How to use custom SSL certificates with Katello?

Hello everyone,

We’re currently pointing our Katello install to and I have the wildcard SSL cert. If I wanted to get HTTPS on just the web admin UI is it just an apache configuration change? I was reading online that it might be a bit harder than that.

Actually it looks like this should do the trick. Can anyone confirm?

To update the certificates on a currently running Katello installation, run:
foreman-installer --scenario katello \
–certs-server-cert “$(readlink -f $CERT_FILE)” \
–certs-server-key “$(readlink -f $KEY_FILE)” \
–certs-server-ca-cert “$(readlink -f $CA_BUNDLE_FILE)” \
–certs-update-server --certs-update-server-ca

1 Like


did you try this, and did it work ?

Went through the process myself. I would suggest you first check the certificate you want to install, upload them to the foreman server (certificate, private key and issuing CA):

and run this command

katello-certs-check -t foreman -c wildcard.crt -k wildcard.key -b issuing-ca.crt

It should reply with all green messages indicating the certificate does match the host name and can be validated by the CA.

It will at the end print a command to run in order to apply the certificate to your Foreman/Katello install (if it is an existing install, the command for a new install is different):

foreman-installer --scenario katello \
                  --certs-server-cert "/root/wildcard.crt" \
                  --certs-server-key "/root/wildcard.key" \
                  --certs-server-ca-cert "/root/issuing-ca.crt" \
                  --certs-update-server --certs-update-server-ca

Also remember, if you plan to add any smart proxies later or already have some running, you need to do the certificate check command again on the foreman server, like this:

katello-certs-check -t foreman-proxy -c wildcard.crt -k wildcard.key -b issuing-ca.crt

It will come back with a different command to execute again on the foreman server (example for an existing smart proxy):

  foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" \
                               --certs-tar  "~/$FOREMAN_PROXY-certs.tar" \
                               --server-cert "/root/wildcard.crt" \
                               --server-key "/root/wildcard.key" \
                               --server-ca-cert "/root/issuing-ca.crt" \

Replace $FOREMAN_PROXY with the fully qualified DNS name of your smart proxy and check the /root/ssl-build directory and remove any directory with the $FOREMAN_PROXY already in there before you run this command (current bug in Katello 3.17).
Then follow the instructions printed by the foreman-proxy-certs-generate command.

If your issuing CA is actually a sub-ca or even a chain of multiple sub-ca’s, make sure to concatenate them all together in the issuing-ca.crt file, starting with the lowest level CA first.

1 Like