Replace Expired Red Hat Satellite Certificates

Introduction

Research

Fixing the Issue

Create New TLS Certificates

Initializing the Signing Host

The `openssl ca` command used later keeps its issuance database (index and serial files) under /etc/pki/CA, so these files must exist before the first certificate is signed.

[root@satellite ~]# touch /etc/pki/CA/index.txt
[root@satellite ~]# echo '1000' | sudo tee /etc/pki/CA/serial
1000

Creating a Certificate Authority

The CA key generated below is written unencrypted (no cipher option is given to genrsa), so keep /root/satellite_cert readable by root only. Give the CA a Common Name that differs from the server certificate's Common Name (for example an organisation-wide "Satellite CA" name rather than the satellite hostname); when the CA and the server certificate carry an identical subject, the server certificate's subject equals its issuer and verification can treat it as self-signed and reject it.

# mkdir -p /root/satellite_cert

# openssl genrsa \
-out /root/satellite_cert/satellite_cert_ca_key.pem 4096

# openssl req \
-key /root/satellite_cert/satellite_cert_ca_key.pem \
-new -x509 -days 7300 -extensions v3_ca \
-out /root/satellite_cert/satellite_cert_ca_crt.pem

Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:SP
Locality Name (eg, city) [Default City]:Sao Paulo
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Section
Common Name (eg, your name or your server's hostname) []:satellite.example.com
Email Address []:support@domain.com

Adding the Certificate Authority to the OS Trust Store

# cp -v /root/satellite_cert/satellite_cert_ca_crt.pem /etc/pki/ca-trust/source/anchors/

Update the Linux CA trust store

# update-ca-trust extract

Creating an SSL/TLS Key

# openssl genrsa \
-out /root/satellite_cert/satellite_cert_key.pem 4096

Creating an SSL/TLS Certificate Signing Request

# cd /root/satellite_cert

# cp /etc/pki/tls/openssl.cnf /root/satellite_cert/openssl.conf

# vi /root/satellite_cert/openssl.conf

(...)
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SP
localityName = Locality Name (eg, city)
localityName_default = Sao Paulo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Section
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = satellite.example.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = support@domain.com
emailAddress_max = 64
(...)

(...)
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
IP.1 = PUT YOUR HOST IP HERE
DNS.1 = satellite.example.com
(...)
# openssl req -new \
-key /root/satellite_cert/satellite_cert_key.pem \
-config /root/satellite_cert/openssl.conf \
-out /root/satellite_cert/satellite_cert_csr.pem
# openssl ca \
-config /root/satellite_cert/openssl.conf \
-extensions v3_req \
-days 7300 \
-in /root/satellite_cert/satellite_cert_csr.pem \
-out /root/satellite_cert/satellite_cert_crt.pem \
-cert /root/satellite_cert/satellite_cert_ca_crt.pem \
-keyfile /root/satellite_cert/satellite_cert_ca_key.pem
# katello-certs-check \
-c /root/satellite_cert/satellite_cert_crt.pem \
-k /root/satellite_cert/satellite_cert_key.pem \
-r /root/satellite_cert/satellite_cert_csr.pem \
-b /root/satellite_cert/satellite_cert_ca_crt.pem

Update Certificates on the Satellite

# satellite-installer \
--scenario satellite \
--certs-server-cert "/root/satellite_cert/satellite_cert_crt.pem" \
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/satellite_cert/satellite_cert_ca_crt.pem" \
--certs-update-server \
--certs-update-server-ca

Check hammer

# hammer location list
---|-------|------|------------
ID | TITLE | NAME | DESCRIPTION
---|-------|------|------------
2 | PROD | PROD |Production
---|-------|------|------------

Finishing
