Forge Home


Deploys CA and required certs for a Foreman and Katello installation.


136 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 16.0.2 (latest)
  • 16.0.1
  • 16.0.0
  • 15.1.1
  • 15.1.0
  • 15.0.0
  • 14.0.0
  • 13.0.0
  • 12.0.0
  • 11.0.0
  • 10.1.0
  • 10.0.0
  • 9.0.0
  • 8.0.0
  • 7.0.0
  • 6.1.1
  • 6.1.0
  • 6.0.2
  • 6.0.1
  • 6.0.0
  • 5.1.2
  • 5.1.1
  • 5.1.0
  • 5.0.0
  • 4.4.3
  • 4.4.2
  • 4.4.1
  • 4.4.0
  • 4.3.0
  • 4.2.0
  • 4.1.0
  • 4.0.1
  • 4.0.0
  • 3.1.0
  • 3.0.1
  • 3.0.0
  • 2.0.1
  • 2.0.0
  • 1.0.1
  • 1.0.0
  • 0.7.5
  • 0.7.4
  • 0.7.2
  • 0.7.1
  • 0.7.0
  • 0.6.0
  • 0.5.0
  • 0.4.1
  • 0.4.0
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Jun 19th 2023
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x
  • Puppet >= 6.15.0 < 8.0.0
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'katello-certs', '16.0.2'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add katello-certs
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install katello-certs --version 16.0.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



katello/certs — version 16.0.2 Jun 19th 2023

Table of Contents

  1. Overview
  2. Reference - An under-the-hood peek at what the module is doing and how
  3. Development - Guide for contributing to the module


This module is responsible for generating a CA and certificate used for communication between services inside the Katello deployment.

What certs affects

  • Installs and deploys a CA
  • Deploys certificates generated from the CA


  • default CA - a CA generated by the installer used by the installer
  • server CA - CA used for issuing the server certificates and it's used to verify the server identity; when not specified otherwise, the default CA is used
  • puppet CA - a CA controlled by Puppet for Puppet Agents authentication (not covered by this module)

Certificates overview

cert purpose CA
${hostname}-apache a server certificate for Apache https server
${hostname}-foreman-proxy a server certificate for Foreman-proxy https server
${hostname}-foreman-client a client certificate for Foreman -> Foreman-proxy communication default
${hostname}-puppet-client a client certificate for Puppet ENC -> Foreman communication default
${hostname}-parent-cert a client certificate to read content from Pulp parent (distributed to the child over qpid) default
${hostname}-qpid-broker a client certificate for qpid broker default
${hostname}-qpid-client-cert a client certificate for Pulp to connect to qpid default
java-client a client certificate for Candlepin to connect to qpid default


The certificates are configured in three phases:

  1. generation - producing a certificate; in this phase, the $generate parameter of the cert resources is set to true
  2. deployment - installing a certificate into a system that will use it; in this phase, a $deploy parameter of the cert resources is set to true; this allows to generate the certificates on one machine while deploying on another
  3. configuration - placing a files with keys to specific locations where the services will be configured to read them from, using the pubkey, privkey and key_bundle types, the certs need to be generated and deployed on given system before being able to use it

Types and providers

There is a set of custom Puppet types defined for defining the cert-specific resources:

  • ca - represents an authority that can be used for issuing certificates
  • cert - represents a certificate, the CA of the certs is specified by a ca property, where the keys are stored should be might be implementation specific and pubkey and privkey should be used for using the cert keys
  • pubkey - a file to copy a public key of a cert to. It produces event on subscribed resources when a certificate changes (useful for restarting a service when the certificate changes)
  • privkey - a file to copy a private key of a cert to. It produces event on subscribed resources when a certificate changes (useful for restarting a service when the certificate changes)
  • key_bundle - a file to copy both public and private key of a cert.

For now, the only implemented provider of the type is katello_ssl_tool. It works as follow:

  1. generation - the artefact of this phase is an RPM with the keys for the certificate; the RPMs, as well as other files generated in the process, are located in /root/ssl-build directory

  2. deployment - installing the RPMs into the system; the certificates are located in /etc/pki/katello-certs-tools/ directory


See the CONTRIBUTING guide for steps on how to make a change and get it accepted upstream.