3.11. Configuring Satellite Server with a Custom SSL Certificate
By default, Red Hat Satellite uses a self-signed SSL certificate to enable encrypted communications between Satellite Server, external Capsule Servers, and all hosts. If you cannot use a Satellite self-signed certificate, you can configure Satellite Server to use an SSL certificate signed by an external Certificate Authority.
To configure your Satellite Server with a custom certificate, complete the following procedures:
- 「Creating a Custom SSL Certificate for Satellite Server」
- 「Deploying a Custom SSL Certificate to Satellite Server」
- 「Deploying a Custom SSL Certificate to Hosts」
- If you have external Capsule Servers registered to Satellite Server, you must configure them with custom SSL certificates. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server. For more information, see Configuring Capsule Server with a Custom SSL Certificate in Installing Capsule Server.
3.11.1. Creating a Custom SSL Certificate for Satellite Server
Use this procedure to create a custom SSL certificate for Satellite Server. If you already have a custom SSL certificate for Satellite Server, skip this procedure.
When you configure Satellite Server with custom certificates, note the following considerations:
- You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
- You cannot use the same certificate for both Satellite Server and Capsule Server.
- The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.
Procedure
To store all the source certificate files, create a directory that is accessible only to the
rootuser.# mkdir /root/satellite_cert
Create a private key with which to sign the Certificate Signing Request (CSR).
Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
If you already have a private key for this Satellite Server, skip this step.
# openssl genrsa -out
/root/satellite_cert/satellite_cert_key.pem4096Create the
/root/satellite_cert/openssl.cnfconfiguration file for the Certificate Signing Request (CSR) and include the following content:[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name x509_extensions = usr_cert prompt = no [ req_distinguished_name ] 1 C = Country Name (2 letter code) ST = State or Province Name (full name) L = Locality Name (eg, city) O = Organization Name (eg, company) OU = The division of your organization handling the certificate CN = satellite.example.com 2 [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection subjectAltName = @alt_names [ usr_cert ] basicConstraints=CA:FALSE nsCertType = client, server, email keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer [ alt_names ] DNS.1 = satellite.example.com 3
- 1
- In the
[ req_distinguished_name ]section, enter information about your organization. - 2
- Set the certificate’s Common Name
CNto match the fully qualified domain name (FQDN) of your Satellite Server. To confirm a FQDN, on that Satellite Server, enter thehostname -fcommand. This is required to ensure that thekatello-certs-checkcommand validates the certificate correctly. - 3
- Set the Subject Alternative Name (SAN)
DNS.1to match the fully qualified domain name (FQDN) of your server.
Generate the Certificate Signing Request (CSR):
# openssl req -new \ -key /root/satellite_cert/satellite_cert_key.pem \ 1 -config /root/satellite_cert/openssl.cnf \ 2 -out /root/satellite_cert/satellite_cert_csr.pem 3
Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.