I was able to sign an admin (read: user) certificate with my own CA and have pulp accept it.

Relevant snippet from the admin certificate that was given to me by pulp:

    Issuer: CN=localhost

Relevant snippet from my self-signed certificate:

    Issuer: C=US, ST=New Jersey, L=Mickleton, O=Red Hat, OU=Cloud Enablement, CN=redhat.com

The CA information in /etc/pki/pulp/ca.crt:

    Subject: CN=localhost

Using my self-signed certificate, I'm able to make commands against the pulp server:

    # Show that the admin certificate is the one I signed:
    -> openssl x509 -text -in ~/.pulp/admin-cert.crt | head -6
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, ST=New Jersey, L=Mickleton, O=Red Hat, OU=Cloud Enablement, CN=redhat.com

    # Make a command against pulp, which will use that certificate:
    -> sudo pulp-admin repo list
    No repositories available to list

In my /etc/http/conf.d/pulp.conf:

    # Example ssl cert and key files to get you started.
    # This MUST match /etc/pulp/pulp.conf [security] 'cacert'.
    SSLCACertificateFile /etc/pki/pulp/ca.crt
Closing as not a bug. I didn't realize we renamed the client's certificate to user-cert.pem and was doing my test against admin-cert.pem.
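
A check for which certificates a CA file like the one named in SSLCACertificateFile would accept, as an added example that is not part of the original report or pulp's code. It builds two throwaway CAs in a temp directory; every file name, subject and the helper function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: all keys and certificates are throwaway files in a temp dir.

# chains_to_ca CA_FILE CERT_FILE: succeed only if CERT_FILE verifies against CA_FILE.
# Matches on the ": OK" output because old OpenSSL releases exit 0 even on failure.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_ca DIR NAME SUBJECT: create a self-signed CA (NAME.key / NAME.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# issue_cert DIR CA_NAME OUT_NAME: sign a client certificate (CN=admin) with that CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=admin" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial 2 -days 1 -out "$1/$3.crt" >/dev/null 2>&1
}

# demo: print one "<cert>=accepted|rejected" verdict per certificate.
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" server_ca "/CN=localhost"                    # stands in for the server's CA file
    make_ca "$d" other_ca "/O=Example Org/CN=example.test"    # a CA the server does not trust
    issue_cert "$d" server_ca issued_by_server_ca
    issue_cert "$d" other_ca issued_by_other_ca
    result=""
    for c in issued_by_server_ca issued_by_other_ca; do
        if chains_to_ca "$d/server_ca.crt" "$d/$c.crt"; then
            verdict=accepted
        else
            verdict=rejected
        fi
        result="${result:+$result }$c=$verdict"
    done
    rm -rf "$d"
    printf '%s\n' "$result"
}

demo
```

Running `chains_to_ca` against the certificate file the client actually loads, rather than one assumed to be in use, is the check that settles a report like this one.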