Custom IPA Issued Certificates in Foreman Katello 3.10/3.11

I currently have Foreman/Katello running with FreeIPA without any issues.
What I ended up doing is essentially generating the certificates the way I need them first, before installing Foreman, although you could do this retroactively too.

Currently my process is the following; it handles generating certificates with the required extended key usage.

1. Join the server to FreeIPA:

    ```
    sudo ipa-client-install --mkhomedir --force-join --server=id01.example.com --domain example.com --hostname foreman.example.com --password '<one-time-pass>'
    ```

2. On FreeIPA, create a foreman service (OPTIONAL):

    Identity => Services => "add +" foreman-core/foreman.example.com@EXAMPLE.COM

3. Generate the certificates for Foreman to use; note that the request includes the extended key usage required.

    ```
    sudo ipa-getcert request \
    -f /etc/pki/tls/certs/foreman.crt \
    -k /etc/pki/tls/private/foreman.key \
    -F /etc/pki/tls/certs/idx.bundle.pem \
    -K foreman-core/foreman.example.com \
    -D foreman.example.com \
    -u digitalSignature \
    -u nonRepudiation \
    -u keyEncipherment \
    -u dataEncipherment \
    -U id-kp-serverAuth \
    -U id-kp-clientAuth \
    -U id-kp-codeSigning \
    -U id-kp-emailProtection
    ```

    If you don't want to use your own foreman service in FreeIPA, run the following instead; it uses the default HTTP service that should already be set up in FreeIPA.

    ```
    sudo ipa-getcert request \
    -f /etc/pki/tls/certs/foreman.crt \
    -k /etc/pki/tls/private/foreman.key \
    -F /etc/pki/tls/certs/idx.bundle.pem \
    -K HTTP/foreman.example.com \
    -D foreman.example.com \
    -u digitalSignature \
    -u nonRepudiation \
    -u keyEncipherment \
    -u dataEncipherment \
    -U id-kp-serverAuth \
    -U id-kp-clientAuth \
    -U id-kp-codeSigning \
    -U id-kp-emailProtection
    ```

    This will request the required certificate from FreeIPA.

4. Validate the certificates with katello-certs-check:

    ```
    sudo katello-certs-check \
    -c /etc/pki/tls/certs/foreman.crt \
    -k /etc/pki/tls/private/foreman.key \
    -b /etc/pki/tls/certs/idx.bundle.pem
    ```

5. Then proceed with the installation, ensuring you have the following flags set in the foreman-installer:

    ```
    --foreman-server-ssl-cert "/etc/pki/tls/certs/foreman.crt" \
    --foreman-server-ssl-key "/etc/pki/tls/private/foreman.key" \
    --foreman-server-ssl-ca "/etc/pki/tls/certs/idx.bundle.pem" \
    --foreman-server-ssl-chain "/etc/pki/tls/certs/idx.bundle.pem" \
    --foreman-ipa-authentication=true \
    ```

Hope this helps.
