient, error::ServiceError};
+
+use super::model::SSLFingerprint;
+
+pub struct SecurityHTTPClient {
+    client: BaseHTTPClient,
+}
+
+impl SecurityHTTPClient {
+    pub fn new(base: BaseHTTPClient) -> Self {
+        Self { client: base }
+    }
+
+    pub async fn get_ssl_fingerprints(&self) -> Result<Vec<SSLFingerprint>, ServiceError> {
+        self.client.get("/security/ssl_fingerprints").await
+    }
+
+    pub async fn set_ssl_fingerprints(
+        &self,
+        fps: &Vec<SSLFingerprint>,
+    ) -> Result<(), ServiceError> {
+        self.client
+            .put_void("/security/ssl_fingerprints", fps)
+            .await
+    }
+}
diff --git a/rust/agama-lib/src/security/model.rs b/rust/agama-lib/src/security/model.rs
index 86a42e0270..e53cec6d62 100644
--- a/rust/agama-lib/src/security/model.rs
+++ b/rust/agama-lib/src/security/model.rs
@@ -18,7 +18,7 @@
 // To contact SUSE LLC about this file by physical or electronic mail, you may
 // find current contact information at www.suse.com.
 
-use serde::{Serialize,Deserialize};
+use serde::{Deserialize, Serialize};
 
 #[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema)]
 pub enum SSLFingerprintAlgorithm {
@@ -33,7 +33,7 @@ impl TryFrom<String> for SSLFingerprintAlgorithm {
         match value.to_uppercase().as_str() {
             "SHA1" => Ok(Self::SHA1),
             "SHA256" => Ok(Self::SHA256),
-            _ => Err(crate::error::ServiceError::UnsupportedSSLFingerprintAlgorithm(value))
+            _ => Err(crate::error::ServiceError::UnsupportedSSLFingerprintAlgorithm(value)),
         }
     }
 }
@@ -55,7 +55,7 @@ impl Default for SSLFingerprintAlgorithm {
 
 #[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema)]
 pub struct SSLFingerprint {
-    pub value: String,
+    pub fingerprint: String,
     #[serde(default)]
     pub algorithm: SSLFingerprintAlgorithm,
 }
diff --git a/rust/agama-lib/src/security/settings.rs b/rust/agama-lib/src/security/settings.rs
new file mode 100644
index 0000000000..dd2e36ed76
--- /dev/null
+++ b/rust/agama-lib/src/security/settings.rs
@@ -0,0 +1,44 @@
+// Copyright (c) [2024] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+//! Representation of the software settings
+
+use serde::{Deserialize, Serialize};
+
+use super::model::SSLFingerprint;
+
+/// Software settings for installation
+#[derive(Debug, Default, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct SecuritySettings {
+    /// List of user selected patterns to install.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ssl_fingerprints: Option<Vec<SSLFingerprint>>,
+}
+
+impl SecuritySettings {
+    pub fn to_option(self) -> Option<Self> {
+        if self.ssl_fingerprints.is_none() {
+            None
+        } else {
+            Some(self)
+        }
+    }
+}
diff --git a/rust/agama-lib/src/security/store.rs b/rust/agama-lib/src/security/store.rs
new file mode 100644
index 0000000000..1845c744b1
--- /dev/null
+++ b/rust/agama-lib/src/security/store.rs
@@ -0,0 +1,59 @@
+// Copyright (c) [2024] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+//! Implements the store for the security settings.
+
+use crate::{base_http_client::BaseHTTPClient, error::ServiceError};
+
+use super::{http_client::SecurityHTTPClient, settings::SecuritySettings};
+
+/// Loads and stores the security settings from/to the http API.
+pub struct SecurityStore {
+    security_client: SecurityHTTPClient,
+}
+
+impl SecurityStore {
+    pub fn new(client: BaseHTTPClient) -> Result<SecurityStore, ServiceError> {
+        Ok(Self {
+            security_client: SecurityHTTPClient::new(client),
+        })
+    }
+
+    pub async fn load(&self) -> Result<SecuritySettings, ServiceError> {
+        let fingerprints = self.security_client.get_ssl_fingerprints().await?;
+        let opt_fps = if fingerprints.is_empty() {
+            None
+        } else {
+            Some(fingerprints)
+        };
+        Ok(SecuritySettings {
+            ssl_fingerprints: opt_fps,
+        })
+    }
+
+    pub async fn store(&self, settings: &SecuritySettings) -> Result<(), ServiceError> {
+        if let Some(fingerprints) = &settings.ssl_fingerprints {
+            self.security_client
+                .set_ssl_fingerprints(fingerprints)
+                .await?
+        }
+        Ok(())
+    }
+}
diff --git a/rust/agama-lib/src/software/store.rs b/rust/agama-lib/src/software/store.rs
index a47c4a1a82..9c362ac63c 100644
--- a/rust/agama-lib/src/software/store.rs
+++ b/rust/agama-lib/src/software/store.rs
@@ -27,7 +27,7 @@ use super::{SoftwareHTTPClient, SoftwareSettings};
 use crate::base_http_client::BaseHTTPClient;
 use crate::error::ServiceError;
 
