Bug 873753

Summary: [RFE] Support for custom server certificates
Product: Red Hat Satellite Reporter: Jason Montleon <jmontleo>
Component: Content ManagementAssignee: Ivan Necas <inecas>
Status: CLOSED CURRENTRELEASE QA Contact: Katello QA List <katello-qa-list>
Severity: high Docs Contact:
Priority: high    
Version: 6.0.0CC: bbuckingham, cwelton, ehelms, inecas, jomara, kabbott, roysjosh, shughes, sthirugn, tomckay, xdmoon
Target Milestone: UnspecifiedKeywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/6875
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-11 12:22:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 754728, 1115190    

Description Jason Montleon 2012-11-06 16:12:28 UTC 
Description of problem:
System Engine generates its own CA Cert during install and uses it for the Web UI and signing other certs used for communication between pulp, candlepin, and AMQP.

Issues with this, outlined at https://fedorahosted.org/katello/wiki/CertsRedesign, along with a lot more detail are:

    all server certs are signed by Candlepin CA
    Candlepin CA serves as both server cert and CA cert
        its key is not password protected
        its key is accessible by three system users 
    certs are not trusted
    no multihome support 

Version-Release number of selected component (if applicable):
System Engine 1.1 Beta

Thus far https://bugzilla.redhat.com/show_bug.cgi?id=754728 to document the process for replacing the CA with a subordinate CA signed by our CA has not been completed, and I have been told that the process will not be supported until 2.0.

How reproducible:
Always

Steps to Reproduce:
1. Install System Engine
  
Actual results:
See that the CA Cert created during install is used as the server cert and the CA Cert for signing  other certs. Look for documentation on replacing the CA Cert with a subordinate CA signed by your organizations CA and see that there is none. 

Expected results:
We should be able to replace the cert for the Web UI with a standard SSL cert signed by our CA. We should also have the option of replacing the CA Cert created during install with a subordinate CA cert signed by our CA Cert.

Additional info:
Comment 2 Ivan Necas 2014-08-01 09:08:27 UTC 
Created redmine issue http://projects.theforeman.org/issues/6875 from this bug
Comment 4 Ivan Necas 2014-08-04 15:44:43 UTC 
The fix is proposed at https://github.com/Katello/katello-installer/pull/94,

see https://github.com/iNecas/katello-installer/blob/issue/6875/README.md#certificates for more details on how the changes support setting the custom certs
Comment 7 Ivan Necas 2014-08-19 11:04:12 UTC 
Updated as part of https://github.com/Katello/katello-installer/pull/94
Comment 11 Bryan Kearney 2014-09-11 12:22:28 UTC 
This was delivered with Satellite 6.0 which was released on 10 September 2014.