Alternate method to use Custom CA Certificates with Satellite/Capsule signed by 2 different CA authorities


Using Custom CA Certs signed by two different CA Authorities with Red Hat Satellite/Capsule

NOTE: You can skip the material here if you are using self-signed certificates. This is for custom SSL certificates that are the result of a CSR submitted to a CA authority.

This is a Discussion, not a Red Hat Solution.

Environment

Issue

  • Sometimes you have no choice but to use non-self-signed CA Certs for your Satellite and Capsule that are signed by two different CA Authorities

Resolution

Disclaimer #1: The links were correct and worked at the date this was originally posted. Things change over time.

Disclaimer #2: This is not a Red Hat solution; it is a discussion by a customer who found this procedure to work in their environment. They highly recommend running Satellite/Capsule as VMware instances with VMware snapshots taken beforehand, testing this in a non-production environment first, and referring to the Solution by Red Hat. There is zero warranty for the material in the following discussion.

  • Create the CSR for your Satellite first and submit it to your CA.
  • Create the CSR for your Capsule second and submit it to your CA.
    This is mentioned later - we found we could take the bundle file output from the openssl command (mentioned below), take the resulting files, and put the two files into one as the bundle, and this worked for us in our environment.

  • Acquire both custom CA certs and use the openssl command below to take the two files for your bundle and put them together as described below.

  • This procedure uses custom (non-self-signed) CA certificates from a CA authority, one for your Satellite, one for your Capsule server.
  • Make a backup of the files you received from the CA authority.
  • This discussion deviates from the Red Hat solution mentioned above.

This is important, take the bundle file from Satellite and Capsule, and put them together

  • In the Satellite document above, Paragraph 4.12.2, we used our own custom bundle file, and used it for both the Satellite and Capsule.
  • Prior to running "katello-certs-check" we did this:
  • Run this command on the Satellite server against the Satellite bundle file you received from your CA authority for your Satellite CSR. It may end with "p7b", but make sure it is the bundle file. Validate that you are using the right file.
# run this on your satellite server with the bundle file you received from your CA Authority
openssl pkcs7 -print_certs -in NAME_OF_SATELLITE_CA_BUNDLE_FILE_NOT_IN_CAPS.p7b -out satellite_cer.pem
  • Run this command on the Capsule server against the Capsule bundle file you received from your CA authority for your Capsule CSR. It may end with "p7b", but make sure it is the bundle file. Validate that you are using the right file.
# run this on your capsule server with the bundle file you received from your CA Authority
openssl pkcs7 -print_certs -in NAME_OF_CAPSULE_CA_BUNDLE_FILE_NOT_IN_CAPS.p7b -out capsule_cer.pem
  • Take the Satellite file named "satellite_cer.pem" from above and run the commands below. The intent is to cat the Satellite and Capsule files together, Satellite file first.
  • Note that the ">>" below is important: it appends the second file. The result is both files in one, first the Satellite file from above, then the Capsule file after it.
# ">" creates the combined file from the satellite chain; ">>" appends the capsule chain
cat satellite_cer.pem > sat_cap_bundle_cer.pem
cat capsule_cer.pem >> sat_cap_bundle_cer.pem
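
The conversion and concatenation above, plus the "validate that you are using the right file" checks, scripted as an added example. This is not code from the post or from Red Hat; the function names are assumptions, the file names follow the post, and it assumes openssl is on the path and that the CA delivered the PKCS#7 bundle PEM-encoded (the same assumption the openssl command in the post makes). It checks that the combined file contains every certificate from both chains and nothing else, that the Satellite chain comes first, and that a server certificate actually chains to the combined bundle before katello-certs-check is run.

```shell
#!/bin/sh
# Added example, not part of the original post or of Red Hat's tooling.
# Scripts the p7b -> PEM conversion and satellite-first concatenation from the
# post and adds sanity checks for the resulting bundle. Function names are
# assumptions; file names follow the post.
set -eu

# Convert a PKCS#7 bundle (.p7b) to PEM certificates, as in the post.
# If the CA sent a DER-encoded bundle, add "-inform DER" to this command.
p7b_to_pem() {
    # $1 = input .p7b from the CA, $2 = output .pem
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# Number of certificates in a PEM file (prints 0 if none, without tripping set -e).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Subject of the first certificate in a file, taken from the "subject=" lines
# that "openssl pkcs7 -print_certs" writes in front of each certificate.
first_subject() {
    grep '^subject=' "$1" | head -n 1
}

# Build the combined bundle: satellite chain first, capsule chain appended.
make_combined_bundle() {
    # $1 = satellite .p7b, $2 = capsule .p7b, $3 = output combined .pem
    p7b_to_pem "$1" satellite_cer.pem
    p7b_to_pem "$2" capsule_cer.pem
    cat satellite_cer.pem > "$3"    # ">" starts the file with the satellite chain
    cat capsule_cer.pem >> "$3"     # ">>" appends the capsule chain
}

# The checks the post asks the reader to do by eye: the combined file holds
# every certificate from both chains, nothing extra, and the satellite chain
# comes first. Returns non-zero on any mismatch.
check_combined_bundle() {
    # $1 = combined .pem, $2 = satellite .pem, $3 = capsule .pem
    sat=$(count_certs "$2")
    cap=$(count_certs "$3")
    all=$(count_certs "$1")
    if [ "$sat" -eq 0 ] || [ "$cap" -eq 0 ] || [ "$all" -ne $((sat + cap)) ]; then
        echo "bundle check failed: satellite=$sat capsule=$cap combined=$all" >&2
        return 1
    fi
    if [ "$(first_subject "$1")" != "$(first_subject "$2")" ]; then
        echo "bundle check failed: satellite chain is not first" >&2
        return 1
    fi
    return 0
}

# Does a server certificate chain to the combined bundle? This is the
# relationship katello-certs-check will later depend on.
verify_server_cert() {
    # $1 = combined bundle .pem, $2 = server certificate .pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh build_bundle.sh SATELLITE_BUNDLE.p7b CAPSULE_BUNDLE.p7b sat_cap_bundle_cer.pem
if [ $# -eq 3 ]; then
    make_combined_bundle "$1" "$2" "$3"
    check_combined_bundle "$3" satellite_cer.pem capsule_cer.pem
    echo "wrote $3 ($(count_certs "$3") certificates)"
fi
```

Run it on the Satellite server with the two bundle files from the CA; it leaves satellite_cer.pem, capsule_cer.pem and the combined file in the current directory, exactly as the manual steps do. The order check catches the bundles being concatenated the wrong way round, the count check catches a truncated or doubled file, and verify_server_cert against the Satellite or Capsule server certificate tells you before katello-certs-check whether the bundle you are about to hand it is the one that signed those certificates.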

From this point on, use the Red Hat documentation starting at paragraph 4.12.2 for Satellite (link above) first, then do the Capsule. When it calls for the bundle file, use the "sat_cap_bundle_cer.pem" file created above instead.

# no trailing whitespace is allowed after the backslashes, or the line continuation breaks
katello-certs-check \
-c /root/satellite_cert/satellite_cert.pem \
-k /root/satellite_cert/satellite_cert_key.pem \
-b /root/satellite_cert/sat_cap_bundle_cer.pem

This will print additional commands; please follow the Red Hat documentation carefully from there.

Important Note: The Capsule DID NOT APPEAR IN THE SATELLITE WEB UI until we successfully ingested the custom, non-self-signed CA certs! The Red Hat documentation for the Capsule in paragraph 2.7 step 14 says to go to the Satellite UI and first determine if you can "see" the capsule there. We could not see the additional capsule server we created UNTIL AFTER we took care of the custom non-self-signed CA certs, and it was only after we did this that the Satellite would "see" the capsule in the Web UI.

I'll be happy to discuss in the comments below.

The only place we deviated from the instructions was to take the two bundle files for the Satellite and Capsule and put them into one file (described above); after that we followed the Red Hat Satellite and Capsule instructions near verbatim (again, we could only "see" the capsule in the Satellite web UI after we properly ingested the certificates for both the Satellite and Capsule).

PLEASE MAKE CAREFUL NOTE when reading the instructions for Satellite and Capsule. There are times in the Capsule instructions when it says to run commands on the Satellite - KEEP A CAREFUL WATCH FOR THAT. This seems obvious, but it is easily missed. At one point, you must copy files from the Capsule to the Satellite and back.

Regards,
RJ