-/// Loads and stores the software settings from/to the D-Bus service.
+/// Loads and stores the software settings from/to the HTTP API.
 pub struct SoftwareStore {
     software_client: SoftwareHTTPClient,
 }
diff --git a/rust/agama-lib/src/store.rs b/rust/agama-lib/src/store.rs
index ba0c69f878..ed4cd611c4 100644
--- a/rust/agama-lib/src/store.rs
+++ b/rust/agama-lib/src/store.rs
@@ -29,6 +29,7 @@ use crate::hostname::store::HostnameStore;
 use crate::install_settings::InstallSettings;
 use crate::manager::{InstallationPhase, ManagerHTTPClient};
 use crate::scripts::{ScriptsClient, ScriptsGroup};
+use crate::security::store::SecurityStore;
 use crate::storage::http_client::ISCSIHTTPClient;
 use crate::{
     localization::LocalizationStore, network::NetworkStore, product::ProductStore,
@@ -48,6 +49,7 @@ pub struct Store {
     users: UsersStore,
     network: NetworkStore,
     product: ProductStore,
+    security: SecurityStore,
     software: SoftwareStore,
     storage: StorageStore,
     localization: LocalizationStore,
@@ -67,6 +69,7 @@ impl Store {
             users: UsersStore::new(http_client.clone())?,
             network: NetworkStore::new(http_client.clone()).await?,
             product: ProductStore::new(http_client.clone())?,
+            security: SecurityStore::new(http_client.clone())?,
             software: SoftwareStore::new(http_client.clone())?,
             storage: StorageStore::new(http_client.clone())?,
             scripts: ScriptsStore::new(http_client.clone()),
@@ -83,6 +86,7 @@ impl Store {
             files: self.files.load().await?,
             hostname: Some(self.hostname.load().await?),
             network: Some(self.network.load().await?),
+            security: self.security.load().await?.to_option(),
             software: self.software.load().await?.to_option(),
             user: Some(self.users.load().await?),
             product: Some(self.product.load().await?),
@@ -128,6 +132,11 @@ impl Store {
         if let Some(network) = &settings.network {
             self.network.store(network).await?;
         }
+        // security has to be done before product to allow registration against
+        // self-signed RMT
+        if let Some(security) = &settings.security {
+            self.security.store(security).await?;
+        }
         // order is important here as network can be critical for connection
         // to registration server and selecting product is important for rest
         if let Some(product) = &settings.product {
diff --git a/rust/agama-server/src/lib.rs b/rust/agama-server/src/lib.rs
index 4db2a270a9..bf7a8c5889 100644
--- a/rust/agama-server/src/lib.rs
+++ b/rust/agama-server/src/lib.rs
@@ -31,6 +31,7 @@ pub mod network;
 pub mod profile;
 pub mod questions;
 pub mod scripts;
+pub mod security;
 pub mod software;
 pub mod storage;
 pub mod users;
diff --git a/rust/agama-server/src/security.rs b/rust/agama-server/src/security.rs
new file mode 100644
index 0000000000..1d420ec269
--- /dev/null
+++ b/rust/agama-server/src/security.rs
@@ -0,0 +1,22 @@
+// Copyright (c) [2024] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+pub mod web;
+pub use web::security_service;
diff --git a/rust/agama-server/src/security/web.rs b/rust/agama-server/src/security/web.rs
new file mode 100644
index 0000000000..24ee81d254
--- /dev/null
+++ b/rust/agama-server/src/security/web.rs
@@ -0,0 +1,89 @@
+// Copyright (c) [2024] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+//! This module implements the web API for the software service.
+//!
+//! The module offers two public functions:
+//!
+//! * `security_service` which returns the Axum service.
+
+use crate::error::Error;
+use agama_lib::{
+    error::ServiceError,
+    security::{client::SecurityClient, model::SSLFingerprint},
+};
+use axum::{extract::State, routing::get, Json, Router};
+
+#[derive(Clone)]
+struct SecurityState<'a> {
+    client: SecurityClient<'a>,
+}
+
+/// Sets up and returns the axum service for the software module.
+pub async fn security_service(dbus: zbus::Connection) -> Result<Router, ServiceError> {
+    let client = SecurityClient::new(dbus.clone()).await?;
+    let state = SecurityState { client };
+    let router = Router::new()
+        .route(
+            "/ssl_fingerprints",
+            get(get_fingerprints).put(set_fingerprints),
+        )
+        .with_state(state);
+    Ok(router)
+}
+
+/// Returns the list of defined ssl fingerprints.
+///
+/// * `state`: service state.
+#[utoipa::path(
+    get,
+    path = "/ssl_fingerprints",
+    context_path = "/api/security",
+    responses(
+        (status = 200, description = "List of known ssl fingerprints", body = Vec<SSLFingerprint>),
+        (status = 400, description = "The D-Bus service could not perform the action")
+    )
+)]
+async fn get_fingerprints(
+    State(state): State<SecurityState<'_>>,
+) -> Result<Json<Vec<SSLFingerprint>>, Error> {
+    let products = state.client.get_ssl_fingerprints().await?;
+    Ok(Json(products))
+}
+
+/// Sets the list of SSL fingerprints.
+///
+/// * `state`: service state.
+#[utoipa::path(
+    put,
+    path = "/ssl_fingerprints",
+    context_path = "/api/security",
+    responses(
+        (status = 200, description = "fingerprints set properly"),
+        (status = 400, description = "The D-Bus service could not perform the action")
+    )
+)]
+async fn set_fingerprints(
+    State(state): State<SecurityState<'_>>,
+    Json(fingerprints): Json<Vec<SSLFingerprint>>,
+) -> Result<(), Error> {
+    state.client.set_ssl_fingerprints(&fingerprints).await?;
+    Ok(())
+}
diff --git a/rust/agama-server/src/web.rs b/rust/agama-server/src/web.rs
index 6aa499a8ab..6e8f83cca2 100644
--- a/rust/agama-server/src/web.rs
+++ b/rust/agama-server/src/web.rs
@@ -35,6 +35,7 @@ use crate::{
     profile::web::profile_service,
     questions::web::{questions_service, questions_stream},
     scripts::web::scripts_service,
+    security::security_service,
     software::web::{software_service, software_streams},
     storage::web::{iscsi::iscsi_service, storage_service, storage_streams},
     users::web::{users_service, users_streams},
@@ -81,6 +82,7 @@ where
     let router = MainServiceBuilder::new(events.clone(), web_ui_dir)
         .add_service("/l10n", l10n_service(dbus.clone(), events.clone()).await?)
         .add_service("/manager", manager_service(dbus.clone()).await?)
+        .add_service("/security", security_service(dbus.clone()).await?)
         .add_service("/software", software_service(dbus.clone()).await?)
         .add_service("/storage", storage_service(dbus.clone()).await?)
         .add_service("/iscsi", iscsi_service(dbus.clone()).await?)

