2.6.2. Configuring Capsule Server with a Custom SSL Certificate

If you configure Satellite Server to use a custom SSL certificate, you must also configure each of your external Capsule Servers with a distinct custom SSL certificate.

To configure your Capsule Server with a custom certificate, complete the following procedures on each Capsule Server:

2.6.2.1. Creating a Custom SSL Certificate for Capsule Server
リンクのコピー

On Satellite Server, create a custom certificate for your Capsule Server. If you already have a custom SSL certificate for Capsule Server, skip this procedure.

When you configure Capsule Server with custom certificates, note the following considerations:

You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
You cannot use the same certificate for both Satellite Server and Capsule Server.
The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.

Procedure

To create a custom SSL certificate, complete the following steps:

To store all the source certificate files, create a directory that is accessible only to the root user.
```
mkdir /root/capsule_cert
```
```
# mkdir /root/capsule_cert
```
Copy to Clipboard Toggle word wrap
Create a private key with which to sign the Certificate Signing Request (CSR).
Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
If you already have a private key for this Capsule Server, skip this step.
```
openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096
```
```
# openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096
```
Copy to Clipboard Toggle word wrap

Create the /root/capsule_cert/openssl.cnf configuration file for the Certificate Signing Request (CSR) and include the following content:

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ] 
C  = Country Name (2 letter code)
ST = State or Province Name (full name)
L  = Locality Name (eg, city)
O  = Organization Name (eg, company)
OU = The division of your organization handling the certificate
CN = capsule.example.com 

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ alt_names ]
DNS.1 = capsule.example.com

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ]


C  = Country Name (2 letter code)
ST = State or Province Name (full name)
L  = Locality Name (eg, city)
O  = Organization Name (eg, company)
OU = The division of your organization handling the certificate
CN = capsule.example.com



[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ alt_names ]
DNS.1 = capsule.example.com

Copy to Clipboard

Toggle word wrap

1: In the [ req_distinguished_name ] section, enter information about your organization.
2: Set the certificate’s Common Name CN to match the fully qualified domain name (FQDN) of your Capsule Server or a wildcard value *. To confirm a FQDN, on that Capsule Server, enter the hostname -f command. This is required to ensure that the katello-certs-check command validates the certificate correctly. If you set a wildcard value, you must add the -t capsule option when you use the katello-certs-check command.
3: Set the Subject Alternative Name (SAN) DNS.1 to match the fully qualified domain name (FQDN) of your server.

Generate the Certificate Signing Request (CSR):

openssl req -new \
-key /root/capsule_cert/capsule_cert_key.pem \
-config /root/capsule_cert/openssl.cnf \
-out /root/capsule_cert/capsule_cert_csr.pem

# openssl req -new \
-key /root/capsule_cert/capsule_cert_key.pem \


-config /root/capsule_cert/openssl.cnf \


-out /root/capsule_cert/capsule_cert_csr.pem

Copy to Clipboard

Toggle word wrap

1: Path to the private key.
2: Path to the configuration file.
3: Path to the CSR to generate.

Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

2.6.2. Configuring Capsule Server with a Custom SSL Certificate

2.6.2.1. Creating a Custom SSL Certificate for Capsule Server
リンクのコピー

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

多様性を受け入れるオープンソースの強化

会社概要

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

2.6.2. Configuring Capsule Server with a Custom SSL Certificate

2.6.2.1. Creating a Custom SSL Certificate for Capsule Serverリンクのコピーリンクがクリップボードにコピーされました!

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

多様性を受け入れるオープンソースの強化

会社概要

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

2.6.2.1. Creating a Custom SSL Certificate for Capsule Server
リンクのコピー