Rectify differences in the custom SSL CSR for LB and Smart Proxy (#2832)

There are differences in the `openssl.cnf` files created for cert signing requests for LB and for Smart Proxy: - guides/common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc > LB custom SSL CSR file - guides/common/modules/proc_creating-a-custom-ssl-certificate.adoc > Smart Proxy custom SSL CSR file BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2256021 * Additional changes suggested in PR - Dropped x509 section. - Separated DN infomation into separate "Optional" section. - Changed required extenstions to `v3_req`. * Merge both files into a single module Merge `proc_creating-a-custom-ssl-certificate.adoc` and `proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc` into a single file using attributes to differentiate the steps required by each. Co-authored-by: Zuzana Lena Ansorgová <zuansorg@redhat.com>
theforeman · Apr 22, 2024 · b366b61 · b366b61
1 parent d6d7283
commit b366b61
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 117 deletions.
diff --git a/guides/common/assembly_configuring-capsule-custom-server-certificate.adoc b/guides/common/assembly_configuring-capsule-custom-server-certificate.adoc
@@ -11,8 +11,12 @@ To configure your {SmartProxyServer} with a custom certificate, complete the fol
 . xref:deploying-a-custom-ssl-certificate-to-{smart-proxy-context}-server_{smart-proxy-context}[]
 . xref:deploying-a-custom-ssl-certificate-to-hosts_{smart-proxy-context}[]
 
+:ssl-common-name: {smartproxy-example-com}
+:cert-name: {smart-proxy-context}
 //Creating a Custom SSL Certificate for {SmartProxyServer}
 include::modules/proc_creating-a-custom-ssl-certificate.adoc[leveloffset=+1]
+:!cert-name:
+:!ssl-common-name:
 
 include::modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc[leveloffset=+1]
 

diff --git a/guides/common/assembly_configuring-satellite-custom-server-certificate.adoc b/guides/common/assembly_configuring-satellite-custom-server-certificate.adoc
@@ -25,8 +25,12 @@ To configure your {ProjectServer} with a custom certificate, complete the follow
 . If you have external {SmartProxyServers} registered to {ProjectServer}, configure them with custom SSL certificates.
 For more information, see {InstallingSmartProxyDocURL}configuring-capsule-custom-server-certificate_{smart-proxy-context}[Configuring {SmartProxyServer} with a Custom SSL Certificate] in _{InstallingSmartProxyDocTitle}_.
 
+:ssl-common-name: {foreman-example-com}
+:cert-name: {project-context}
 //Creating a Custom SSL Certificate for {ProjectServer}
 include::modules/proc_creating-a-custom-ssl-certificate.adoc[leveloffset=+1]
+:!cert-name:
+:!ssl-common-name:
 
 //Deploying a Custom SSL Certificate to {ProjectServer}
 include::modules/proc_deploying-a-custom-ssl-certificate-to-satellite-server.adoc[leveloffset=+1]

diff --git a/guides/common/modules/proc_creating-a-custom-ssl-certificate.adoc b/guides/common/modules/proc_creating-a-custom-ssl-certificate.adoc
@@ -11,12 +11,17 @@ On {ProjectServer}, create a custom certificate for your {ProductName}.
 If you already have a custom SSL certificate for {ProductName}, skip this procedure.
 endif::[]
 
+ifdef::load-balancing[]
+This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and {SmartProxyServer} as Subject Alternative Names (SAN).
+Complete this procedure on each {SmartProxyServer} that you want to configure for load balancing.
+endif::[]
+
 .Procedure
 . To store all the source certificate files, create a directory that is accessible only to the `root` user:
 +
 [options="nowrap", subs="+quotes,attributes"]
 ----
-# mkdir /root/{context}_cert
+# mkdir /root/{cert-name}_cert
 ----
 . Create a private key with which to sign the certificate signing request (CSR).
 +
@@ -27,45 +32,69 @@ If you already have a private key for this {ProductName}, skip this step.
 +
 [options="nowrap", subs="+quotes,attributes"]
 ----
-# openssl genrsa -out `/root/{context}_cert/{context}_cert_key.pem` 4096
+# openssl genrsa -out `/root/{cert-name}_cert/{cert-name}_cert_key.pem` 4096
 ----
-. Create the `/root/{context}_cert/openssl.cnf` configuration file for the CSR and include the following content:
+
+ifndef::load-balancing[]
+. Create the `/root/{cert-name}_cert/openssl.cnf` configuration file for the CSR and include the following content:
 +
 [options="nowrap", subs="+quotes,attributes"]
 ----
 [ req ]
 req_extensions = v3_req
 distinguished_name = req_distinguished_name
-x509_extensions = usr_cert
 prompt = no
 
 [ req_distinguished_name ]
-CN = _{context}.example.com_
+commonName = _{ssl-common-name}_
 
 [ v3_req ]
 basicConstraints = CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
 subjectAltName = @alt_names
 
-[ usr_cert ]
-basicConstraints=CA:FALSE
-nsCertType = client, server, email
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ alt_names ]
+DNS.1 = _{ssl-common-name}_ 
+----
+endif::[]
+
+ifdef::load-balancing[]
+. Create the `/root/{cert-name}_cert/openssl.cnf` configuration file for the CSR and include the following content:
++
+[options="nowrap", subs="+quotes,attributes"]
+----
+[ req ]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+x509_extensions = usr_cert
+prompt = no
+
+[ req_distinguished_name ]
+commonName = _{ssl-common-name}_ <1>
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
+subjectAltName = @alt_names
 