From d8c0b16788647c5421b3a303ad94eae2388b58e0 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 23 Apr 2025 13:21:36 +0200
Subject: [PATCH 13/23] rename key in profile

---
 rust/agama-lib/share/profile.schema.json | 20 ++++++--------------
 rust/agama-lib/src/security/settings.rs  |  6 ++++--
 rust/agama-lib/src/security/store.rs     |  4 ++--
 3 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/rust/agama-lib/share/profile.schema.json b/rust/agama-lib/share/profile.schema.json
index 9e105f309f..b10b2c3f8a 100644
--- a/rust/agama-lib/share/profile.schema.json
+++ b/rust/agama-lib/share/profile.schema.json
@@ -102,33 +102,25 @@
       "title": "Security settings",
       "type": "object",
       "properties": {
-        "sslFingerprints": {
-          "title": "List of SSL fingerprints to accept if unknown certificate appears",
+        "sslCertificates": {
+          "title": "List of SSL certificates to add to system",
           "type": "array",
           "items": {
             "type": "object",
             "properties": {
               "fingerprint": {
-                "title": "SSL fingerprint value",
+                "title": "fingerprint of ssl certificate",
                 "type": "string",
                 "examples": ["A8:DE:08:B1:57:52:FE:70:DF:D5:31:EA:E3:53:BB:39:EE:01:FF:B9"] 
               },
               "algorithm": {
-                "title": "SSL fingerprint algorithm used to compute it",
+                "title": "fingerprint algorithm used to compute it",
                 "type": "string",
                 "enum": ["SHA1", "SHA256"],
                 "examples": ["SHA1"] 
               }
-
-            }
-          }
-        },
-        "packages": {
-          "title": "List of packages to install",
-          "type": "array",
-          "items": {
-            "type": "string",
-            "examples": ["vim"]
+            },
+            "required": ["fingerprint", "algorithm"]
           }
         }
       }
diff --git a/rust/agama-lib/src/security/settings.rs b/rust/agama-lib/src/security/settings.rs
index dd2e36ed76..67fa4e163d 100644
--- a/rust/agama-lib/src/security/settings.rs
+++ b/rust/agama-lib/src/security/settings.rs
@@ -30,12 +30,14 @@ use super::model::SSLFingerprint;
 pub struct SecuritySettings {
     /// List of user selected patterns to install.
     #[serde(skip_serializing_if = "Option::is_none")]
-    pub ssl_fingerprints: Option<Vec<SSLFingerprint>>,
+    // when we add support for remote URL here it should be vector of SSL
+    // certificates which will include flatten fingerprint
+    pub ssl_certificates: Option<Vec<SSLFingerprint>>,
 }
 
 impl SecuritySettings {
     pub fn to_option(self) -> Option<Self> {
-        if self.ssl_fingerprints.is_none() {
+        if self.ssl_certificates.is_none() {
             None
         } else {
             Some(self)
diff --git a/rust/agama-lib/src/security/store.rs b/rust/agama-lib/src/security/store.rs
index 1845c744b1..9e5a6c385e 100644
--- a/rust/agama-lib/src/security/store.rs
+++ b/rust/agama-lib/src/security/store.rs
@@ -44,12 +44,12 @@ impl SecurityStore {
             Some(fingerprints)
         };
         Ok(SecuritySettings {
-            ssl_fingerprints: opt_fps,
+            ssl_certificates: opt_fps,
         })
     }
 
     pub async fn store(&self, settings: &SecuritySettings) -> Result<(), ServiceError> {
-        if let Some(fingerprints) = &settings.ssl_fingerprints {
+        if let Some(fingerprints) = &settings.ssl_certificates {
             self.security_client
                 .set_ssl_fingerprints(fingerprints)
                 .await?

From 9354cebbaa6c5ccb9c45d432c2ca7f26b1cfdefb Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 23 Apr 2025 13:37:26 +0200
Subject: [PATCH 14/23] apply clippy suggestion

---
 rust/agama-lib/src/security/client.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rust/agama-lib/src/security/client.rs b/rust/agama-lib/src/security/client.rs
index ec9559320b..3f1f226c5b 100644
--- a/rust/agama-lib/src/security/client.rs
+++ b/rust/agama-lib/src/security/client.rs
@@ -30,7 +30,7 @@ pub struct SecurityClient<'a> {
     security_proxy: SecurityProxy<'a>,
 }
 
-impl<'a> SecurityClient<'a> {
+impl SecurityClient<'_> {
     pub async fn new(connection: Connection) -> Result<Self, ServiceError> {
         Ok(Self {
             security_proxy: SecurityProxy::new(&connection).await?,
@@ -55,7 +55,7 @@ impl<'a> SecurityClient<'a> {
         list: &Vec<SSLFingerprint>,
     ) -> Result<(), ServiceError> {
         let dbus_list: Vec<(&str, &str)> = list
-            .into_iter()
+            .iter()
             .map(|s| (s.algorithm.to_str(), s.fingerprint.as_str()))
             .collect();
         self.security_proxy.set_ssl_fingerprints(&dbus_list).await?;

From f1b0180bc63969740a404d0d8f2becc7272e4b9a Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 23 Apr 2025 13:50:56 +0200
Subject: [PATCH 15/23] make rubocop happy

---
 service/lib/agama/ssl/certificate.rb          | 18 +++++++-------
 service/lib/agama/ssl/certificate_details.rb  | 24 +++++++------------
 service/lib/agama/ssl/errors.rb               |  5 +++-
 service/lib/agama/ssl/fingerprint.rb          |  7 ++++--
 service/lib/agama/ssl/storage.rb              |  3 +++
 service/test/agama/registration_test.rb       |  9 ++++---
 .../agama/ssl/certificate_details_spec.rb     |  1 +
 service/test/agama/ssl/certificate_spec.rb    |  5 ++--
 service/test/agama/ssl/fingerprint_spec.rb    |  1 +
 9 files changed, 42 insertions(+), 31 deletions(-)

diff --git a/service/lib/agama/ssl/certificate.rb b/service/lib/agama/ssl/certificate.rb
index 54ce6883d5..274d0dd4f9 100644
--- a/service/lib/agama/ssl/certificate.rb
+++ b/service/lib/agama/ssl/certificate.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "openssl"
 require "suse/connect"
 require "yast2/execute"
@@ -14,10 +16,10 @@ class Certificate
       Yast.import "Installation"
 
