[RFE] Support for custom server certificates
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=873753
Description of problem:
System Engine generates its own CA Cert during install and uses it for the Web UI and signing other certs used for communication between pulp, candlepin, and AMQP.
Issues with this, outlined at https://fedorahosted.org/katello/wiki/CertsRedesign, along with a lot more detail are:
all server certs are signed by Candlepin CA
Candlepin CA serves as both server cert and CA cert
its key is not password protected
its key is accessible by three system users
certs are not trusted
no multihome support
Version-Release number of selected component (if applicable):
System Engine 1.1 Beta
Thus far https://bugzilla.redhat.com/show_bug.cgi?id=754728 to document the process for replacing the CA with a subordinate CA signed by our CA has not been completed, and I have been told that the process will not be supported until 2.0.
Steps to Reproduce:
1. Install System Engine
See that the CA Cert created during install is used as the server cert and the CA Cert for signing other certs. Look for documentation on replacing the CA Cert with a subordinate CA signed by your organizations CA and see that there is none.
We should be able to replace the cert for the Web UI with a standard SSL cert signed by our CA. We should also have the option of replacing the CA Cert created during install with a subordinate CA cert signed by our CA Cert.
Refs #6875 - separate the default CA and server CA
Up until now, we used the default CA for both server and client certificates.
This made practically impossible to issue the server certificates outside of
the installer and pass it in as arguments.
By default, the server CA is the same as default CA, unless the $server_ca_cert
In the bootstrap rpm, we ship both server CA (for verifying the server) as well
the default CA (for verifying the qpid by the gofer).
Fixes #6875 - Ability to pass own server certs for apache and smart-proxy
Also ability to renew the sever or all certs
#8 Updated by Ivan Necas over 6 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset katello-installer|dd1f7daeafcd67a4d98c8d7165f883ec4a9e0e7a.