Step-by-Step Guide: Configuring Custom SSL Certificates for Red Hat Satellite and Capsule

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Red Hat Capsule 6

Issue

  • When configuring Red Hat Satellite with custom SSL certificates, administrators may encounter issues related to SSL certificate generation and installation, including errors in certificate signing requests (CSR) or mismatches in certificate configurations.

Resolution

  • To successfully create and install custom SSL certificates for Red Hat Satellite, follow these steps:

    • Create a directory to store your certificate files:

       # mkdir /root/satellite_cert
      
    • Generate a Private Key: Use the following command to generate a 4096-bit private key.

       # openssl genrsa -out /root/satellite_cert/satellite_cert_key.pem 4096
      
    • Create and Edit the OpenSSL Configuration File: Create and edit /root/satellite_cert/openssl.cnf with the following content:

            [ req ]
            req_extensions = v3_req
            distinguished_name = req_distinguished_name
            prompt = no
      
            [req_distinguished_name]
            CN = satellite.example.com
            countryName = My_Country_Name
            stateOrProvinceName = My_State_Or_Province_Name
            localityName = My_Locality_Name
            organizationName = My_Organization_Or_Company_Name
            organizationalUnitName = My_Organizational_Unit_Name
      
            [ v3_req ]
            basicConstraints = CA:FALSE
            keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
            extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
            subjectAltName = @alt_names
      
            [ alt_names ]
            DNS.1 = satellite.example.com
      
      
    • Generate the CSR:

       # openssl req -new -key /root/satellite_cert/satellite_cert_key.pem -config /root/satellite_cert/openssl.cnf -out /root/satellite_cert/satellite_cert_csr.pem
      
    • Submit the CSR to the Certificate Authority (CA): Follow your CA’s submission process to obtain the signed certificate and the CA bundle, and save the signed certificate as /root/satellite_cert/satellite_cert.pem (the verification commands below use this path). Use the following command to review the CSR before submitting it:

       # openssl req -in /root/satellite_cert/satellite_cert_csr.pem -noout -text
      
    • Merge CA Certificates into a Single PEM File: If the CA provides the root and intermediate certificates as separate files (here rootCA.pem and intermediateCA.pem), concatenate them into a single PEM bundle.

       # cat rootCA.pem intermediateCA.pem > /root/satellite_cert/merged_ca_bundle.pem
      
    • Verify the Signed Certificate against the CA Bundle:

       # openssl verify -CAfile /root/satellite_cert/merged_ca_bundle.pem /root/satellite_cert/satellite_cert.pem
      
  • For more details, refer to the official Red Hat documentation on SSL certificate configuration: Satellite installation document

Root Cause

  • Issues in SSL certificate configuration arise when the certificates do not meet the Red Hat Satellite requirements. Common causes include:

    • Mismatched Common Name (CN) values
    • Missing Subject Alternative Name (SAN) entries
    • Incorrect key usage settings
    • Improper chaining, or omission of intermediate certificates from the CA bundle, which leads to trust failures on client machines

Diagnostic Steps

  • Ensure that all SSL certificates meet the specified requirements (CN, SAN, key usage, and chain): Use the following command to inspect the certificate details.

     # openssl x509 -in /root/satellite_cert/satellite_cert.pem -text -noout
    
  • Review OpenSSL Configuration: Validate the openssl.cnf file for correctness in fields like CN and SAN.

  • Examine CSR Output: After generating the CSR, check for any errors or warnings:

     # openssl req -in /root/satellite_cert/satellite_cert_csr.pem -noout -text
    
  • Verify Signed Certificates: Once received from the CA, use OpenSSL to verify the integrity and validity of the signed certificates:

     # openssl verify -CAfile /root/satellite_cert/merged_ca_bundle.pem /root/satellite_cert/satellite_cert.pem
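
The diagnostic checks above (CN, SAN, chain against the merged bundle) plus a key/certificate match test, collected into one script. This is an added example, not part of the Red Hat solution: check_satellite_cert takes the FQDN and the article's file layout, and make_fixtures builds a constructed throw-away CA and two test certificates under a temporary directory so the checker can be exercised without a real CA.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat article): check a Satellite server certificate
# against the requirements the article lists before running the installer.
# make_fixtures creates a constructed test PKI only; nothing here touches a real CA.
set -u

check_satellite_cert() {  # usage: check_satellite_cert FQDN cert.pem key.pem ca_bundle.pem
  local fqdn=$1 cert=$2 key=$3 bundle=$4 rc=0 cn
  # 1. Common Name must be the Satellite FQDN (RFC2253 form prints "CN=host,...")
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] || { echo "CN mismatch: got '$cn', want '$fqdn'"; rc=1; }
  # 2. subjectAltName must carry a DNS entry for the FQDN; clients match on SAN, not CN
  openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$fqdn(,|$)" \
    || { echo "SAN entry DNS:$fqdn missing"; rc=1; }
  # 3. The chain must verify against the merged root + intermediate bundle
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 \
    || { echo "chain verification against $bundle failed"; rc=1; }
  # 4. The private key must belong to this certificate (compare the derived public keys)
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "private key does not match certificate"; rc=1; }
  return $rc
}

make_fixtures() {  # constructed test PKI; prints the directory it created
  local d; d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/csr.pem" \
    -subj "/CN=satellite.example.com" 2>/dev/null
  printf 'subjectAltName=DNS:satellite.example.com\n' > "$d/san.ext"
  # good certificate: SAN present
  openssl x509 -req -in "$d/csr.pem" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -extfile "$d/san.ext" -out "$d/cert.pem" 2>/dev/null
  # bad certificate: same CSR signed without the SAN extension (the article's "missing SAN" case)
  openssl x509 -req -in "$d/csr.pem" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -out "$d/nosan.pem" 2>/dev/null
  echo "$d"
}

if [ "${1:-}" = "--selfcheck" ]; then
  d=$(make_fixtures)
  check_satellite_cert satellite.example.com "$d/cert.pem" "$d/key.pem" "$d/ca.pem" && echo "cert.pem OK"
  check_satellite_cert satellite.example.com "$d/nosan.pem" "$d/key.pem" "$d/ca.pem" || echo "nosan.pem rejected"
fi
```

Run it with --selfcheck to see the constructed good certificate pass and the SAN-less one fail; against a real deployment, call check_satellite_cert with the FQDN and the article's paths.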
    
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.