       # Path to the registration certificate in the instsys
-      INSTSYS_CERT_DIR = "/etc/pki/trust/anchors".freeze
+      INSTSYS_CERT_DIR = "/etc/pki/trust/anchors"
       INSTSYS_SERVER_CERT_FILE = File.join(INSTSYS_CERT_DIR, "registration_server.pem").freeze
       # Path to system CA certificates
-      CA_CERTS_DIR = "/var/lib/ca-certificates".freeze
+      CA_CERTS_DIR = "/var/lib/ca-certificates"
 
       # all used certificate paths, this is used during upgrade to import
       # the old certificate into the inst-sys, put the older paths at the end
@@ -64,12 +66,12 @@ def self.load(data)
 
       def self.download(url, insecure: false)
         # TODO
-        #result = Downloader.download(url, insecure: insecure)
-        #load(result)
+        # result = Downloader.download(url, insecure: insecure)
+        # load(result)
       end
 
       # Path to temporal CA certificates (to be used only in instsys)
-      TMP_CA_CERTS_DIR = "/var/lib/YaST2/ca-certificates".freeze
+      TMP_CA_CERTS_DIR = "/var/lib/YaST2/ca-certificates"
 
       # Update instys CA certificates
       #
@@ -160,8 +162,8 @@ def issuer_organization_unit
         find_issuer_attribute("OU")
       end
 
-      def match_fingerprint?(fp)
-        fp == fingerprint(fp.sum)
+      def match_fingerprint?(fingerp)
+        fingerp == fingerprint(fingerp.sum)
       end
 
       def fingerprint(sum)
@@ -215,7 +217,7 @@ def log_details
         require "registration/ssl_certificate_details"
         # log also the dates
         log.info("#{CertificateDetails.new(self).summary}\n" \
-          "Issued on: #{issued_on}\nExpires on: #{expires_on}")
+                 "Issued on: #{issued_on}\nExpires on: #{expires_on}")
 
         # log a warning for expired certificate
         expires = x509_cert.not_after.localtime
diff --git a/service/lib/agama/ssl/certificate_details.rb b/service/lib/agama/ssl/certificate_details.rb
index 25c130ad9c..10c42c7d39 100644
--- a/service/lib/agama/ssl/certificate_details.rb
+++ b/service/lib/agama/ssl/certificate_details.rb
@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 require "agama/ssl/fingerprint"
 
 module Agama
-  # class handling SSL certificate
   module SSL
+    # class handling SSL certificate details
     class CertificateDetails
       include Yast::I18n
 
@@ -24,36 +26,28 @@ def issuer
           certificate.issuer_organization_unit)
       end
 
-      def summary(small_space: false)
+      def summary
         summary = _("Certificate:") + "\n" + _("Issued To") + "\n" + subject +
           "\n" + _("Issued By") + "\n" + issuer + "\n" + _("SHA1 Fingerprint: ") +
           "\n" + INDENT + certificate.fingerprint(Fingerprint::SHA1).value + "\n" +
           _("SHA256 Fingerprint: ") + "\n"
 
         sha256 = certificate.fingerprint(Fingerprint::SHA256).value
-        summary += if small_space
-          # split the long SHA256 digest to two lines in small text mode UI
-          INDENT + sha256[0..59] + "\n" + INDENT + sha256[60..-1]
-        else
-          INDENT + sha256
-        end
-
-        summary
+        summary += INDENT + sha256
       end
 
     private
 
       attr_reader :certificate
 
-      def identity_details(cn, o, ou)
+      def identity_details(cname, org, orgu)
         # label followed by the SSL certificate identification
-        _("Common Name (CN): ") + (cn || "") + "\n" +
+        _("Common Name (CN): ") + (cname || "") + "\n" +
           # label followed by the SSL certificate identification
-          _("Organization (O): ") + (o || "") + "\n" +
+          _("Organization (O): ") + (org || "") + "\n" +
           # label followed by the SSL certificate identification
-          _("Organization Unit (OU): ") + (ou || "") + "\n"
+          _("Organization Unit (OU): ") + (orgu || "") + "\n"
       end
     end
   end
 end
-
diff --git a/service/lib/agama/ssl/errors.rb b/service/lib/agama/ssl/errors.rb
index ac47ffe4ba..06b539fcd7 100644
--- a/service/lib/agama/ssl/errors.rb
+++ b/service/lib/agama/ssl/errors.rb
@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 require "yast"
 
 module Agama
   module SSL
     # remember the details about SSL verification failure
     # the attributes are read from the SSL error context
-    class Errors < Struct.new(:ssl_error_code, :ssl_error_msg, :ssl_failed_cert)
+    Errors = Struct.new(:ssl_error_code, :ssl_error_msg, :ssl_failed_cert) do
       include Singleton
 
       def reset
@@ -14,6 +16,7 @@ def reset
       end
     end
 
+    # handles SSL error codes
     module ErrorCodes
       extend Yast::I18n
       textdomain "registration"
diff --git a/service/lib/agama/ssl/fingerprint.rb b/service/lib/agama/ssl/fingerprint.rb
index 1b3080e9fa..481880ea2d 100644
--- a/service/lib/agama/ssl/fingerprint.rb
+++ b/service/lib/agama/ssl/fingerprint.rb
@@ -1,10 +1,13 @@
+# frozen_string_literal: true
+
 module Agama
   module SSL
+    # Represents SSL fingerprint
     class Fingerprint
       attr_reader :sum, :value
 
