Replace Expired Red Hat Satellite Certificates

Andre Rocha
4 min readMar 30, 2022

This one took me a whole day to figure out. There are plenty o documentation about this, but none of them explain how to proper build and replace an expired CA and self signed Satellite certificate. So I decided to share my experience to make things easier for the ones who need this information.


It all started with the need to upgrade an old Satellite 6.3 to a newer version. The environment was without maintenance for a while, and the digital certificates were already expired, which prevented the upgrade process from being carried out.


All documentation I found pointed to actions that would not solve the case. There seems to be no consensus on this, and it is precisely the missing points that prevented the work from being carried out successfully.

After talking to some co-workers, I understood that the process should continue with the creation of custom certificates. However, the documentation on this is somewhat vague, and the example OpenSSL configuration used to generate the CA was incomplete.

Fixing the Issue

Through previous experiences with OpenStack deployment, I used this knowledge to correctly configure OpenSSL and thus be able to successfully generate certificates. I will present the details below.

Create New TLS Certificates

Just follow the procedure below and everything should work as it should.

Initializing the Signing Host

[root@satellite ~]# touch /etc/pki/CA/index.txt
[root@satellite ~]# echo '1000' | sudo tee /etc/pki/CA/serial

Creating a Certificate Authority

Be sure to customize information according to your environment.

# mkdir -p /root/satellite_cert

# openssl genrsa \
-out /root/satellite_cert/satellite_cert_ca_key.pem 4096

# openssl req \
-key /root/satellite_cert/satellite_cert_ca_key.pem \
-new -x509 -days 7300 -extensions v3_ca \
-out /root/satellite_cert/satellite_cert_ca_crt.pem

Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:SP
Locality Name (eg, city) [Default City]:Sao Paulo
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Section
Common Name (eg, your name or your server's hostname) []
Email Address []

Adding the Certificate Authority to OS

# cp -v /root/satellite_cert/satellite_cert_ca_crt.pem /etc/pki/ca-trust/source/anchors/

Update Linux CA’s

# update-ca-trust extract

Creating an SSL/TLS Key

We will create keys and certificates valid for 20 years. Exaggerated? Maybe. But for an environment that is not usually maintained, this may be reasonable.

# openssl genrsa \
-out /root/satellite_cert/satellite_cert_key.pem 4096 -days 7300

Creating an SSL/TLS Certificate Signing Request

This is the most important part of the process. Pay attention to details, otherwise things won’t work out.

CSR Config

Be sure to customize the information according to your environment. Add the missing lines if needed.

# cd /root/satellite_cert

# cp /etc/pki/tls/openssl.cnf .

# vi /root/satellite_cert/openssl.conf

[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SP
localityName = Locality Name (eg, city)
localityName_default = Sao Paulo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Section
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default =
commonName_max = 64
emailAddress = Email Address
emailAddress_default =
emailAddress_max = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 =

CSR Request

# openssl req -new \
-key /root/satellite_cert/satellite_cert_key.pem \
-config /root/satellite_cert/openssl.conf \
-out /root/satellite_cert/satellite_cert_csr.pem

Creating the SSL/TLS Certificate

# openssl ca \
-config /root/satellite_cert/openssl.conf \
-extensions v3_req \
-days 7300 \
-in /root/satellite_cert/satellite_cert_csr.pem \
-out /root/satellite_cert/satellite_cert_crt.pem \
-cert /root/satellite_cert/satellite_cert_ca_crt.pem \
-keyfile /root/satellite_cert/satellite_cert_ca_key.pem

Validate The Certificates

Now use Katello to verify that the generated certificates are suitable for use by the Satellite.

# katello-certs-check \
-c /root/satellite_cert/satellite_cert_crt.pem \
-k /root/satellite_cert/satellite_cert_key.pem \
-r /root/satellite_cert/satellite_cert_csr.pem \
-b /root/satellite_cert/satellite_cert_ca_crt.pem

Update Certificates on the Satellite

This step will update the certificates on all satellite components where this is needed. During a troubleshooting I did, I noticed that the certificate was not updated in Tomcat. However, according to the documentation, Tomcat will never use the certificates we are creating.

# satellite-installer \
--scenario satellite \
--certs-server-cert "/root/satellite_cert/satellite_cert_crt.pem" \
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/satellite_cert/satellite_cert_ca_crt.pem" \
--certs-update-server \

Check hammer

If the update was successful, check if the hammer is functional.

# hammer location list
2 | PROD | PROD |Production


Work done! You can now proceed with the Satellite environment upgrade. I hope this article has helped you in some way. If you need it, send me a message and I’ll try to help.

Did you like this post? Take a look at to read more interesting content.



Andre Rocha

I'm just a SysAdmin with some experience in OpenSource, DevOps and Datacenter Services, who likes to share knowledge.