SSL connection with proxies - auto registration

I’m preparing a Foreman installation and configuration with Puppet. I have some issues with the SSL connection between the smart proxies and Foreman. I would like to register the proxies automatically in the Foreman server, so the main issue is with the parameter $register_in_foreman => true.
I’m trying to use different certificates for proxy registration and for the SSL domain, but it doesn’t seem to be working.
I set the following params:
$foreman_url => 'https://foreman.internal.com' (I have DigiCert certificate for this domain)
$server_ssl_ca => path to DigiCert CA file
$server_ssl_chain => path to DigiCert CA file
$server_ssl_cert => path to DigiCert domain certificate
$server_ssl_key => path to DigiCert private key for domain
$client_ssl_ca => path to Puppet CA file
$client_ssl_cert => path to Puppet cert file
$client_ssl_key => path to Puppet key file

According to Foreman’s manual, proxies should verify themselves with Puppet’s CA in a configuration like the one above. Unfortunately, when I run the 'puppet agent -t' command I get the error “certificate verify failed”.
It works perfectly fine when I use the Puppet files as the server certificates.

IIRC this needs to be the Puppet CA so that it can use client certificate authentication. The chain should still be the DigiCert CA.

It’s important to remember that this is what foreman uses when it’s a client. That means when it’s connecting to foreman-proxy. There are other settings on the foreman_proxy that mirror how it connects.
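
An added example (not from the thread or from the Foreman project) that reproduces the rule behind the replies with throwaway certificates: a certificate only verifies against the CA that issued it, so whichever side checks the Puppet-issued client certificate must be given the Puppet CA, and whichever side checks the publicly issued server certificate must be given the public CA. The names `public-ca`, `puppet-ca`, `foreman-server`, `proxy-client` and the helper functions are constructed stand-ins; it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Constructed stand-ins: "public-ca" plays the DigiCert role, "puppet-ca" the
# Puppet CA role. Every key and certificate is generated in a temp directory.

make_ca() {    # make_ca <dir> <name>: create a self-signed CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue() {      # issue <dir> <ca-name> <leaf-name>: leaf cert signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

chains_to() {  # chains_to <ca.pem> <cert.pem>: print ok or FAIL
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" public-ca || return 1
    make_ca "$d" puppet-ca || return 1
    issue "$d" public-ca foreman-server || return 1  # role of $server_ssl_cert
    issue "$d" puppet-ca proxy-client   || return 1  # role of a Puppet client cert
    # The side that checks client certificates (the role of $server_ssl_ca):
    echo "client cert vs public CA: $(chains_to "$d/public-ca.pem" "$d/proxy-client.pem")"
    echo "client cert vs puppet CA: $(chains_to "$d/puppet-ca.pem" "$d/proxy-client.pem")"
    # The connecting side, checking the server certificate it is shown:
    echo "server cert vs puppet CA: $(chains_to "$d/puppet-ca.pem" "$d/foreman-server.pem")"
    echo "server cert vs public CA: $(chains_to "$d/public-ca.pem" "$d/foreman-server.pem")"
    rm -rf "$d"
}

demo
```

The two FAIL rows are the same class of failure as “certificate verify failed”: the verifier was handed a CA that did not sign the certificate it was asked to check.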