My foreman server certificate has
CN = forman.example.com
X509v3 Subject Alternative Name = DNS:forman.example.com, DNS:forman1.example.com, DNS:forman2.example.com, DNS:proxy1.example.com, DNS:proxy2.example.com
Question:
Since the proxy server names are already mentioned in the foreman server cert as ‘alternative names (SAN)’, can I use the same foreman certificate and keys to generate certificates for the proxies using the command below?
foreman-proxy-certs-generate --foreman-proxy
Sorry, but you neither mention the foreman version you are using nor if it is a simple foreman server or a foreman/katello server. You don’t mention the foreman-installer command you have used to set up those custom certificates on the foreman or katello server. So basically, no one really knows how you have set this up exactly and thus it’s really hard to give advice…
Can I use the same foreman certificate and key (marked in bold in the foreman installer command below) to generate certificates for the proxies using the command below?
foreman-proxy-certs-generate
Required details:
Foreman 3.5 with Katello 4.7.
Foreman installer command I used for foreman installation:
Thank you for quick response.
Please find my responses inline.
You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
→ Already considered this.
Current certificate on foreman server is /root/foreman_cert/satellite_cadence_com_cert.pem
and foreman server is working without issue.
You cannot use the same certificate for both Foreman server and Smart Proxy server.
→ This is where I am getting confused. As I mentioned earlier, I have listed both the foreman server and the proxy server hostnames as ‘alternative names (SAN)’ in the same certificate and intend to use it on both the Foreman server and the proxy servers.
Theoretically, it should work, but is that allowed in Foreman?
What errors should I expect?
The same Certificate Authority must sign certificates for Foreman server and Smart Proxy server.
→ Considered this point too.
I don’t know what’s unclear: it’s not supported. It is specifically mentioned in the docs. I guess it’s there for a reason. Maybe one of the developers can give a simple reason for this.
You could try, but you are on your own if you do so. If there are certificate related problems in the future, you’ll have to handle those yourself. And you should never forget to mention it in any future question here, because obviously, the general assumption would be that you have different certificates for each server/proxy.
I guess it could work in principle. I just don’t see the advantage except higher risks in the case of a compromised key. If the key on the proxy is compromised, so is it on all your foreman servers/proxies then.
I generally don’t have a problem with specific certificates for each individual foreman server/proxy…
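To make the "theoretically it should work" part of the question concrete without touching a real deployment, here is an added example (not from the thread or from the Foreman project) that builds a throwaway self-signed certificate with exactly the SAN list quoted above and then asks OpenSSL which hostnames it matches. It assumes an OpenSSL 1.1.1 or newer binary on PATH; the example.com names and the extra proxy3 host are constructed values for illustration. Note that the single key file it produces is what every server sharing this certificate would hold, which is the blast-radius concern raised in the last reply.

```shell
#!/bin/sh
# Constructed example: one self-signed cert carrying the SAN list from the
# thread, checked against several hostnames with `openssl x509 -checkhost`.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SAN list copied from the certificate shown in the question (constructed names).
SAN="DNS:forman.example.com,DNS:forman1.example.com,DNS:forman2.example.com,DNS:proxy1.example.com,DNS:proxy2.example.com"

# make_cert: generate a throwaway key + self-signed cert with that SAN list.
# The same key.pem is what every host sharing the cert would have to hold.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=forman.example.com" \
    -addext "subjectAltName=$SAN" >/dev/null 2>&1
}

# cert_covers HOST: exit 0 if the cert's SAN matches HOST, 1 otherwise.
# -checkhost prints "Hostname X does match certificate" or "... does NOT match",
# and exits 0 either way, so the verdict is taken from the text.
cert_covers() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" | grep -q "does match"
}

make_cert

# Report coverage for the foreman name, the two listed proxies, and one proxy
# that is not in the SAN list (proxy3) to show what a missing entry looks like.
for h in forman.example.com proxy1.example.com proxy2.example.com proxy3.example.com; do
  if cert_covers "$h"; then
    echo "$h: covered by SAN"
  else
    echo "$h: NOT covered by SAN"
  fi
done
```

Run it before copying a shared certificate anywhere: any host that reports NOT covered will fail TLS hostname verification regardless of what Foreman or the proxy does with the files.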