[Katello] Setting Up New SSL Certificates

Hello, quick question!

I have an already existing Katello server that is using the self-signed certificates that were generated upon installation.

Since then, I’ve been using Foreman and Katello to provision, patch, and maintain production systems. However, I now need to set up a new CA-signed SSL certificate.

So I obtained my certs from DigiCert, uploaded them to my Foreman server, and used the “katello-certs-check” to validate them:

    # katello-certs-check -c /etc/pki/tls/certs/mycert.crt -k /etc/pki/tls/private/mycert.key -b /etc/pki/tls/certs/TrustedRoot.crt
    Checking server certificate encoding:

    Checking expiration of certificate:

    Checking expiration of CA bundle:

    Checking if server certificate has CA:TRUE flag

    Checking for private key passphrase:

    Checking to see if the private key matches the certificate:

    Checking CA bundle against the certificate file:

    Checking CA bundle size:

    Checking Subject Alt Name on certificate

    Checking Key Usage extension on certificate for Key Encipherment

    Validation succeeded

To install the Katello server with the custom certificates, run:

    foreman-installer --scenario katello \
                      --certs-server-cert "/etc/pki/tls/certs/mycert.crt" \
                      --certs-server-key "/etc/pki/tls/private/mycert.key" \
                      --certs-server-ca-cert "/etc/pki/tls/certs/TrustedRoot.crt"

To update the certificates on a currently running Katello installation, run:

    foreman-installer --scenario katello \
                      --certs-server-cert "/etc/pki/tls/certs/mycert.crt" \
                      --certs-server-key "/etc/pki/tls/private/mycert.key" \
                      --certs-server-ca-cert "/etc/pki/tls/certs/TrustedRoot.crt" \
                      --certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy

Awesome! Looks like we’re good to go. And it even gave me the command to run to update certificates on a currently running Katello installation (you guys think of everything!).

However, I am being extra cautious as this system is being used in production… Is there anything I should be worried about before running this? Can I seriously break anything? Is it easy to revert? Could this affect communication between Foreman/Katello and the hosts it is managing?

Note I am not running a SmartProxy on any of the hosts which Katello manages (though I believe the Katello system itself is a SmartProxy?).

Any tips/tricks would be greatly appreciated! If you need any additional details about my environment, just lemme know.
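Added example for this thread (not Katello's own `katello-certs-check`, nor Foreman installer code): a small POSIX shell pre-flight script that re-does the checks the tool reports above with plain `openssl`, and takes a timestamped backup of the old certificate files so the installer can be re-run with the previous values if the new set causes trouble. The paths are the ones from the post; `BACKUP_ROOT` and the hostname argument are assumptions you would replace with your own.

```shell
#!/bin/sh
# Pre-flight checks for a custom Katello certificate set (added example for the
# thread; not part of Katello or katello-certs-check).  Each check returns 0 on
# success so the script can gate a foreman-installer run.
set -u

CERT=/etc/pki/tls/certs/mycert.crt            # paths from the post
KEY=/etc/pki/tls/private/mycert.key
BUNDLE=/etc/pki/tls/certs/TrustedRoot.crt
BACKUP_ROOT=/root/katello-cert-backup         # assumed location; pick your own

# The SubjectPublicKeyInfo derived from the private key must equal the one
# embedded in the certificate; any failure to read either file is a mismatch.
cert_key_match() {   # cert key
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)        || return 1
  [ "$c" = "$k" ]
}

# Certificate must chain to the CA bundle that will be handed to the installer.
cert_chain_ok() {    # cert bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Certificate must still be valid N days from now (do not deploy a short fuse).
cert_valid_for_days() {   # cert days
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# A server certificate must not carry CA:TRUE (katello-certs-check checks this too).
cert_not_ca() {      # cert
  ! openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# The FQDN clients connect to must appear as a DNS SAN entry, exact match.
cert_has_san() {     # cert hostname
  openssl x509 -noout -text -in "$1" 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "DNS:$2"
}

# Copy the files currently in use into a private, timestamped directory and
# print its path; re-running the installer with these paths is the revert.
backup_certs() {     # dest_root files...
  dest="$1/$(date +%Y%m%d-%H%M%S)"; shift
  mkdir -p "$dest" && cp -p "$@" "$dest"/ && chmod 700 "$dest" && echo "$dest"
}

# Run every check, report each verdict, and fail if any single one failed.
preflight() {        # cert key bundle hostname
  rc=0
  cert_key_match "$1" "$2"       && echo "OK   key matches cert"     || { echo "FAIL key/cert mismatch";   rc=1; }
  cert_chain_ok "$1" "$3"        && echo "OK   chains to CA bundle"  || { echo "FAIL chain verification"; rc=1; }
  cert_valid_for_days "$1" 30    && echo "OK   valid for 30+ days"   || { echo "FAIL expires within 30d"; rc=1; }
  cert_not_ca "$1"               && echo "OK   not a CA certificate" || { echo "FAIL CA:TRUE on server cert"; rc=1; }
  cert_has_san "$1" "$4"         && echo "OK   SAN covers $4"        || { echo "FAIL no DNS SAN for $4";   rc=1; }
  return $rc
}

# Stand-alone use: KATELLO_PREFLIGHT=1 sh preflight.sh <fqdn>
if [ "${KATELLO_PREFLIGHT:-}" = 1 ]; then
  preflight "$CERT" "$KEY" "$BUNDLE" "${1:-$(hostname -f)}" || exit 1
  echo "backup of previous files: $(backup_certs "$BACKUP_ROOT" "$CERT" "$KEY" "$BUNDLE")"
fi
```

Run the pre-flight on the new files first, then `foreman-installer ... --noop` as suggested below to preview the change; if the new certificates break client communication, the printed backup directory holds the exact files to pass back to `--certs-server-cert`, `--certs-server-key` and `--certs-server-ca-cert`.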


Of course, this can break stuff, basically any communication since users and managed machines use the same web server to talk with Foreman. You can try running the installer with --noop to see what all would change. We store every installer run log in /var/log/foreman-installer so you can investigate the changes later too. To revert, you could probably rerun the installer with previous cert values.

If you succeed with this command, could you please let us know? We could convert this post to the guide for others 🙂

Yes, by default we deploy one Smart Proxy alongside the Foreman (+Katello) host.

Actually there’s already a guide which I guess you’ve followed.

Got here via Google and found Marek’s ‘a guide’ link broken - thought I’d share some corrected URLs for future web/forum searchers - looks like between Foreman v3.0 and 3.1 the relevant section was hidden on the ‘Foreman only’ documentation and only present on the Katello documentation:


Good luck future web searchers!
