Foreman CA smart proxy replacement - blocked by CA cert issues

Hello All,

I'm trying to replace the PuppetCA smart proxy on foreman.
Right now we have the existing smart proxies (puppet, puppetca, dns,
tftp, dhcp) configured with certs signed by the old Puppetca cert.

I'm trying to add the new puppetca smart proxy before removing the old one
but I'm not able to with foreman throwing the error:

  • Unable to communicate with the proxy: ERF12-2530
    [ProxyAPI::ProxyException]: Unable to detect features
    ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
    server certificate B: certificate verif…) for proxy
    https://puppetca2.cs.ops.expertcity.com:8443/features
  • Please check the proxy is configured and running on the host.

I am guessing this is because the new one has certs signed by itself (the
new puppetca) and the cert configured on foreman for 'ssl_ca_file' is the
cert from the old puppetca (this is still present and used till we
complete the cutover on all the puppet clients).

Can I add more than one CA certificate to the foreman CA file
'ssl_ca_file'? Will this help me add a new smart proxy with certs signed by
the new CA?
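
The trust mismatch described in the post can be reproduced offline with the openssl command line. This is an added example, not part of the original post: both CAs, the proxy certificate, the host name and every file name are throwaway values constructed for the demonstration, and it shows only how OpenSSL itself treats a CA file that holds one PEM certificate versus two.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and proxy certificate, generated locally.

make_ca() {  # $1 = file prefix, $2 = subject CN
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

setup_demo() {  # $1 = existing work directory
    (
        cd "$1" || exit 1
        # Minimal config so both CA certs carry basicConstraints CA:TRUE
        printf '%s\n' '[req]' 'distinguished_name=req' 'x509_extensions=v3_ca' \
            '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
        make_ca old_ca 'Old Puppet CA (constructed)'
        make_ca new_ca 'New Puppet CA (constructed)'
        # Proxy certificate issued by the NEW CA only
        openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
            -subj '/CN=proxy.example.test' \
            -keyout proxy.key -out proxy.csr 2>/dev/null
        openssl x509 -req -in proxy.csr -CA new_ca.pem -CAkey new_ca.key \
            -CAcreateserial -days 2 -out proxy.pem 2>/dev/null
        # One PEM file holding both CA certificates, old first
        cat old_ca.pem new_ca.pem > ca_bundle.pem
    )
}

verifies() {  # $1 = CA file, $2 = certificate; status 0 if the chain verifies
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
setup_demo "$work"
for ca in old_ca.pem new_ca.pem ca_bundle.pem; do
    if verifies "$work/$ca" "$work/proxy.pem"; then
        echo "$ca: proxy certificate verifies"
    else
        echo "$ca: proxy certificate rejected"
    fi
done
rm -rf "$work"
```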