How to generate a new internal CA for my Satellite server
Environment
Red Hat Satellite 6.15+
Issue
I want to replace the current internal CA used by my Satellite by a new one.
Some common reasons for wanting/needing to replace the internal CA:
- current CA was generated with SHA1 signing algorithm
- current CA is too weak (1024bit, for example)
Resolution
- Ensure you have a snapshot of your Satellite before starting this procedure.
- Rename the ssl-build directory (a new one will be created):
mv /root/ssl-build /root/ssl-build-old-$(date +%s)
- Run satellite-installer with the options below:
satellite-installer --reset-certs-regenerate
satellite-maintain service restart
- Check that the CA was changed (observe the dates, signature algorithm and public-key size)
openssl x509 -noout -text -in /root/ssl-build/katello-default-ca.crt|grep -e 'Signature Algorithm:' -e 'Not After' -e 'Not Before' -e 'Public-Key:'
- Force the update of the new CertGuard's CA on Pulp:
foreman-rake console << EORAKE
satellite = SmartProxy.pulp_primary
ForemanTasks.sync_task(Actions::Pulp3::ContentGuard::Refresh, satellite)
EORAKE
Note: Run this step only if you have a standalone Satellite (no external Capsules). If you have external Capsules, skip this step.
- If you have Capsules, you need to generate new Capsule certificates and redeploy the tarball.
- Step 6.1: Refresh the Content Guard for all Smart Proxies. After the Capsule certificates have been redeployed, run the following command on the Satellite:
foreman-rake console << EORAKE
SmartProxy.all.each do |smart_proxy|
ForemanTasks.sync_task(Actions::Pulp3::ContentGuard::Refresh, smart_proxy)
end
EORAKE
This refreshes repository access rules on:
- Satellite
- All external Capsules
- Update or re-register clients. Choose between update (7.1) or re-register (7.2); don't do both.
- 7.1 - Update the identity of all your clients. Run the commands below on all Satellite clients. You can use REX to make this step easier.
subscription-manager identity --regenerate --force --username <username> --password <password>
subscription-manager refresh --force || subscription-manager refresh
Note that the username and password of a Satellite user are needed for this step. Consider creating a temporary user that is removed after the procedure (or at least set a temporary password).
- 7.2 - Re-register. You can also use REX to make this step easier.
subscription-manager clean
<register again using your preferred method>
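As an added check for the "Check that the CA was changed" step (this script is not part of the Red Hat article), the shell function below turns the openssl inspection into a pass/fail verdict against the two weaknesses listed under Issue, a SHA-1 signature and a short key. It assumes a 2048-bit RSA minimum and embeds a constructed sample of openssl's text output for the demo.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: flag a CA certificate as weak
# by the two criteria the article names, a SHA-1 (or MD5) signature algorithm
# or an RSA key shorter than MIN_KEY_BITS. ca_verdict reads the text printed
# by `openssl x509 -noout -text` on stdin and returns 0 (acceptable) or 1 (weak).

MIN_KEY_BITS=2048   # assumption: 2048-bit RSA as the minimum acceptable size

ca_verdict() {
    text=$(cat)
    # The first "Signature Algorithm:" line is the one inside the signed body.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: *(\([0-9]*\) bit).*/\1/p' | head -n 1)
    expires=$(printf '%s\n' "$text" | sed -n 's/^ *Not After *: *//p' | head -n 1)
    reason=""
    case "$sigalg" in
        sha1*|md5*|"") reason="weak signature algorithm '$sigalg'" ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_KEY_BITS" ]; then
        reason="${reason:+$reason; }public key is ${bits:-unknown} bits (< $MIN_KEY_BITS)"
    fi
    if [ -n "$reason" ]; then
        echo "WEAK: $reason (Not After: $expires)"
        return 1
    fi
    echo "ok: $sigalg, $bits-bit key, Not After: $expires"
}

# Check a certificate file, e.g. /root/ssl-build/katello-default-ca.crt, before and after regeneration.
check_ca_file() {
    openssl x509 -noout -text -in "$1" | ca_verdict
}

# Constructed sample (not real Satellite output): a CA that fails both checks.
SAMPLE_WEAK_TEXT='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jan  1 00:00:00 2015 GMT
            Not After : Jan  1 00:00:00 2035 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

if [ $# -gt 0 ]; then
    check_ca_file "$1"          # real certificate file given on the command line
else
    printf '%s\n' "$SAMPLE_WEAK_TEXT" | ca_verdict || :   # demo on the constructed sample
fi
```

Run it against the old CA before step 3 and against the new katello-default-ca.crt after step 4; the exit status makes it usable from a REX job or a pre-upgrade check.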
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.