3.11. Configuring Satellite Server with a Custom SSL Certificate

By default, Red Hat Satellite uses a self-signed SSL certificate to enable encrypted communications between Satellite Server, external Capsule Servers, and all hosts. If you cannot use a Satellite self-signed certificate, you can configure Satellite Server to use an SSL certificate signed by an external Certificate Authority.

To configure your Satellite Server with a custom certificate, complete the following procedures:

  1. "Creating a Custom SSL Certificate for Satellite Server"
  2. "Deploying a Custom SSL Certificate to Satellite Server"
  3. "Deploying a Custom SSL Certificate to Hosts"
  4. If you have external Capsule Servers registered to Satellite Server, you must configure them with custom SSL certificates. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server. For more information, see Configuring Capsule Server with a Custom SSL Certificate in Installing Capsule Server.

3.11.1. Creating a Custom SSL Certificate for Satellite Server

Use this procedure to create a custom SSL certificate for Satellite Server. If you already have a custom SSL certificate for Satellite Server, skip this procedure.

When you configure Satellite Server with custom certificates, note the following considerations:

  • You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
  • You cannot use the same certificate for both Satellite Server and Capsule Server.
  • The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.

Procedure

  1. To store all the source certificate files, create a directory that is accessible only to the root user.

    # mkdir /root/satellite_cert
  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Satellite Server, skip this step.

    # openssl genrsa -out /root/satellite_cert/satellite_cert_key.pem 4096
  3. Create the /root/satellite_cert/openssl.cnf configuration file for the Certificate Signing Request (CSR) and include the following content:

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    x509_extensions = usr_cert
    prompt = no
    
    [ req_distinguished_name ]
    C  = Country Name (2 letter code)
    ST = State or Province Name (full name)
    L  = Locality Name (eg, city)
    O  = Organization Name (eg, company)
    OU = The division of your organization handling the certificate
    CN = satellite.example.com
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
    subjectAltName = @alt_names
    
    [ usr_cert ]
    basicConstraints=CA:FALSE
    nsCertType = client, server, email
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
    nsComment = "OpenSSL Generated Certificate"
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    [ alt_names ]
    DNS.1 = satellite.example.com

    In the [ req_distinguished_name ] section, enter information about your organization.

    Set the certificate's Common Name (CN) to match the fully qualified domain name (FQDN) of your Satellite Server. To confirm the FQDN, enter the hostname -f command on that Satellite Server. This is required to ensure that the katello-certs-check command validates the certificate correctly.

    Set the Subject Alternative Name (SAN) entry DNS.1 in the [ alt_names ] section to match the FQDN of your server.
  4. Generate the Certificate Signing Request (CSR):

    # openssl req -new \
    -key /root/satellite_cert/satellite_cert_key.pem \
    -config /root/satellite_cert/openssl.cnf \
    -out /root/satellite_cert/satellite_cert_csr.pem

    The -key option gives the path to the private key, -config the path to the configuration file, and -out the path to the CSR to generate.
  5. Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.
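The following script is an added example and is not part of the Red Hat Satellite documentation. It runs steps 1 to 4 of the procedure above for a directory and FQDN given on the command line, using the openssl.cnf content from this page, and then checks the CSR before it is sent to the Certificate Authority: that the private key is unencrypted, that the CSR was signed with that key, and that both the CN and the SAN DNS.1 entry equal the FQDN, which is what katello-certs-check later expects. The function names, the organisation values written into openssl.cnf, and the 2048-bit key size accepted as an optional third argument are all assumptions of this example; the page itself specifies a 4096-bit key, which remains the default.

```shell
#!/bin/sh
# Added example, not from the Red Hat Satellite documentation. Creates the
# certificate directory, an unencrypted RSA key, openssl.cnf and the CSR,
# then verifies the CSR against the FQDN. Organisation values in the
# configuration are constructed placeholders: replace them with your own.
set -eu

# Write the CSR configuration shown on the page, with CN and SAN set to the FQDN.
write_openssl_cnf() {
    local dir="$1" fqdn="$2"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ]
C  = US
ST = Example State
L  = Example City
O  = Example Org
OU = Infrastructure
CN = $fqdn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ alt_names ]
DNS.1 = $fqdn
EOF
}

# Steps 1 to 4: root-only directory, unencrypted key (4096 bits unless
# overridden), configuration file and CSR.
create_satellite_csr() {
    local dir="$1" fqdn="$2" bits="${3:-4096}"
    mkdir -p "$dir"
    chmod 700 "$dir"
    write_openssl_cnf "$dir" "$fqdn"
    openssl genrsa -out "$dir/satellite_cert_key.pem" "$bits" 2>/dev/null
    openssl req -new \
        -key "$dir/satellite_cert_key.pem" \
        -config "$dir/openssl.cnf" \
        -out "$dir/satellite_cert_csr.pem"
}

# Common Name of a CSR (RFC 2253 order puts CN first, so take the first CN=).
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# One SAN entry per line, e.g. "DNS:satellite.example.com".
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//'
}

# Pre-submission checks. Prints each problem; returns 0 only when all pass.
check_satellite_csr() {
    local dir="$1" fqdn="$2" rc=0 key csr
    key="$dir/satellite_cert_key.pem"
    csr="$dir/satellite_cert_csr.pem"
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: private key is password-protected"; rc=1
    fi
    if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
         "$(openssl req -in "$csr" -noout -pubkey)" ]; then
        echo "FAIL: CSR was not signed with $key"; rc=1
    fi
    if [ "$(csr_common_name "$csr")" != "$fqdn" ]; then
        echo "FAIL: CN is not $fqdn"; rc=1
    fi
    if ! csr_san_names "$csr" | grep -F -x -q "DNS:$fqdn"; then
        echo "FAIL: no SAN entry DNS:$fqdn"; rc=1
    fi
    return $rc
}

# Usage: sh make_satellite_csr.sh /root/satellite_cert satellite.example.com
if [ "$#" -eq 2 ]; then
    [ "$(hostname -f)" = "$2" ] || echo "WARNING: $2 differs from hostname -f"
    create_satellite_csr "$1" "$2"
    check_satellite_csr "$1" "$2"
fi
```

Run it on the Satellite Server as root with the certificate directory and the output of hostname -f; a non-zero exit means the CSR should be regenerated before it goes to the CA, since a CN or SAN mismatch is only caught later by katello-certs-check.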