Force update of certificate in Satellite

May 4, 2017 - Reading time: 2 minutes

I needed to update our certificate for Satellite and capsule to include SAN to get around issues in Chrome 58. In this tutorial we use a single certificate for both the Satellite and capsule(s) servers. 

This is what I did:

First create a CSR that contains the SAN field

san.cnf  (you only have to adapt the DNS.? fields)

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
DNS.1   =
DNS.2   =

Next generate the CSR using this config

openssl req -out satellite.csr -newkey rsa:4096 -nodes -keyout satellite.key -config san.cnf

Next validate your CSR against your CA or SSL provider.

And now we are going to update the Satellite (as root on the satellite server)

satellite-installer --certs-server-cert /home/koen/satellite.cer --certs-server-cert-req /home/koen/satellite.csr --certs-server-key /home/koen/satellite.key --certs-server-ca-cert /etc/pki/ca-trust/source/anchors/CA01.crt --certs-update-server --certs-update-server-ca

And optionel create the package for the capsule server using the same certificate (since we have both FQDNs in the SAN field) (still as root on the satellite server)

capsule-certs-generate --capsule-fqdn "" --certs-tar /root/sat_cert/ --server-cert /home/koen/satellite.cer --server-cert-req /home/koen/satellite.csr --server-key /home/koen/satellite.key --server-ca-cert /etc/pki/ca-trust/source/anchors/CA01.crt --regenerate --regenerate-ca --certs-update-server

Which will tell you how to install it on the capsule server. Next you can restart the katello-service on both machines and check if everything has been updated with the new cert.

katello-service restart



Koen Diels

I'm a freelance system and network engineer from Mechelen (BE) and I'm available for ad-hoc and long term projects.

>>my resume<<