Hello,

current version of Katello installer deploys several certificates, which are currently not uses by this backend engine. The complete list can be found here:

https://fedorahosted.org/katello/wiki/Certificates#Katellopuppetinstallergenerates

(chapter "Katello puppet installer generates")

The idea is Katello (and it's installer) will generate all necesarry certificates for all backend engines. All will be signed with the only one CA (also generated by the Katello installer - /usr/share/katello/RHN-ORG-TRUSTED-SSL-CERT).

Purpose of this task is to install current version of Katello (you can use our beaker test - I can provide you a link) and to configure the backend engine to use new Katello generated certificates. Possible outcome:

1) Only configuration change - backend engine only needs to be reconfigured. Please collect all the required steps which are needed in this BZ.

2) Configuration change + change in the backend engine code - since certificates will be signed with a different CA, some changes may be needed to get it working. Please link all possible RHBZ with this one. Once changes are done, 

3) Some more certificates needs to be generated - please provide us information about what particular certificate is missing, what format is expected and what is the preferred directory. We will add new generation step in our installer.

4) None of above - let's setup a meeting where we discuss other options if there are any issues.

Please cover all parts of the backend engine where certificates are involved.

In case of Candlepin, the following certificates should be relevant:

/etc/pki/katello/keystore - for tomcat
? - the Candlepin CA - Q - can we create this CA and sign it with the Katello CA? 
? - any other certificates are needed for Candlepin?

This RHBZ is more or less a "tracking" ticket. Please contact me (lzap) if you have any questions or issues. Many thanks for help.