2.3.2. Configuring Red Hat Satellite with a Custom Server Certificate

katello-installer comes with a default CA used both for the server ssl certificates as well as the client certificates used for authentication of the subservices. These certificates can be replaced with custom ones.
There are two instances wherein you can configure the Satellite Server to use a custom CA certificate:
  1. When katello-installer is run the first time
  2. After katello-installer has already been run

Procedure 2.4. Setting a Custom Server Certificate while running katello-installer for the first time

  • Run this command on the Red Hat Satellite Server:
    katello-installer --certs-server-cert ~/path/to/server.crt\
                      --certs-server-cert-req ~/path/to/server.crt.req\
                      --certs-server-key ~/path/to/server.crt.key\
                      --certs-server-ca-cert ~/path/to/cacert.crt
    • certs-server-cert is the path to your certificate, signed by your certificate authority (or self signed)
    • certs-server-cert-req is the path to your certificate signing request file that was used to create the certificate.
    • certs-server-key the private key used to sign the certificate
    • certs-server-ca-cert ~/path/to/cacert.crt the path to the CA certificate on this system.

Procedure 2.5. Setting a Custom Server Certificate after running katello-installer

  1. The initial run of katello-installer uses the default CA for both server and client certificates. To enforce custom certificates deployment, set the --certs-update-server parameter and the --certs-update-server-ca parameter to update the CA certificate:
    katello-installer --certs-server-cert ~/path/to/server.crt\ --certs-server-cert-req ~/path/to/server.crt.req\ --certs-server-key ~/path/to/server.crt.key\ --certs-server-ca-cert ~/path/to/cacert.crt\ --certs-update-server --certs-update-server-ca
    This will regenerate the katello-ca-consumer package and the server CA certificate.
  2. After the server CA changes, install the new version of the consumer-ca-consumer package on the client systems:
    rpm -Uvh http://katello.example.com/pub/katello-ca-consumer-latest.noarch.rpm


Use the same custom server certificate on both the Red Hat Satellite Server and the Red Hat Satellite Capsule Server to ensure that the trusted relationship between the two hosts is maintained.