Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Configuring Capsule Servers with custom SSL certificates for load balancing

You can configure one or more Capsule Servers that use custom SSL certificates for load balancing. To do this, configure and install certificates on each Capsule Server you want to use for load balancing.

If you use Puppet in your Satellite deployment, the configuration steps are different. See Chapter 6, Configuring Capsule Servers with custom SSL certificates for load balancing (with Puppet).

4.1. Prerequisites
Copy link

On each Capsule Server you want to configure for load balancing, create a configuration file for the Certificate Signing Request and include the load balancer and Capsule Server as Subject Alternative Names (SAN).

Procedure

  1. To store all the source certificate files, create a directory that is accessible only to the root user: 

    # mkdir /root/capsule_cert
    Copy to Clipboard Toggle word wrap

  2. Create a private key with which to sign the certificate signing request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Capsule Server, skip this step. 

    # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096
    Copy to Clipboard Toggle word wrap

  3. Create the /root/capsule_cert/openssl.cnf configuration file for the CSR and include the following content: 

    [ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ]
commonName = capsule.example.com
    1 
    

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
    2 
    
DNS.1 = loadbalancer.example.com
DNS.2 = capsule.example.com
    Copy to Clipboard Toggle word wrap
    1
    The certificate’s common name must match the FQDN of Capsule Server. Ensure to change this when running the command on each Capsule Server that you configure for load balancing. You can also set a wildcard value *. If you set a wildcard value, you must add the -t capsule option when you use the katello-certs-check command.
    2
    Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of Capsule Server as DNS.2.

    For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

  4. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section: 

    [req_distinguished_name]
CN = capsule.example.com
countryName = My_Country_Name
    1 
    
stateOrProvinceName = My_State_Or_Province_Name
    2 
    
localityName = My_Locality_Name
    3 
    
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name
    4
    Copy to Clipboard Toggle word wrap
    1
    Two letter code
    2
    Full name
    3
    Full name (example: New York)
    4
    Division responsible for the certificate (example: IT department)

  5. Generate CSR: 

    # openssl req -new \
-key /root/capsule_cert/capsule_cert_key.pem \
    1 
    
-config /root/capsule_cert/openssl.cnf \
    2 
    
-out /root/capsule_cert/capsule_cert_csr.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Path to the private key
    2
    Path to the configuration file
    3
    Path to the CSR to generate

  6. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

  7. Copy the Certificate Authority bundle and Capsule Server certificate file that you receive from the Certificate Authority, and Capsule Server private key to your Satellite Server.

  8. On Satellite Server, validate Capsule Server certificate input files: 

    # katello-certs-check \
-c /root/capsule_cert/capsule_cert.pem \
    1 
    
-k /root/capsule_cert/capsule_cert_key.pem \
    2 
    
-b /root/capsule_cert/ca_cert_bundle.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Capsule Server certificate file, provided by your Certificate Authority
    2
    Capsule Server’s private key that you used to sign the certificate
    3
    Certificate Authority bundle, provided by your Certificate Authority

    If you set the commonName= to a wildcard value *, you must add the -t capsule option to the katello-certs-check command.

    Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this Capsule Server.

On each Capsule Server you want to configure for load balancing, install Katello certificates.

Procedure

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command: 

    --foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates: 

    # capsule-certs-generate \
--certs-tar /root/capsule_cert/capsule.tar \
--foreman-proxy-cname loadbalancer.example.com \
--foreman-proxy-fqdn capsule.example.com \
--server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
--server-cert /root/capsule_cert/capsule.pem \
--server-key /root/capsule_cert/capsule.pem
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command from the output for installing Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server: 

    # scp /root/capsule.example.com-certs.tar root@capsule.example.com:capsule.example.com-certs.tar
    Copy to Clipboard Toggle word wrap

  4. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command: 

    --certs-cname "loadbalancer.example.com" \
--enable-foreman-proxy-plugin-remote-execution-script
    Copy to Clipboard Toggle word wrap

  5. On Capsule Server, enter the satellite-installer command: 

    # satellite-installer --scenario capsule \
--certs-cname "loadbalancer.example.com" \
--certs-tar-file "capsule.example.com-certs.tar" \
--enable-foreman-proxy-plugin-remote-execution-script \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com"
    Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top