-[ alt_names ]
-DNS.1 = _{context}.example.com_
+[alt_names] <2>
+DNS.1 = _{loadbalancer-example-com}_
+DNS.2 = _{smartproxy-example-com}_
 ----
-Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the `[ req_distinguished_name ]` section:
+<1> The certificate's common name must match the FQDN of {SmartProxyServer}.
+Ensure to change this when running the command on each {SmartProxyServer} that you configure for load balancing.
+You can also set a wildcard value `*`.
+If you set a wildcard value, you must add the `-t {certs-proxy-context}` option when you use the `katello-certs-check` command.
+<2> Under `[alt_names]`, include the FQDN of the load balancer as `DNS.1` and the FQDN of {SmartProxyServer} as `DNS.2`.
+endif::[]
+. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the `[ req_distinguished_name ]` section:
 +
 [options="nowrap", subs="+quotes,attributes"]
 ----
 [req_distinguished_name]
-CN = _{context}.example.com_
+CN = _{ssl-common-name}_
 countryName =_My_Country_Name_ <1>
 stateOrProvinceName = _My_State_Or_Province_Name_ <2>
 localityName = _My_Locality_Name_ <3>
@@ -81,17 +110,35 @@ organizationalUnitName = _My_Organizational_Unit_Name_ <4>
 [options="nowrap", subs="+quotes,attributes"]
 ----
 # openssl req -new \
--key _/root/{context}_cert/{context}_cert_key.pem_ \ <1>
--config _/root/{context}_cert/openssl.cnf_ \ <2>
--out _/root/{context}_cert/{context}_cert_csr.pem_ <3>
+-key _/root/{cert-name}_cert/{cert-name}_cert_key.pem_ \ <1>
+-config _/root/{cert-name}_cert/openssl.cnf_ \ <2>
+-out _/root/{cert-name}_cert/{cert-name}_cert_csr.pem_ <3>
 ----
 <1> Path to the private key
 <2> Path to the configuration file
 <3> Path to the CSR to generate
-
 . Send the certificate signing request to the certificate authority (CA).
 The same CA must sign certificates for {ProjectServer} and {SmartProxyServer}.
 +
 When you submit the request, specify the lifespan of the certificate.
 The method for sending the certificate request varies, so consult the CA for the preferred method.
 In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
+ifdef::load-balancing[]
+. Copy the Certificate Authority bundle and {SmartProxyServer} certificate file that you receive from the Certificate Authority, and {SmartProxyServer} private key to your {ProjectServer}.
+. On {ProjectServer}, validate {SmartProxyServer} certificate input files:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# katello-certs-check \
+-c /root/{cert-name}_cert/{cert-name}_cert.pem \ <1>
+-k /root/{cert-name}_cert/{cert-name}_cert_key.pem \ <2>
+-b /root/{cert-name}_cert/ca_cert_bundle.pem <3>
+----
+<1> {SmartProxyServer} certificate file, provided by your Certificate Authority
+<2> {SmartProxyServer}’s private key that you used to sign the certificate
+<3> Certificate Authority bundle, provided by your Certificate Authority
++
+If you set the `commonName=` to a wildcard value `*`, you must add the `-t {certs-proxy-context}` option to the `katello-certs-check` command.
++
+Retain a copy of the example `{certs-generate}` command that is output by the `katello-certs-check` command for creating the Certificate Archive File for this {SmartProxyServer}.
+endif::[]
diff --git a/...ommon/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc b/...ommon/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc
diff --git a/guides/doc-Configuring_Load_Balancer/master.adoc b/guides/doc-Configuring_Load_Balancer/master.adoc
@@ -1,5 +1,6 @@
 include::common/attributes.adoc[]
 include::common/header.adoc[]
+:load-balancing:
 :context: load-balancing
 
 = {ConfiguringLoadBalancerDocTitle}
@@ -34,16 +35,28 @@ include::common/modules/proc_configuring-remaining-smart-proxy-servers-with-defa
 
 include::common/modules/con_configuring-smart-proxy-server-with-custom-ssl-certificates-for-load-balancing-without-puppet.adoc[leveloffset=+2]
 
-include::common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc[leveloffset=+3]
+:ProductName: {SmartProxyServer}
+:ssl-common-name: {smartproxy-example-com}
+:cert-name: {smart-proxy-context}
+include::common/modules/proc_creating-a-custom-ssl-certificate.adoc[leveloffset=+3]
+:!cert-name:
+:!ssl-common-name:
+:!ProductName:
 
 include::common/modules/proc_configuring-smart-proxy-server-with-custom-ssl-certificates-for-load-balancing-without-puppet.adoc[leveloffset=+3]
 
 include::common/modules/con_configuring-smart-proxy-server-with-custom-ssl-certificates-for-load-balancing-with-puppet.adoc[leveloffset=+2]
 
+:ProductName: {SmartProxyServer}
+:ssl-common-name: {smartproxy-example-com}
+:cert-name: {smart-proxy-context}
 :parent-context: {context}
 :context: load-balancing-with-custom-ssl-certificates-with-puppet
-include::common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc[leveloffset=+3]
+include::common/modules/proc_creating-a-custom-ssl-certificate.adoc[leveloffset=+3]
 :context: {parent-context}
+:!cert-name:
+:!ssl-common-name:
+:!ProductName:
 
 include::common/modules/proc_configuring-smart-proxy-server-with-custom-ssl-certificates-to-generate-and-sign-puppet-certificates.adoc[leveloffset=+3]