Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 14. Renewing certificates
You can renew the CA certificate on Satellite Server or the custom SSL certificate on Satellite Server as well as on Capsule Server.
14.1. Planning for self-signed CA certificate renewal
If you need to update the Certification Authority (CA) certificate on your Satellite Server, add the new CA certificate and use a temporary dual CA certificate file to retain the HTTPS connections to your Satellite Server during the renewal.
Procedure
- Add the new SSL certificate to the CA certificate file on Satellite Server and keep the old SSL certificate.
- Renew the certificates on Satellite Server and any Capsule Servers.
- Deploy the dual CA certificate on hosts.
- Remove the old certificate from the CA certificates file on Satellite Server, so the CA certificate file contains only the new SSL certificate.
- Renew the certificates on Satellite Server and any Capsule Servers.
- Deploy the new CA certificate on hosts.
Additional resources
- Refreshing the self-signed CA certificate on hosts in Managing hosts
14.2. Renewing a custom SSL certificate on Satellite Server
Use this procedure to update your custom SSL certificate for Satellite Server.
Prerequisites
-
You must create a new Certificate Signing Request (CSR) and send it to the Certificate Authority to sign the certificate. Refer to the Configuring Satellite Server with a Custom SSL Certificate guide before creating a new CSR because the Server certificate must have X.509 v3
Key Usage
andExtended Key Usage
extensions with required values. In return, you will receive the Satellite Server certificate and CA bundle.
Procedure
Before deploying a renewed custom certificate on your Satellite Server, validate the custom SSL input files. Note that for the
katello-certs-check
command to work correctly, Common Name (CN) in the certificate must match the FQDN of Satellite Server:# katello-certs-check -t satellite \ -b /root/satellite_cert/ca_cert_bundle.pem \ -c /root/satellite_cert/satellite_cert.pem \ -k /root/satellite_cert/satellite_cert_key.pem
If the command is successful, it returns the following
satellite-installer
command. You can use this command to deploy the renewed CA certificates to Satellite Server:# satellite-installer --scenario satellite \ --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \ --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \ --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \ --certs-update-server \ --certs-update-server-ca
Do not delete the certificate files after you deploy the certificate. They are required when upgrading Satellite Server.
Verification
-
Access the Satellite web UI from your local machine. For example,
https://satellite.example.com
. - In your browser, view the certificate details to verify the deployed certificate.
Next steps
- If you have changed the CA certificate on Satellite Server, refresh the CA certificate on your hosts. For more information, see Refreshing the self-signed CA certificate on hosts in Managing hosts.
14.3. Renewing a custom SSL certificate on Capsule Server
Use this procedure to update your custom SSL certificate for Capsule Server. The satellite-installer
command, which the capsule-certs-generate
command returns, is unique to each Capsule Server. You cannot use the same command on more than one Capsule Server.
Prerequisites
-
You must create a new Certificate Signing Request and send it to the Certificate Authority to sign the certificate. Refer to the Configuring Satellite Server with a Custom SSL Certificate guide before creating a new CSR because the Satellite Server certificate must have X.509 v3
Key Usage
andExtended Key Usage
extensions with required values. In return, you will receive the Capsule Server certificate and CA bundle.
Procedure
On your Satellite Server, validate the custom SSL certificate input files:
# katello-certs-check -t capsule \ -b /root/capsule_cert/ca_cert_bundle.pem \ -c /root/capsule_cert/capsule_cert.pem \ -k /root/capsule_cert/capsule_cert_key.pem
On your Satellite Server, generate the certificate archive file for your Capsule Server:
# capsule-certs-generate \ --certs-tar "/root/My_Certificates/capsule.example.com-certs.tar" \ --certs-update-server \ --foreman-proxy-fqdn "capsule.example.com" \ --server-ca-cert "/root/My_Certificates/ca_cert_bundle.pem" \ --server-cert "/root/My_Certificates/capsule_cert.pem" \ --server-key "/root/My_Certificates/capsule_cert_key.pem"
On your Satellite Server, copy the certificate archive file to your Capsule Server:
# scp /root/My_Certificates/capsule.example.com-certs.tar user@capsule.example.com:
You can move the copied file to the applicable path if required.
-
Retain a copy of the
satellite-installer
command that thecapsule-certs-generate
command returns for deploying the certificate to your Capsule Server. Deploy the certificate on your Capsule Server using the
satellite-installer
command returned by thecapsule-certs-generate
command:# satellite-installer --scenario capsule \ --certs-tar-file "/root/My_Certificates/capsule.example.com-certs.tar" \ --certs-update-server \ --foreman-proxy-foreman-base-url "https://satellite.example.com" \ --foreman-proxy-register-in-foreman "true"
Do not delete the certificate archive file on the Capsule Server after you deploy the certificate. They are required when upgrading Capsule Server.
Next steps
- If you have changed the CA certificate on Satellite Server, refresh the CA certificate on your hosts. For more information, see Refreshing the self-signed CA certificate on hosts in Managing hosts.