Unable to change ssl certificate

Initially, a self-signed SSL certificate was installed on the server. Now there is a need to change it to an organization certificate. To do this, I requested an intermediate CA from my organization and issued a katello certificate, signing it with the intermediate certificate. The problem is that when running the check, an error is detected in one of the items:

[root@foreman]# katello-certs-check -c katello.crt -k frmkey.pem  -b frmCA.cer
Checking server certificate encoding:

Checking expiration of certificate:

Checking expiration of CA bundle:

Checking if server certificate has CA:TRUE flag

Checking for private key passphrase:

Checking to see if the private key matches the certificate:

Checking CA bundle against the certificate file:

The /opt/frmCA.cer does not verify the /opt/katello.crt
C = RU, ST = City, L = City, O = home, OU = IT, CN = foreman.my.ru
error 18 at 0 depth lookup: self signed certificate
error /opt/katello.crt: verification failed

Checking CA bundle size: 1

Checking Subject Alt Name on certificate

Checking if any Subject Alt Name on certificate matches the Subject CN

Checking Key Usage extension on certificate for Key Encipherment

Checking for use of shortname as CN

Expected outcome:
successful completion of verification
Foreman and Proxy versions:
foreman 3.4
Foreman and Proxy plugin versions:
katello 4.6
Distribution and version:

Other relevant data:

As the error message tells you: the certificate in katello.crt cannot be verified against the CA chain in frmCA.cer.

$ openssl verify -CAfile /opt/frmCA.cer -purpose sslserver -verbose /opt/katello.crt

and make sure this succeeds.

The same mistake…
error 18 at 0 depth lookup: self signed certificate
error katello.crt: verification failed

  • What could I have done wrong?

The openssl command is the command the script executes at the point of error. That’s why I posted it so you can test the certificate without running the whole script.

As the error says: the certificate in katello.crt is self-signed. It has not been issued by the CA chain certs in frmCA.cer.

I received a Root CA certificate from my organization and signed the katello certificate with it; isn’t that right?

I thought you had an intermediate CA, not a root CA. What is it?

But either way: according to the error message, the server certificate in katello.crt is self-signed, i.e. it’s NOT signed by any CA but only by itself…

# openssl x509 -in katello.crt -noout -issuer -subject

should show you.
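As an added example (not code from the thread's participants or from Katello), the script below builds a throw-away root > intermediate > server chain, also produces the self-signed server certificate that reproduces the "error 18 ... self signed certificate" result, and runs both checks suggested above: the issuer/subject comparison and the openssl verify step that katello-certs-check executes. The CA names, the hostname foreman.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: builds a throw-away
# root -> intermediate -> server chain, plus the self-signed server
# cert that reproduces "error 18 ... self signed certificate", and runs
# the two checks discussed above. All names and files are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Succeeds when issuer DN == subject DN, i.e. what
# `openssl x509 -noout -issuer -subject` reveals for a self-signed cert.
is_self_signed() {
    iss=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//')
    sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//')
    [ "$iss" = "$sub" ]
}

# Succeeds when the server cert chains to the CA bundle: the same
# openssl verify call katello-certs-check runs at the failing step.
verify_chain() { # $1 = CA bundle, $2 = server certificate
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# Extension profiles written explicitly so nothing depends on the host openssl.cnf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >leaf.ext
printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:foreman.example.test\n' >>leaf.ext

csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
csr root "/CN=Example Root CA"
csr int  "/CN=Example Intermediate CA"
csr leaf "/CN=foreman.example.test"

sign() { openssl x509 -req -days 2 "$@" 2>/dev/null; }
sign -in root.csr -signkey root.key -extfile ca.ext -out root.crt                # root signs itself
sign -in int.csr  -CA root.crt -CAkey root.key -set_serial 1 -extfile ca.ext -out int.crt
sign -in leaf.csr -CA int.crt  -CAkey int.key  -set_serial 2 -extfile leaf.ext -out server.crt
sign -in leaf.csr -signkey leaf.key -extfile leaf.ext -out selfsigned.crt       # the mistake in the thread

cat int.crt root.crt >bundle.pem   # what the CA bundle should contain: intermediate, then root

for c in server.crt selfsigned.crt; do
    if is_self_signed "$c"; then echo "$c: issuer == subject, self-signed"; else echo "$c: issued by a CA"; fi
    if verify_chain bundle.pem "$c"; then echo "$c: verifies against bundle.pem"; else echo "$c: does NOT verify"; fi
done
```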