Katello Server certificates

My company issues a root-ca pem to all servers in our environment. If I was to have the Katello server use that, would I ever need to install a certificate on Katello clients?

Inversely, can I sign the Katello certificate with our root-ca?

I’m looking for a way to eliminate installing the certificate on any servers and just have our client installs be the package install straight into the activation key registration.

Are there any guides for this or best practice for such a scenario?

Thanks a lot!

We recently published some information on using custom certs with Katello[1] that you might find useful! You should be able to do the things you mentioned and it will require installing a new katello-ca-consumer RPM on your clients as it distributes the cert. The new RPM will be generated by the installer when following the docs.

[1] Foreman :: Plugin Manuals


Thanks - will give it a look and report back if I have any questions!

Hi Jonathon,

Thanks much for the doc. I was pulled away from this project for the last week so I did not get much done with this (sorry for the week-long delay), but I did have a question as I revisit and think about this again.

During our server builds, our root ca is pushed to each server (in /etc/pki/ca-trust/source/anchors/).

When I installed Katello (in production) it generated its own certificate on the server, with instructions to install the cert rpm that drops our file into /usr/bin/katello-rhsm-consumer.

It seems like I can have Katello server use our root-ca for server -> client but I’d still need to regenerate it on the server with the options in the doc provided and then still push to the clients? Even though it will already be there from a build script?

I guess what I’m trying to achieve is eliminating the step in my client deployment process of needing to push out an rpm that contains my Katello server certificate if I already have a common company-wide root ca across all servers.

Sorry, just trying to fully understand. I am a bit rusty on CA and certificate signing so I’m going to make sure I’m crystal clear on that process on the side :)
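Added example, not from this thread and not Katello project code: a throwaway shell script using openssl that builds a constructed "company root CA", signs one Katello server certificate with it, creates a second self-signed one (the kind the installer generates by default), and checks each against the anchor the way a client's trust store would. Every name and path in it is hypothetical. It shows the point behind both the answer above and the follow-up question: a server certificate that chains to a CA already present in /etc/pki/ca-trust/source/anchors/ validates without pushing anything else, while a self-signed one does not, which is what the katello-ca-consumer RPM is there to fix. One caveat worth knowing: subscription-manager does not consult the system anchors but the directory named by ca_cert_dir in /etc/rhsm/rhsm.conf (default /etc/rhsm/ca/), so even with a CA-signed server certificate that rhsm directory on the client must contain the root CA.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA shows why a server
# certificate signed by a CA already in the client trust anchors validates
# with no extra cert pushed, while a self-signed one does not.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample "company root CA" (hypothetical subject names throughout)
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Corp Root CA" \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.pem" 2>/dev/null
}

# Server certificate for the Katello host, signed by the company root CA
make_signed_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=katello.example.com" \
    -keyout "$WORK/katello.key" -out "$WORK/katello.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/katello.csr" -CA "$WORK/root-ca.pem" \
    -CAkey "$WORK/root-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/katello-signed.pem" 2>/dev/null
}

# The alternative: a self-signed certificate like the installer's default
make_self_signed_server_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=katello.example.com" \
    -keyout "$WORK/katello-self.key" -out "$WORK/katello-self.pem" 2>/dev/null
}

# Returns 0 when the certificate chains to the given trust anchor, 1 otherwise.
# On a real client the anchor is the file dropped into
# /etc/pki/ca-trust/source/anchors/ (or, for subscription-manager, a file
# in the directory named by ca_cert_dir in /etc/rhsm/rhsm.conf).
verify_against_anchor() {
  anchor="$1"
  cert="$2"
  if openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
}

run_demo() {
  make_root_ca
  make_signed_server_cert
  make_self_signed_server_cert
  if verify_against_anchor "$WORK/root-ca.pem" "$WORK/katello-signed.pem"; then
    echo "CA-signed server cert: trusted via the existing anchor, nothing extra to push"
  else
    echo "CA-signed server cert: NOT trusted (unexpected)"
  fi
  if verify_against_anchor "$WORK/root-ca.pem" "$WORK/katello-self.pem"; then
    echo "self-signed server cert: trusted (unexpected)"
  else
    echo "self-signed server cert: NOT trusted, clients need the katello-ca-consumer RPM"
  fi
}

run_demo
```

Run it on any host with openssl; it leaves nothing behind. To check a real client the same way, point verify_against_anchor at the root CA file from the anchors directory and at the certificate served by the Katello host.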