Skip to content

Certificate workflow support #297

New issue
New issue
Open
Open
Certificate workflow support#297
@ehelms

Description

@ehelms
ehelms
opened on Nov 12, 2025

Summary

The current certificate implementation lacks support for CNAME (Subject Alternative Names) configuration, direct user input for custom certificates, and providing complete certificate stacks. The first two are gaps from the existing foreman-installer supported workflows and the latter is a feature that has long been requested by users.

Current State

Certificate Generation:

  • Only supports single hostname via subjectAltName = DNS:{{ certificates_hostname }}
  • Certificate generation limited to default source (self-generated)

Custom Certificate Support:

  • installer certificate source exists but targets legacy paths
  • No direct way for users to provide custom certificate files as deploy parameters
  • Missing CNAME/SAN support for multi-domain certificates
  • No streamlined approach for complete certificate bundles

Proposed Solutions

1. CNAME Support

Add direct parameter support for multiple DNS names:

New Parameter:

foremanctl deploy --certificate-cnames="foreman.example.com,satellite.example.com,api.example.com"

2. Providing custom certificates for server components

This scenario follows the current method that allows users to provide their own certificates for the server certificates.
This is needed for continuity of upgrades.
Add direct certificate file parameters for replacing just the server certificates, and not the client/Candlepin CA:

foremanctl deploy
  --certificate-server-cert=</path/to/server.crt>
  --certificate-server-key=</path/to/server.key>
  --certificate-server-ca-cert=</path/to/ca.crt>

3. Providing the entire certificate stack

This scenario aims to provide new functionality heavily requested by users to provide the entire certificate stack.

Server Certificate Parameters (Co-Required):

foremanctl deploy
  --certificate-server-cert=</path/to/server.crt>
  --certificate-server-key=</path/to/server.key>
  --certificate-server-ca-cert=</path/to/ca.crt>
  --certificate-localhost-cert=</path/to/localhost.crt>
  --certificate-localhost-key=</path/to/localhost.key>
  --certificate-client-cert=</path/to/client.crt>
  --certificate-client-key=</path/to/client.key>
  --certificate-client-ca-cert=</path/to/ca.crt>
  --certificate-ca-cert=</path/to/ca.crt>
  --certificate-ca-key=</path/to/ca.key>

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions