2.3.2. Configuring Red Hat Satellite with a Custom Server Certificate
katello-installer comes with a default CA that is used both for the server SSL certificates and for the client certificates used to authenticate the subservices. These certificates can be replaced with custom ones.
There are two instances wherein you can configure the Satellite Server to use a custom CA certificate:
- When katello-installer is run the first time
- After katello-installer has already been run
Procedure 2.4. Setting a Custom Server Certificate while running katello-installer for the first time
- Run this command on the Red Hat Satellite Server:
  katello-installer --certs-server-cert ~/path/to/server.crt \
    --certs-server-cert-req ~/path/to/server.crt.req \
    --certs-server-key ~/path/to/server.crt.key \
    --certs-server-ca-cert ~/path/to/cacert.crt
  Where:
  - certs-server-cert is the path to your certificate, signed by your certificate authority (or self-signed).
  - certs-server-cert-req is the path to the certificate signing request file that was used to create the certificate.
  - certs-server-key is the private key used to sign the certificate.
  - certs-server-ca-cert is the path to the CA certificate on this system.
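A pre-flight check that can be run on the four files before either installer run, as an added example that is not part of the Red Hat documentation: it confirms that the certificate, CSR and private key share one public key and that the certificate verifies against the CA file. The function names and the throwaway demo bundle are assumptions made for illustration; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example (not from the Satellite documentation): check the four files
# before passing them to katello-installer. Function names are hypothetical.

# Print a SHA-256 digest of the public key in a certificate, CSR or private key.
pubkey_hash() {  # $1 = x509 | req | pkey, $2 = file
    pem=$(case "$1" in
        (x509) openssl x509 -in "$2" -noout -pubkey ;;
        (req)  openssl req  -in "$2" -noout -pubkey ;;
        (pkey) openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1   # never hash empty output from an unknown type
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# Return 0 when the bundle is consistent; 2-5 identify the failing check.
check_cert_bundle() {  # $1 = cert, $2 = CSR, $3 = key, $4 = CA cert
    cert_h=$(pubkey_hash x509 "$1") || { echo "unreadable certificate: $1" >&2; return 2; }
    csr_h=$(pubkey_hash req "$2")   || { echo "unreadable CSR: $2" >&2; return 2; }
    key_h=$(pubkey_hash pkey "$3")  || { echo "unreadable key: $3" >&2; return 2; }
    [ "$cert_h" = "$key_h" ] || { echo "certificate does not match key" >&2; return 3; }
    [ "$csr_h" = "$key_h" ]  || { echo "CSR does not match key" >&2; return 4; }
    # Chain and validity-period check; openssl may also consult the system trust directory.
    openssl verify -CAfile "$4" "$1" >/dev/null 2>&1 ||
        { echo "certificate does not verify against $4" >&2; return 5; }
}

# Constructed sample input: a throwaway CA and server certificate in directory $1.
make_demo_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/cacert.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=satellite.example.com" \
        -keyout "$d/server.crt.key" -out "$d/server.crt.req" 2>/dev/null &&
    openssl x509 -req -in "$d/server.crt.req" -CA "$d/cacert.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

# Usage: sh check.sh server.crt server.crt.req server.crt.key cacert.crt
if [ "$#" -eq 4 ]; then
    check_cert_bundle "$@" && echo "bundle is consistent"
fi
```

A non-zero return identifies which file to regenerate before the installer is run with --certs-update-server and --certs-update-server-ca.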
Procedure 2.5. Setting a Custom Server Certificate after running katello-installer
- The initial run of katello-installer uses the default CA for both server and client certificates. To enforce deployment of the custom certificates, set the --certs-update-server parameter, and set the --certs-update-server-ca parameter to update the CA certificate:
  katello-installer --certs-server-cert ~/path/to/server.crt \
    --certs-server-cert-req ~/path/to/server.crt.req \
    --certs-server-key ~/path/to/server.crt.key \
    --certs-server-ca-cert ~/path/to/cacert.crt \
    --certs-update-server --certs-update-server-ca
  This will regenerate the katello-ca-consumer package and the server CA certificate.
- After the server CA changes, install the new version of the katello-ca-consumer package on the client systems:
  rpm -Uvh http://katello.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Important
Use the same custom server certificate on both the Red Hat Satellite Server and the Red Hat Satellite Capsule Server to ensure that the trusted relationship between the two hosts is maintained.