Is it supported to move from the default self signed certificate for the Satellite Server to a private, company signed certificate?

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • Is it permissible to transition from the default self-signed certificate for the Red Hat Satellite Server to a privately signed certificate from the company?
  • Can we replace the default self-signed certificate used by the Red Hat Satellite Server with a privately signed certificate from our company?

Resolution

  • The provided steps detail the process of deploying a custom SSL certificate to a Red Hat Satellite Server.

  • To secure communication within your Red Hat Satellite infrastructure, follow these steps to obtain a signed certificate from a Certificate Authority (CA):

  1. Private Key Generation:

    • Begin by creating a private key that will be used to sign the Certificate Signing Request (CSR). This key plays a crucial role in the certificate generation process.
  2. CSR Creation:

    • Refer to the Red Hat Satellite installation document for specific guidelines on generating a Certificate Signing Request (CSR) tailored to the requirements of your Satellite infrastructure.
  3. Certificate Authority (CA) Submission:

    • Submit the generated CSR to the designated Certificate Authority (CA). It is essential to choose a CA that can sign certificates for both the Satellite Server and Capsule Server.
  4. Providing Request Details:

    • While submitting the certificate request, specify the desired lifespan for the certificate. This lifespan determines the duration for which the certificate will remain valid.
    • Be sure to confirm with the CA the preferred method for submitting the certificate request, as different CAs may have distinct submission procedures.
  5. Receiving CA Response:

    • Following the submission, anticipate receiving two separate files from the CA:
      - CA Bundle: This bundle contains the Certificate Authority's public key and additional certificates needed for the certificate chain.
      - Signed Certificate: The signed certificate, attested by the CA, which can be applied to the Satellite Server and Capsule Server.
  • Procedure for Deploying a Custom SSL Certificate to Satellite Server:
  1. Certificate File Validation:
    - Utilize the katello-certs-check command to validate custom SSL certificate files.
    - Ensure that the Common Name (CN) in the certificate matches the Satellite Server's FQDN.

     # katello-certs-check \
       -c /root/satellite_cert/satellite_cert.pem \
       -k /root/satellite_cert/satellite_cert_key.pem \
       -b /root/satellite_cert/ca_cert_bundle.pem
    
  2. Sample Output:

    - Upon success, the command provides two satellite-installer commands for installation or update.
  3. Commands for Deployment:
    - Choose the appropriate satellite-installer command based on your needs:
    - To install a new Satellite with custom SSL certificates:

        satellite-installer --scenario satellite \
          --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
          --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
          --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem"

    - For updating certificates on a running Satellite:

        satellite-installer --scenario satellite \
          --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
          --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
          --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
          --certs-update-server --certs-update-server-ca

  4. Essential Notes:
    - Avoid storing SSL certificates or bundles in /tmp or /var/tmp.
    - Refrain from modifying /root/ssl-build.
    - The certificate archive file is crucial for future upgrades using satellite-installer.

  5. Verification Process:
    - Confirm the installation's success by checking for the existence of /etc/foreman-installer/scenarios.d/.installed.

  6. Certificate Validation:
    - Access the Satellite Server through a browser using its FQDN (e.g., https://satellite.example.com).
    - Verify the details of the deployed certificate in your browser.

  • It is supported; however, it is important to note that implementing this change will necessitate deploying the new consumer package to all connected clients.
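The checks that steps 1 and 4 above call out (CN matching the FQDN, files not kept under /tmp or /var/tmp) plus two that katello-certs-check will otherwise fail on (key/certificate mismatch, certificate not chaining to the bundle) can be run as a pre-flight script before invoking the installer. This is an added example, not part of the Red Hat solution or of katello-certs-check; it assumes a POSIX shell with openssl on PATH and takes the certificate, key, CA bundle and FQDN as arguments.

```shell
#!/bin/sh
# Pre-flight check for a custom Satellite certificate set (added example).
# Usage: precheck_satellite_certs CERT KEY CA_BUNDLE FQDN
# Exit status 0 when every check passes, 1 otherwise; each failure is printed.

# Print the subject CN and every DNS SAN of a certificate, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=//p' | tr ',' '\n' | sed -n 's/^ *CN=//p'
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

precheck_satellite_certs() {
    cert=$1; key=$2; bundle=$3; fqdn=$4; rc=0
    # Installer note: never keep the certificate files under /tmp or /var/tmp.
    for f in "$cert" "$key" "$bundle"; do
        case "$f" in
            /tmp/*|/var/tmp/*) echo "FAIL: $f is under /tmp or /var/tmp"; rc=1 ;;
        esac
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; rc=1; }
    # The CN (or a DNS SAN) must be exactly the Satellite Server FQDN.
    cert_names "$cert" | grep -qxF -- "$fqdn" \
        || { echo "FAIL: certificate does not name $fqdn"; rc=1; }
    # The certificate must chain to the CA bundle and must not be expired.
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not verify against CA bundle"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; rc=1; }
    return "$rc"
}
```

Run it with the same three paths you intend to pass to katello-certs-check, for example `precheck_satellite_certs /root/satellite_cert/satellite_cert.pem /root/satellite_cert/satellite_cert_key.pem /root/satellite_cert/ca_cert_bundle.pem satellite.example.com`.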

Diagnostic Steps

  • To find the locations of the custom (third-party) SSL certificate files from the installer configuration:

      # grep -iE 'server_key|server_cert_req|server_ca_cert|server_cert' /etc/foreman-installer/scenarios.d/satellite-answers.yaml
    
  • To display the details of the installed custom (third-party) SSL certificates on the Satellite Server:

      # openssl crl2pkcs7 -nocrl -certfile /etc/pki/katello/certs/katello-apache.crt  | openssl pkcs7 -text -print_certs |egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After|keyid|serial:|TLS)'
    
      # openssl crl2pkcs7 -nocrl -certfile  /etc/foreman-proxy/foreman_ssl_ca.pem  | openssl pkcs7 -text -print_certs |egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After|keyid|serial:|TLS)'
    
      # openssl crl2pkcs7 -nocrl -certfile  /etc/foreman-proxy/ssl_cert.pem  | openssl pkcs7 -text -print_certs |egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After|keyid|serial:|TLS)'
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.