-      SHA1 = "SHA1".freeze
-      SHA256 = "SHA256".freeze
+      SHA1 = "SHA1"
+      SHA256 = "SHA256"
 
       def initialize(sum, value)
         @sum = sum
diff --git a/service/lib/agama/ssl/storage.rb b/service/lib/agama/ssl/storage.rb
index 5cc9082371..cb6bce593b 100644
--- a/service/lib/agama/ssl/storage.rb
+++ b/service/lib/agama/ssl/storage.rb
@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 require "singleton"
 
 module Agama
   module SSL
+    # Holds SSL related configuration
     class Storage
       include Singleton
 
diff --git a/service/test/agama/registration_test.rb b/service/test/agama/registration_test.rb
index 52a8a5f6ab..1ff82db492 100644
--- a/service/test/agama/registration_test.rb
+++ b/service/test/agama/registration_test.rb
@@ -236,7 +236,9 @@
         end
 
         context "if the registration server has self-signed certificate" do
-          let (:certificate) { Agama::SSL::Certificate.load(File.read(File.join(FIXTURES_PATH, "test.pem"))) }
+          let(:certificate) do
+            Agama::SSL::Certificate.load(File.read(File.join(FIXTURES_PATH, "test.pem")))
+          end
           before do
             Agama::SSL::Errors.instance.ssl_error_code = Agama::SSL::ErrorCodes::SELF_SIGNED_CERT
             Agama::SSL::Errors.instance.ssl_error_msg = "test error"
@@ -247,7 +249,7 @@
             @called = 0
             allow(SUSE::Connect::YaST).to receive(:activate_product) do
               @called += 1
-              raise(OpenSSL::SSL::SSLError.new("test")) if @called == 1
+              raise OpenSSL::SSL::SSLError, "test" if @called == 1
 
               service
             end
@@ -255,7 +257,8 @@
 
           context "and certificate fingerprint is in storage" do
             before do
-              Agama::SSL::Storage.instance.fingerprints.replace([certificate.send(:sha256_fingerprint)])
+              Agama::SSL::Storage.instance.fingerprints
+                .replace([certificate.send(:sha256_fingerprint)])
             end
 
             it "tries to import certificate" do
diff --git a/service/test/agama/ssl/certificate_details_spec.rb b/service/test/agama/ssl/certificate_details_spec.rb
index c9f502dcf3..77508bd778 100755
--- a/service/test/agama/ssl/certificate_details_spec.rb
+++ b/service/test/agama/ssl/certificate_details_spec.rb
@@ -1,4 +1,5 @@
 #! /usr/bin/env rspec
+# frozen_string_literal: true
 
 require_relative "../../test_helper"
 
diff --git a/service/test/agama/ssl/certificate_spec.rb b/service/test/agama/ssl/certificate_spec.rb
index c51e6bebe8..b03372284b 100755
--- a/service/test/agama/ssl/certificate_spec.rb
+++ b/service/test/agama/ssl/certificate_spec.rb
@@ -1,4 +1,5 @@
 #! /usr/bin/env rspec
+# frozen_string_literal: true
 
 require_relative "../../test_helper"
 
@@ -48,7 +49,7 @@
   end
 
   describe ".update_instsys_ca" do
-    CERT_NAME = "YaST_Team.pem".freeze
+    CERT_NAME = "YaST_Team.pem"
     # Names are asigned by "trust" and related to certificate content
     CERT_LINKS = ["8820a2e8.0", "8f13f82e.0"].freeze
 
@@ -70,7 +71,7 @@
 
     after do
       FileUtils.rm_rf(ca_dir.to_s)
-      cert_links = Dir[File.join(tmp_ca_dir, "*")].select { |f| File.symlink?(f)}
+      cert_links = Dir[File.join(tmp_ca_dir, "*")].select { |f| File.symlink?(f) }
       FileUtils.rm(cert_links) unless cert_links.empty?
     end
 
diff --git a/service/test/agama/ssl/fingerprint_spec.rb b/service/test/agama/ssl/fingerprint_spec.rb
index 3fce51238d..471a94d390 100755
--- a/service/test/agama/ssl/fingerprint_spec.rb
+++ b/service/test/agama/ssl/fingerprint_spec.rb
@@ -1,4 +1,5 @@
 #! /usr/bin/env rspec
+# frozen_string_literal: true
 
 require_relative "../../test_helper"
 

From 6d0d98a787fdea6bfa40e73f7659b7a37f7cd613 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 23 Apr 2025 13:55:35 +0200
Subject: [PATCH 16/23] fix rust unit test

---
 rust/agama-lib/src/product/store.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rust/agama-lib/src/product/store.rs b/rust/agama-lib/src/product/store.rs
index 9f4b9c98ae..1c1a4c6fa4 100644
--- a/rust/agama-lib/src/product/store.rs
+++ b/rust/agama-lib/src/product/store.rs
@@ -150,7 +150,8 @@ mod test {
                 .body(
                     r#"{
                     "key": "",
-                    "email": ""
+                    "email": "",
+                    "url": ""
                 }"#,
                 );
         });

From 64ba35815541bb8208e76f055a1352bfefaf3f42 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 23 Apr 2025 14:55:53 +0200
Subject: [PATCH 17/23] adjust dbus doc to make ci happy

---
 doc/dbus/bus/org.opensuse.Agama.Security.bus.xml | 1 +
 doc/dbus/org.opensuse.Agama.Security.doc.xml     | 8 ++++++++
 doc/dbus/org.opensuse.Agama.Software1.doc.xml    | 3 ---
 3 files changed, 9 insertions(+), 3 deletions(-)
 create mode 120000 doc/dbus/bus/org.opensuse.Agama.Security.bus.xml
 create mode 100644 doc/dbus/org.opensuse.Agama.Security.doc.xml

