Probably it is user problem. I may not understand /usr/bin/katello-rhsm-consumer behaviour.
I did update of SSL certificates for scenario katello.
I used utility /sbin/katello-certs-check -c /etc/pki/pr0mgm01-ssl/pr0mgm01_encrypted.crt -k /etc/pki/pr0mgm01-ssl/pr0mgm01_encrypted_pem.key -b /etc/pki/pr0mgm01-ssl/pr0mgm01_cabundle.pem
It generated command after validation, i run that command, successfully finished, Web interface run with green lock SSL icon.
So my clients(consumers) are not able to yum update because they do not know CA which signed new certificate.
I understand, that i have to download and install
curl --insecure --output katello-ca-consumer-latest.noarch.rpm https://pr0mgm01.blabla.com/pub/katello-ca-consumer-latest.noarch.rpm
But there is problem.
On newly installed server /usr/bin/katello-rhsm-consumer script works as expected.
If i am going to reinstall on already registered servers, it replace our pr0mgm01.blabla.com server in /etc/rhsm/rhsm.conf with cdn.redhat.com from /etc/rhsm/rhsm.conf.kat-backup, so i need to re-run /usr/bin/katello-rhsm-consumer one more time and it fix it.
Is it correct behaviour ?