3.11.2. Deploying a Custom SSL Certificate to Satellite Server

Use this procedure to configure your Satellite Server to use a custom SSL certificate signed by a Certificate Authority. The katello-certs-check command validates the input certificate files and returns the commands necessary to deploy a custom SSL certificate to Satellite Server.

Procedure

  1. Validate the custom SSL certificate input files. Note that for the katello-certs-check command to work correctly, the Common Name (CN) in the certificate must match the FQDN of Satellite Server.

    # katello-certs-check \
    -c /root/satellite_cert/satellite_cert.pem \
    -k /root/satellite_cert/satellite_cert_key.pem \
    -b /root/satellite_cert/ca_cert_bundle.pem

    -c  Path to Satellite Server certificate file that is signed by a Certificate Authority.
    -k  Path to the private key that was used to sign Satellite Server certificate.
    -b  Path to the Certificate Authority bundle.

    If the command is successful, it returns two satellite-installer commands, one of which you must use to deploy a certificate to Satellite Server.

    Example output of katello-certs-check

    Validation succeeded.
    
    To install the Red Hat Satellite Server with the custom certificates, run:
    
      satellite-installer --scenario satellite \
        --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
        --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
        --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem"
    
    To update the certificates on a currently running Red Hat Satellite installation, run:
    
      satellite-installer --scenario satellite \
        --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
        --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
        --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
        --certs-update-server --certs-update-server-ca

  2. From the output of the katello-certs-check command, depending on your requirements, enter the satellite-installer command that installs a new Satellite with custom SSL certificates or updates certificates on a currently running Satellite.

    If you are unsure which command to run, you can verify that Satellite is installed by checking if the file /etc/foreman-installer/scenarios.d/.installed exists. If the file exists, run the second satellite-installer command that updates certificates.

    Important

    Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Satellite Server.

  3. On a computer with network access to Satellite Server, navigate to the following URL: https://satellite.example.com.
  4. In your browser, view the certificate details to verify the deployed certificate.
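
The three input files from step 1 can also be checked by hand with openssl before running katello-certs-check. The script below is an added example, not part of the original procedure or of Satellite's tooling: the function names, the throwaway CA and the temporary directory are assumptions constructed for illustration. It checks that the CN equals the FQDN, that the private key belongs to the certificate, and that the certificate chains to the CA bundle.

```shell
#!/usr/bin/env bash
# Added example: openssl pre-flight for the three katello-certs-check input files.

# Print the subject Common Name (CN) of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
    sed -n 's/^ *commonName *= *//p'
}

# Succeed when the private key's public half equals the certificate's public key.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed when the certificate chains to a CA in the bundle.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# preflight CERT KEY CA_BUNDLE FQDN: report each check, return the failure count.
preflight() {
  local fails=0
  [ "$(cert_cn "$1")" = "$4" ] || { echo "FAIL: CN is not $4"; fails=$((fails + 1)); }
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; fails=$((fails + 1)); }
  chain_verifies "$1" "$3" || { echo "FAIL: certificate does not chain to bundle"; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ] && echo "OK: inputs are consistent for $4"
  return "$fails"
}

# Constructed sample input: a throwaway CA and server certificate in DIR for FQDN.
make_demo_pki() {
  local d="$1" fqdn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
    -keyout "$d/ca_key.pem" -out "$d/ca_cert_bundle.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$d/satellite_cert_key.pem" -out "$d/satellite.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$d/satellite.csr" -CA "$d/ca_cert_bundle.pem" \
    -CAkey "$d/ca_key.pem" -CAcreateserial -out "$d/satellite_cert.pem" 2>/dev/null
}

# Demo run against the constructed files (not a real Satellite certificate).
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" satellite.example.com
preflight "$demo_dir/satellite_cert.pem" "$demo_dir/satellite_cert_key.pem" \
  "$demo_dir/ca_cert_bundle.pem" satellite.example.com
```

To check real input files, call preflight with the paths under /root/satellite_cert/ and the FQDN of your Satellite Server in place of the demo values.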