2.6.2.2. Deploying a Custom SSL Certificate to Capsule Server


Use this procedure to configure your Capsule Server with a custom SSL certificate signed by a Certificate Authority. The satellite-installer command, which the capsule-certs-generate command returns, is unique to each Capsule Server. Do not use the same command on more than one Capsule Server.

Prerequisites

Before configuring Capsule Server with a custom server certificate, ensure that your Satellite and Capsules meet the following conditions:

Procedure

To configure your Capsule Server with a custom SSL certificate, complete the following steps:

  1. On Satellite Server, validate the custom SSL certificate input files:

    # katello-certs-check \
    -c /root/capsule_cert/capsule_cert.pem \
    -k /root/capsule_cert/capsule_cert_key.pem \
    -b /root/capsule_cert/ca_cert_bundle.pem

    -c: Path to the Capsule Server certificate file that is signed by a Certificate Authority.
    -k: Path to the private key that was used to sign the Capsule Server certificate.
    -b: Path to the Certificate Authority bundle.

    If you set a wildcard value * for the certificate’s Common Name CN = in the /root/capsule_cert/openssl.cnf configuration file, you must add the -t capsule option to the katello-certs-check command.

    If the command is successful, it returns two capsule-certs-generate commands, one of which you must use to generate the certificate archive file for your Capsule Server.

    Example output of katello-certs-check

    Validation succeeded.
    
    To use them inside a NEW $CAPSULE, run this command:
    
    capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
        --certs-tar  "~/$CAPSULE-certs.tar" \
        --server-cert "/root/capsule_cert/capsule_cert.pem" \
        --server-key "/root/capsule_cert/capsule_cert_key.pem" \
        --server-ca-cert "/root/capsule_cert/ca_cert_bundle.pem" \
    
    To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
    
      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
        --certs-tar  "~/$CAPSULE-certs.tar" \
        --server-cert "/root/capsule_cert/capsule_cert.pem" \
        --server-key "/root/capsule_cert/capsule_cert_key.pem" \
        --server-ca-cert "/root/capsule_cert/ca_cert_bundle.pem" \
        --certs-update-server

  2. On Satellite Server, from the output of the katello-certs-check command, depending on your requirements, enter the capsule-certs-generate command that generates a certificate for a new or existing Capsule.

    In this command, change $CAPSULE to the FQDN of your Capsule Server.

  3. Retain a copy of the satellite-installer command that the capsule-certs-generate command returns for deploying the certificate to your Capsule Server.

    Example output of capsule-certs-generate

    output omitted
    satellite-installer \
    --scenario capsule \
    --certs-tar-file                              "/root/capsule_certs.tar"\
    --foreman-proxy-content-parent-fqdn           "satellite.example.com"\
    --foreman-proxy-register-in-foreman           "true"\
    --foreman-proxy-foreman-base-url              "https://satellite.example.com"\
    --foreman-proxy-trusted-hosts                 "satellite.example.com"\
    --foreman-proxy-trusted-hosts                 "capsule.example.com"\
    --foreman-proxy-oauth-consumer-key            "s97QxvUAgFNAQZNGg4F9zLq2biDsxM7f"\
    --foreman-proxy-oauth-consumer-secret         "6bpzAdMpRAfYaVZtaepYetomgBVQ6ehY"\
    --puppet-server-foreman-url                   "https://satellite.example.com"

  4. On Satellite Server, copy the certificate archive file to your Capsule Server:

    # scp /root/capsule_cert/capsule.example.com-certs.tar \
    root@capsule.example.com:/root/capsule.example.com-certs.tar

  5. On Capsule Server, to deploy the certificate, enter the satellite-installer command that the capsule-certs-generate command returns.

    When network connections or ports to Satellite are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Capsule from attempting to connect to Satellite and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

    Important

    Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Capsule Server.
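
The following pre-flight check for the step 1 input files is an added example, not part of the original procedure or of Red Hat's tooling. It uses standard openssl subcommands to confirm that the key matches the certificate and that the certificate verifies against the CA bundle, then prints the katello-certs-check command, adding -t capsule when the Common Name is a wildcard. The function names are hypothetical, and the script does not replace katello-certs-check.

```shell
#!/bin/sh
# Pre-flight check for the three input files of step 1 (added example).
# Uses only standard openssl subcommands; file paths are passed as arguments.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= //p'
}

# Succeed only if the private key and the certificate hold the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate verifies against the CA bundle.
chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the katello-certs-check command to run, or fail with a reason.
katello_check_cmd() {
    cert=$1 key=$2 bundle=$3
    key_matches_cert "$cert" "$key" ||
        { echo "key does not match certificate" >&2; return 1; }
    chains_to_bundle "$cert" "$bundle" ||
        { echo "certificate does not verify against bundle" >&2; return 1; }
    cmd="katello-certs-check -c $cert -k $key -b $bundle"
    case $(cert_cn "$cert") in
        \**) cmd="$cmd -t capsule" ;;   # wildcard CN requires -t capsule
    esac
    printf '%s\n' "$cmd"
}

# Run directly:  sh preflight.sh CERT KEY BUNDLE
if [ "$#" -eq 3 ]; then
    katello_check_cmd "$1" "$2" "$3"
fi
```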
