Replace Expired Red Hat Satellite Certificates

This one took me a whole day to figure out. There are plenty o documentation about this, but none of them explain how to proper build and replace an expired CA and self signed Satellite certificate. So I decided to share my experience to make things easier for the ones who need this information.



After talking to some co-workers, I understood that the process should continue with the creation of custom certificates. However, the documentation on this is somewhat vague, and the example OpenSSL configuration used to generate the CA was incomplete.

Fixing the Issue

Create New TLS Certificates

Initializing the Signing Host

[root@satellite ~]# touch /etc/pki/CA/index.txt
[root@satellite ~]# echo '1000' | sudo tee /etc/pki/CA/serial

Creating a Certificate Authority

# mkdir -p /root/satellite_cert

# openssl genrsa \
-out /root/satellite_cert/satellite_cert_ca_key.pem 4096

# openssl req \
-key /root/satellite_cert/satellite_cert_ca_key.pem \
-new -x509 -days 7300 -extensions v3_ca \
-out /root/satellite_cert/satellite_cert_ca_crt.pem

Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:SP
Locality Name (eg, city) [Default City]:Sao Paulo
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Section
Common Name (eg, your name or your server's hostname) []
Email Address []

Adding the Certificate Authority to OS

# cp -v /root/satellite_cert/satellite_cert_ca_crt.pem /etc/pki/ca-trust/source/anchors/

Update Linux CA’s

# update-ca-trust extract

Creating an SSL/TLS Key

# openssl genrsa \
-out /root/satellite_cert/satellite_cert_key.pem 4096 -days 7300

Creating an SSL/TLS Certificate Signing Request

CSR Config

# cd /root/satellite_cert

# cp /etc/pki/tls/openssl.cnf .

# vi /root/satellite_cert/openssl.conf

[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SP
localityName = Locality Name (eg, city)
localityName_default = Sao Paulo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Section
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default =
commonName_max = 64
emailAddress = Email Address
emailAddress_default =
emailAddress_max = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 =

CSR Request

# openssl req -new \
-key /root/satellite_cert/satellite_cert_key.pem \
-config /root/satellite_cert/openssl.conf \
-out /root/satellite_cert/satellite_cert_csr.pem

Creating the SSL/TLS Certificate

# openssl ca \
-config /root/satellite_cert/openssl.conf \
-extensions v3_req \
-days 7300 \
-in /root/satellite_cert/satellite_cert_csr.pem \
-out /root/satellite_cert/satellite_cert_crt.pem \
-cert /root/satellite_cert/satellite_cert_ca_crt.pem \
-keyfile /root/satellite_cert/satellite_cert_ca_key.pem

Validate The Certificates

# katello-certs-check \
-c /root/satellite_cert/satellite_cert_crt.pem \
-k /root/satellite_cert/satellite_cert_key.pem \
-r /root/satellite_cert/satellite_cert_csr.pem \
-b /root/satellite_cert/satellite_cert_ca_crt.pem

Update Certificates on the Satellite

# satellite-installer \
--scenario satellite \
--certs-server-cert "/root/satellite_cert/satellite_cert_crt.pem" \
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/satellite_cert/satellite_cert_ca_crt.pem" \
--certs-update-server \

Check hammer

# hammer location list
2 | PROD | PROD |Production




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Andre Rocha

I'm just a SysAdmin with some experience in OpenSource, DevOps and Datacenter Services, who likes to share knowledge.