Red Hat Summit2.6.2. Configuring Capsule Server with a Custom SSL Certificate
If you configure Satellite Server to use a custom SSL certificate, you must also configure each of your external Capsule Servers with a distinct custom SSL certificate.
To configure your Capsule Server with a custom certificate, complete the following procedures on each Capsule Server:
2.6.2.1. Creating a Custom SSL Certificate for Capsule Server
On Satellite Server, create a custom certificate for your Capsule Server. If you already have a custom SSL certificate for Capsule Server, skip this procedure.
When you configure Capsule Server with custom certificates, note the following considerations:
- You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
- You cannot use the same certificate for both Satellite Server and Capsule Server.
- The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.
Procedure
To create a custom SSL certificate, complete the following steps:
To store all the source certificate files, create a directory that is accessible only to the
rootuser.# mkdir /root/capsule_certCreate a private key with which to sign the Certificate Signing Request (CSR).
Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
If you already have a private key for this Capsule Server, skip this step.
# openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096Create the
/root/capsule_cert/openssl.cnfconfiguration file for the Certificate Signing Request (CSR) and include the following content:[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name x509_extensions = usr_cert prompt = no [ req_distinguished_name ]1 C = Country Name (2 letter code) ST = State or Province Name (full name) L = Locality Name (eg, city) O = Organization Name (eg, company) OU = The division of your organization handling the certificate CN = capsule.example.com2 [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection subjectAltName = @alt_names [ usr_cert ] basicConstraints=CA:FALSE nsCertType = client, server, email keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer [ alt_names ] DNS.1 = capsule.example.com3 - 1
- In the
[ req_distinguished_name ]section, enter information about your organization. - 2
- Set the certificate’s Common Name
CNto match the fully qualified domain name (FQDN) of your Capsule Server or a wildcard value*. To confirm a FQDN, on that Capsule Server, enter thehostname -fcommand. This is required to ensure that thekatello-certs-checkcommand validates the certificate correctly. If you set a wildcard value, you must add the-t capsuleoption when you use thekatello-certs-checkcommand. - 3
- Set the Subject Alternative Name (SAN)
DNS.1to match the fully qualified domain name (FQDN) of your server.
Generate the Certificate Signing Request (CSR):
# openssl req -new \ -key /root/capsule_cert/capsule_cert_key.pem \1 -config /root/capsule_cert/openssl.cnf \2 -out /root/capsule_cert/capsule_cert_csr.pem3 Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}