diff --git a/doc/dbus/bus/org.opensuse.Agama.Security.bus.xml b/doc/dbus/bus/org.opensuse.Agama.Security.bus.xml
new file mode 120000
index 0000000000..d0feb248d1
--- /dev/null
+++ b/doc/dbus/bus/org.opensuse.Agama.Security.bus.xml
@@ -0,0 +1 @@
+org.opensuse.Agama.Software1.bus.xml
\ No newline at end of file
diff --git a/doc/dbus/org.opensuse.Agama.Security.doc.xml b/doc/dbus/org.opensuse.Agama.Security.doc.xml
new file mode 100644
index 0000000000..6b183e682b
--- /dev/null
+++ b/doc/dbus/org.opensuse.Agama.Security.doc.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<node name="/org/opensuse/Agama/Software1">
+  <node name="Product"></node>
+  <node name="Proposal"></node>
+  <interface name="org.opensuse.Agama.Security">
+    <property type="a(ss)" name="SslFingerprints" access="readwrite"/>
+  </interface>
+</node>
diff --git a/doc/dbus/org.opensuse.Agama.Software1.doc.xml b/doc/dbus/org.opensuse.Agama.Software1.doc.xml
index aab14669af..0080f876ff 100644
--- a/doc/dbus/org.opensuse.Agama.Software1.doc.xml
+++ b/doc/dbus/org.opensuse.Agama.Software1.doc.xml
@@ -98,7 +98,4 @@
     </method>
     <property type="a{sy}" name="SelectedPatterns" access="read"/>
   </interface>
-  <interface name="org.opensuse.Agama.Security">
-    <property type="a(ss)" name="SslFingerprints" access="readwrite"/>
-  </interface>
 </node>

From 9214f64a7abf18449040376c7c0a83485d5ac804 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 23 Apr 2025 18:12:59 +0200
Subject: [PATCH 18/23] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Imobach González Sosa <igonzalezsosa@suse.com>
---
 rust/agama-lib/share/profile.schema.json          | 4 ++--
 rust/agama-lib/src/product/client.rs              | 2 +-
 rust/agama-lib/src/security/http_client.rs        | 2 +-
 rust/agama-lib/src/security/settings.rs           | 2 +-
 rust/agama-lib/src/security/store.rs              | 4 ++--
 rust/agama-lib/src/software/model/registration.rs | 2 +-
 rust/agama-server/src/security/web.rs             | 2 +-
 7 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/rust/agama-lib/share/profile.schema.json b/rust/agama-lib/share/profile.schema.json
index b10b2c3f8a..dad02a0fc4 100644
--- a/rust/agama-lib/share/profile.schema.json
+++ b/rust/agama-lib/share/profile.schema.json
@@ -114,7 +114,7 @@
                 "examples": ["A8:DE:08:B1:57:52:FE:70:DF:D5:31:EA:E3:53:BB:39:EE:01:FF:B9"] 
               },
               "algorithm": {
-                "title": "fingerprint algorithm used to compute it",
+                "title": "Fingerprint algorithm used to compute it",
                 "type": "string",
                 "enum": ["SHA1", "SHA256"],
                 "examples": ["SHA1"] 
@@ -168,7 +168,7 @@
           "type": "string"
         },
         "registrationUrl": {
-          "title": "Specific registration server url",
+          "title": "URL of the registration server",
           "type": "string"
         }
       }
diff --git a/rust/agama-lib/src/product/client.rs b/rust/agama-lib/src/product/client.rs
index 5cb00fc1f3..a69f827043 100644
--- a/rust/agama-lib/src/product/client.rs
+++ b/rust/agama-lib/src/product/client.rs
@@ -126,7 +126,7 @@ impl<'a> ProductClient<'a> {
         Ok(self.registration_proxy.email().await?)
     }
 
-    /// url of registration server
+    /// URL of the registration server
     pub async fn registration_url(&self) -> Result<String, ServiceError> {
         Ok(self.registration_proxy.url().await?)
     }
diff --git a/rust/agama-lib/src/security/http_client.rs b/rust/agama-lib/src/security/http_client.rs
index 7e3195b3af..35a9b920d0 100644
--- a/rust/agama-lib/src/security/http_client.rs
+++ b/rust/agama-lib/src/security/http_client.rs
@@ -1,4 +1,4 @@
-// Copyright (c) [2024] SUSE LLC
+// Copyright (c) [2025] SUSE LLC
 //
 // All Rights Reserved.
 //
diff --git a/rust/agama-lib/src/security/settings.rs b/rust/agama-lib/src/security/settings.rs
index 67fa4e163d..c67209c6b0 100644
--- a/rust/agama-lib/src/security/settings.rs
+++ b/rust/agama-lib/src/security/settings.rs
@@ -24,7 +24,7 @@ use serde::{Deserialize, Serialize};
 
 use super::model::SSLFingerprint;
 
-/// Software settings for installation
+/// Security settings for installation
 #[derive(Debug, Default, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct SecuritySettings {
diff --git a/rust/agama-lib/src/security/store.rs b/rust/agama-lib/src/security/store.rs
index 9e5a6c385e..b77c1e6acf 100644
--- a/rust/agama-lib/src/security/store.rs
+++ b/rust/agama-lib/src/security/store.rs
@@ -1,4 +1,4 @@
-// Copyright (c) [2024] SUSE LLC
+// Copyright (c) [2025] SUSE LLC
 //
 // All Rights Reserved.
 //
@@ -24,7 +24,7 @@ use crate::{base_http_client::BaseHTTPClient, error::ServiceError};
 
 use super::{http_client::SecurityHTTPClient, settings::SecuritySettings};
 
-/// Loads and stores the security settings from/to the http API.
+/// Loads and stores the security settings from/to the HTTP API.
 pub struct SecurityStore {
     security_client: SecurityHTTPClient,
 }
diff --git a/rust/agama-lib/src/software/model/registration.rs b/rust/agama-lib/src/software/model/registration.rs
index 27dfa81de3..ae0fc68fb2 100644
--- a/rust/agama-lib/src/software/model/registration.rs
+++ b/rust/agama-lib/src/software/model/registration.rs
@@ -73,7 +73,7 @@ pub struct RegistrationInfo {
     pub key: String,
     /// Registration email. Empty value mean email not used or not registered.
     pub email: String,
-    /// Registration url. Empty value mean that de default value is used.
+    /// Registration URL. Empty value mean that de default value is used.
     pub url: String,
 }
 
diff --git a/rust/agama-server/src/security/web.rs b/rust/agama-server/src/security/web.rs
index 24ee81d254..e18b1dcda4 100644
--- a/rust/agama-server/src/security/web.rs
+++ b/rust/agama-server/src/security/web.rs
@@ -76,7 +76,7 @@ async fn get_fingerprints(
     path = "/ssl_fingerprints",
     context_path = "/api/security",
     responses(
-        (status = 200, description = "fingerprints set properly"),
+        (status = 200, description = "SSL fingerprints were set properly."),
         (status = 400, description = "The D-Bus service could not perform the action")
     )
 )]

