I was wondering if it would be a good idea to use short-lived certs, like the certs issued by Let's Encrypt, for use by the Foreman? As everything uses the certs created by the installer to communicate, I'm not sure if things will start breaking if you have to change the cert every 3 months.
The other consideration is that the Foreman would then be using a generic intermediary cert with Puppet, and I don't know if that was exactly the intent, to prevent any cert from verifying against the puppet server, or if it needs to be its own CA that issues the chain.
If it is viable to use a provider like Let's Encrypt, wouldn't it be a good idea to build the functionality for the installer to request the certs from Let's Encrypt automatically and maintain the key rotation once the Foreman is running in production? My security team is not too happy about using the default self-signed certs, and with the option to use Let's Encrypt, what do you suggest? Even normal certs now only have a validity period of a year.
As I'm using the Foreman in a locked-down environment, I don't see a specific need for OV or even EV certs for Foreman.
I believe it should not be a problem to use them for the UI part of Foreman, e.g. the Foreman web interface that serves the UI and the API. I can see that your security team has concerns there. For the internal communication, what are the issues with the internal CA? Basically, Foreman uses these certificates to communicate with all smart proxies and vice versa. In my opinion, it's a good thing to have a separate CA for this.
What you need to do is change the Foreman cert and CA certificate and then tell the smart proxies that they should trust the CA that issued the Foreman certificate by extending the CA bundle.
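To make the "extend the CA bundle" step concrete, here is an added example (my own, not the installer's or Foreman's code) that models the situation with two throw-away CAs made by openssl: "internal" stands in for the installer's own CA that issues the smart-proxy certs, and "public" stands in for an external issuer such as Let's Encrypt that issues the new Foreman web/API cert. The hostnames, CA names and file names are constructed for the demo. It shows that the proxies' bundle has to contain both issuers, not be replaced, and that the check a proxy effectively performs (chain plus hostname) can be reproduced with `openssl verify`.

```sh
#!/bin/sh
# Added example: model the trust change from the reply above with throw-away CAs.
# Names, hostnames and files are constructed for the demo; nothing here touches
# a real Foreman or smart-proxy installation.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
# The subject is always overridden with -subj; ca_ext is only used with -x509.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca <name> <cn>: self-signed CA certificate in $WORK/<name>.crt/.key
make_ca() {
  openssl req -x509 -new -config "$WORK/req.cnf" -subj "/CN=$2" \
    -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert <ca> <name> <hostname>: leaf cert for <hostname> signed by <ca>,
# with a SAN the way a real Let's Encrypt or internal server cert would carry one
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$3" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.crt" 2>/dev/null
}

# verifies <ca-bundle> <cert> <hostname>: exit 0 if <cert> chains to a CA in
# <ca-bundle> and is valid for <hostname>; this is the check a smart proxy
# effectively performs when it calls Foreman over TLS
verifies() {
  openssl verify -CAfile "$WORK/$1" -verify_hostname "$3" "$WORK/$2" >/dev/null 2>&1
}

make_ca internal "Foreman internal CA"
make_ca public   "External public CA"
# smart-proxy cert stays on the installer CA; Foreman's web/API cert moves to the external issuer
issue_cert internal proxy   proxy.example.com
issue_cert public   foreman foreman.example.com

# The proxies' CA bundle must be EXTENDED with the new issuer: both CAs, concatenated.
cat "$WORK/internal.crt" "$WORK/public.crt" > "$WORK/bundle.crt"

# trust_ok: the properties a working setup needs after the change
trust_ok() {
  # proxies accept Foreman's new externally issued cert ...
  verifies bundle.crt foreman.crt foreman.example.com &&
  # ... and still accept the internal-CA certs used among themselves ...
  verifies bundle.crt proxy.crt proxy.example.com &&
  # ... whereas the untouched internal-only bundle would reject the new Foreman cert
  ! verifies internal.crt foreman.crt foreman.example.com
}

trust_ok && echo "combined bundle verifies both the Foreman and the smart-proxy certificate"
```

The same `openssl verify -CAfile <bundle> -verify_hostname <fqdn> <cert>` call is a quick way to confirm, before restarting anything, that a proxy's real CA bundle will accept the new Foreman certificate; if it fails against the bundle you intend to deploy, the proxies will fail in the same way.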
I did try to use my own certs before, but I ran into issues with Katello, and I've not since found a good guide to using custom certs for the UI. Using my own certs broke Katello. I am considering running the UI behind a transparent proxy but don't see the immediate win in doing that. That's why I'm hopeful that a future version of Foreman can use LE certs automatically, similar to how Proxmox brought the feature into itself.