Suchen

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 14. Renewing the Custom SSL Certificate

download PDF

This chapter provides information on how to renew the custom SSL certificate on Satellite Server as well as on Capsule Server.

14.1. Renewing a Custom SSL Certificate on Satellite Server

Use this procedure to update your custom SSL certificate for Satellite Server.

Prerequisite

  • You must create a new Certificate Signing Request (CSR) and send it to the Certificate Authority to sign the certificate. Refer to the Configuring Satellite Server with a Custom SSL Certificate guide before creating a new CSR because the Server certificate must have X.509 v3 Key Usage and Extended Key Usage extensions with required values. In return, you will receive the Satellite Server certificate and CA bundle.

Procedure

  • Before deploying a renewed custom certificate on your Satellite Server, validate the custom SSL input files. Note that for the katello-certs-check command to work correctly, Common Name (CN) in the certificate must match the FQDN of Satellite Server:

    # katello-certs-check -t satellite \
    -b /root/satellite_cert/ca_cert_bundle.pem \
    -c /root/satellite_cert/satellite_cert.pem \
    -k /root/satellite_cert/satellite_cert_key.pem

    If the command is successful, it returns the following satellite-installer command. You can use this command to deploy the renewed CA certificates to Satellite Server:

    # satellite-installer --scenario satellite \
    --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
    --certs-server-key "/root/satellite_cert/satellite_key.pem" \
    --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
    --certs-update-server \
    --certs-update-server-ca
Important

Do not delete the certificate files after you deploy the certificate. They are required when upgrading Satellite Server.

Note

If a new consumer package katello-ca-consumer-latest.noarch.rpm is generated due to a different Certificate Signing Authority, all the clients registered to Satellite Server must be updated.

Verification

  1. Access the Satellite web UI from your local machine. For example, https://satellite.example.com.
  2. In your browser, view the certificate details to verify the deployed certificate.

14.2. Renewing a Custom SSL certificate on Capsule Server

Use this procedure to update your custom SSL certificate for Capsule Server. The satellite-installer command, which the capsule-certs-generate command returns, is unique to each Capsule Server. You cannot use the same command on more than one Capsule Server.

Prerequisite

  • You must create a new Certificate Signing Request and send it to the Certificate Authority to sign the certificate. Refer to the Configuring Satellite Server with a Custom SSL Certificate guide before creating a new CSR because the Satellite Server certificate must have X.509 v3 Key Usage and Extended Key Usage extensions with required values. In return, you will receive the Capsule Server certificate and CA bundle.

Procedure

  1. On your Satellite Server, validate the custom SSL certificate input files:

    # katello-certs-check -t capsule \
    -b /root/capsule_cert/ca_cert_bundle.pem \
    -c /root/capsule_cert/capsule_cert.pem \
    -k /root/capsule_cert/capsule_cert_key.pem
  2. On your Satellite Server, generate the certificate archive file for your Capsule Server:

    capsule-certs-generate --foreman-proxy-fqdn "capsule.example.com" \
    --certs-tar  "/root/My_Certificates/capsule.example.com-certs.tar" \
    --server-cert "/root/My_Certificates/capsule_cert.pem" \
    --server-key "/root/My_Certificates/capsule_cert_key.pem" \
    --server-ca-cert "/root/My_Certificates/ca_cert_bundle.pem" \
    --certs-update-server
  3. On your Satellite Server, copy the certificate archive file to your Capsule Server:

    # scp /root/My_Certificates/capsule.example.com-certs.tar user@capsule.example.com:

    You can move the copied file to the applicable path if required.

  4. Retain a copy of the satellite-installer command that the capsule-certs-generate command returns for deploying the certificate to your Capsule Server.
  5. Deploy the certificate on your Capsule Server using the satellite-installer command returned by the capsule-certs-generate command:

    # satellite-installer --scenario capsule \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-foreman-base-url "https://satellite.example.com" \
    --certs-tar-file "/root/My_Certificates/capsule.example.com-certs.tar" \
    --certs-update-server
Important

Do not delete the certificate archive file on the Capsule Server after you deploy the certificate. They are required when upgrading Capsule Server.

Note

If a new consumer package katello-ca-consumer-latest.noarch.rpm is generated due to a different Certificate Signing Authority, all the clients registered to Capsule Server must be updated.

Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.