From caa3559284065f8ca4c022c584a4ff72737bfb58 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Wed, 23 Apr 2025 21:16:31 +0200
Subject: [PATCH 19/23] changes from code review

---
 rust/Cargo.lock                       |  8 ++--
 rust/agama-lib/Cargo.toml             |  2 +-
 rust/agama-lib/src/security/client.rs |  6 ++-
 rust/agama-lib/src/security/model.rs  | 54 +++++++++++++--------------
 4 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/rust/Cargo.lock b/rust/Cargo.lock
index 6be6d96e5e..4eb1f5bf74 100644
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -3574,18 +3574,18 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
 
 [[package]]
 name = "strum"
-version = "0.26.3"
+version = "0.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06"
+checksum = "f64def088c51c9510a8579e3c5d67c65349dcf755e5479ad3d010aa6454e2c32"
 dependencies = [
  "strum_macros",
 ]
 
 [[package]]
 name = "strum_macros"
-version = "0.26.4"
+version = "0.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be"
+checksum = "c77a8c5abcaf0f9ce05d62342b7d298c346515365c36b673df4ebe3ced01fde8"
 dependencies = [
  "heck",
  "proc-macro2",
diff --git a/rust/agama-lib/Cargo.toml b/rust/agama-lib/Cargo.toml
index ac545fb0ba..90efb95bf0 100644
--- a/rust/agama-lib/Cargo.toml
+++ b/rust/agama-lib/Cargo.toml
@@ -33,7 +33,7 @@ chrono = { version = "0.4.38", default-features = false, features = [
     "clock",
 ] }
 home = "0.5.9"
-strum = { version = "0.26.3", features = ["derive"] }
+strum = { version = "0.27.1", features = ["derive"] }
 fs_extra = "1.3.0"
 serde_with = "3.12.0"
 regex = "1.11.1"
diff --git a/rust/agama-lib/src/security/client.rs b/rust/agama-lib/src/security/client.rs
index 3f1f226c5b..dcdc4d3d54 100644
--- a/rust/agama-lib/src/security/client.rs
+++ b/rust/agama-lib/src/security/client.rs
@@ -18,6 +18,8 @@
 // To contact SUSE LLC about this file by physical or electronic mail, you may
 // find current contact information at www.suse.com.
 
+use std::str::FromStr;
+
 use zbus::Connection;
 
 use crate::error::ServiceError;
@@ -44,7 +46,7 @@ impl SecurityClient<'_> {
             .map(|(alg, value)| {
                 Ok(SSLFingerprint {
                     fingerprint: value,
-                    algorithm: alg.try_into()?,
+                    algorithm: super::model::SSLFingerprintAlgorithm::from_str(&alg)?,
                 })
             })
             .collect()
@@ -56,7 +58,7 @@ impl SecurityClient<'_> {
     ) -> Result<(), ServiceError> {
         let dbus_list: Vec<(&str, &str)> = list
             .iter()
-            .map(|s| (s.algorithm.to_str(), s.fingerprint.as_str()))
+            .map(|s| (s.algorithm.clone().into(), s.fingerprint.as_str()))
             .collect();
         self.security_proxy.set_ssl_fingerprints(&dbus_list).await?;
         Ok(())
diff --git a/rust/agama-lib/src/security/model.rs b/rust/agama-lib/src/security/model.rs
index e53cec6d62..d9c341515f 100644
--- a/rust/agama-lib/src/security/model.rs
+++ b/rust/agama-lib/src/security/model.rs
@@ -20,42 +20,40 @@
 
 use serde::{Deserialize, Serialize};
 
-#[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema)]
+use crate::error::ServiceError;
+
+#[derive(
+    Default,
+    Clone,
+    Debug,
+    strum::IntoStaticStr,
+    strum::EnumString,
+    Serialize,
+    Deserialize,
+    utoipa::ToSchema,
+)]
+#[strum(ascii_case_insensitive)]
+#[strum(
+  parse_err_fn = alg_not_found_err,
+  parse_err_ty = ServiceError,
+)]
 pub enum SSLFingerprintAlgorithm {
     SHA1,
+    #[default]
     SHA256,
 }
 
-impl TryFrom<String> for SSLFingerprintAlgorithm {
-    type Error = crate::ServiceError;
-
-    fn try_from(value: String) -> Result<Self, Self::Error> {
-        match value.to_uppercase().as_str() {
-            "SHA1" => Ok(Self::SHA1),
-            "SHA256" => Ok(Self::SHA256),
-            _ => Err(crate::error::ServiceError::UnsupportedSSLFingerprintAlgorithm(value)),
-        }
-    }
-}
-
-impl SSLFingerprintAlgorithm {
-    pub fn to_str(&self) -> &'static str {
-        match self {
-            SSLFingerprintAlgorithm::SHA1 => "SHA1",
-            SSLFingerprintAlgorithm::SHA256 => "SHA256",
-        }
-    }
-}
-
-impl Default for SSLFingerprintAlgorithm {
-    fn default() -> Self {
-        Self::SHA256
-    }
-}
-
 #[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema)]
 pub struct SSLFingerprint {
+    /// The string value for SSL certificate fingerprint.
+    /// Example value is "F6:7A:ED:BB:BC:94:CF:55:9D:B3:BA:74:7A:87:05:EF:67:4E:C2:DB"
     pub fingerprint: String,
+    /// Algorithm used to compute SSL certificate fingerprint.
+    /// Supported options are "SHA1" and "SHA256"
     #[serde(default)]
     pub algorithm: SSLFingerprintAlgorithm,
 }
+
+fn alg_not_found_err(s: &str) -> ServiceError {
+    ServiceError::UnsupportedSSLFingerprintAlgorithm(s.to_string())
+}

From 6696dee709ba3493d89fbe118bef86129d2afde6 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Thu, 24 Apr 2025 09:11:11 +0200
Subject: [PATCH 20/23] changes from review

---
 rust/agama-lib/src/security/client.rs | 6 +++---
 rust/agama-lib/src/security/model.rs  | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/rust/agama-lib/src/security/client.rs b/rust/agama-lib/src/security/client.rs
index dcdc4d3d54..3a355c2f58 100644
--- a/rust/agama-lib/src/security/client.rs
+++ b/rust/agama-lib/src/security/client.rs
@@ -24,7 +24,7 @@ use zbus::Connection;
 
 use crate::error::ServiceError;
 
-use super::{model::SSLFingerprint, proxies::SecurityProxy};
+use super::{model::{SSLFingerprint, SSLFingerprintAlgorithm}, proxies::SecurityProxy};
 
 /// D-Bus client for the security service
 #[derive(Clone)]
@@ -46,7 +46,7 @@ impl SecurityClient<'_> {
             .map(|(alg, value)| {
                 Ok(SSLFingerprint {
                     fingerprint: value,
-                    algorithm: super::model::SSLFingerprintAlgorithm::from_str(&alg)?,
+                    algorithm: SSLFingerprintAlgorithm::from_str(&alg)?,
                 })
             })
             .collect()
@@ -58,7 +58,7 @@ impl SecurityClient<'_> {
     ) -> Result<(), ServiceError> {
         let dbus_list: Vec<(&str, &str)> = list
             .iter()
-            .map(|s| (s.algorithm.clone().into(), s.fingerprint.as_str()))
+            .map(|s| (s.algorithm.into(), s.fingerprint.as_str()))
             .collect();
         self.security_proxy.set_ssl_fingerprints(&dbus_list).await?;
         Ok(())
diff --git a/rust/agama-lib/src/security/model.rs b/rust/agama-lib/src/security/model.rs
index d9c341515f..1c9dec9c0f 100644
--- a/rust/agama-lib/src/security/model.rs
+++ b/rust/agama-lib/src/security/model.rs
@@ -25,6 +25,7 @@ use crate::error::ServiceError;
 #[derive(
     Default,
     Clone,
+    Copy,
     Debug,
     strum::IntoStaticStr,
     strum::EnumString,

From 22a03c99c6e03e78c9df8a089a43cae205e4e99e Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Thu, 24 Apr 2025 13:24:55 +0200
Subject: [PATCH 21/23] cargo fmt

---
 rust/agama-lib/src/security/client.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rust/agama-lib/src/security/client.rs b/rust/agama-lib/src/security/client.rs
index 3a355c2f58..442d8b5913 100644
--- a/rust/agama-lib/src/security/client.rs
+++ b/rust/agama-lib/src/security/client.rs
@@ -24,7 +24,10 @@ use zbus::Connection;
 
 use crate::error::ServiceError;
 
-use super::{model::{SSLFingerprint, SSLFingerprintAlgorithm}, proxies::SecurityProxy};
+use super::{
+    model::{SSLFingerprint, SSLFingerprintAlgorithm},
+    proxies::SecurityProxy,
+};
 
 /// D-Bus client for the security service
 #[derive(Clone)]

From 6eb69ae4f312dea547c3c38b9093ced0bb646036 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Thu, 24 Apr 2025 16:13:55 +0200
Subject: [PATCH 22/23] changes

---
 rust/package/agama.changes                 | 10 ++++++++++
 service/package/rubygem-agama-yast.changes |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/rust/package/agama.changes b/rust/package/agama.changes
index cd0bea2705..8df2d78696 100644
--- a/rust/package/agama.changes
+++ b/rust/package/agama.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Apr 24 14:13:19 UTC 2025 - Josef Reidinger <jreidinger@suse.com>
+
+- Allow to specify in agama profile SSL certificate fingerprint
+  to handle self-signed certificates used for non default
+  registration server
+- Allow to specify registration server URL via agama profile
+  gh#agama-project/agama#2270
+
+
 -------------------------------------------------------------------
 Tue Apr 22 14:14:52 UTC 2025 - Imobach Gonzalez Sosa <igonzalezsosa@suse.com>
 
diff --git a/service/package/rubygem-agama-yast.changes b/service/package/rubygem-agama-yast.changes
index 317319054f..9c2b988bb4 100644
--- a/service/package/rubygem-agama-yast.changes
+++ b/service/package/rubygem-agama-yast.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Apr 24 14:10:46 UTC 2025 - Josef Reidinger <jreidinger@suse.com>
+
+- Allow to specify SSL certificate fingerprint to handle self-signed
+  certificates used for non default registration server
+- Allow to specify registration server URL via API
+  gh#agama-project/agama#2270
+
 -------------------------------------------------------------------
 Tue Apr 22 14:14:52 UTC 2025 - Imobach Gonzalez Sosa <igonzalezsosa@suse.com>
 

From 2fa3f3d759700878f0e4d6101481943151b900d8 Mon Sep 17 00:00:00 2001
From: Josef Reidinger <jreidinger@suse.cz>
Date: Thu, 24 Apr 2025 16:20:30 +0200
Subject: [PATCH 23/23] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Imobach González Sosa <igonzalezsosa@suse.com>
---
 rust/package/agama.changes | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rust/package/agama.changes b/rust/package/agama.changes
index 8df2d78696..305a68939a 100644
--- a/rust/package/agama.changes
+++ b/rust/package/agama.changes
@@ -1,10 +1,10 @@
 -------------------------------------------------------------------
 Thu Apr 24 14:13:19 UTC 2025 - Josef Reidinger <jreidinger@suse.com>
 
-- Allow to specify in agama profile SSL certificate fingerprint
+- Allow to specify in Agama profile SSL certificate fingerprint
   to handle self-signed certificates used for non default
   registration server
-- Allow to specify registration server URL via agama profile
+- Allow to specify registration server URL via Agama profile
   gh#agama-project/agama#2270