Add CA cert refreshing on hosts

guides/common/assembly_refreshing-ca-certificates-on-hosts.adoc

@@ -0,0 +1,7 @@
+include::modules/con_refreshing-ca-certificates-on-hosts.adoc[]
+
+include::modules/proc_deploying-a-ca-certificate-on-a-host-by-using-script-rex.adoc[leveloffset=+1]
+
+include::modules/proc_deploying-a-ca-certificate-on-a-host-by-using-ansible-rex.adoc[leveloffset=+1]
+
+include::modules/proc_deploying-a-ca-certificate-on-a-host-manually.adoc[leveloffset=+1]

guides/common/modules/con_refreshing-ca-certificates-on-hosts.adoc

@@ -0,0 +1,4 @@
+[id="refreshing-ca-certificates-on-hosts"]
+= Refreshing CA certificates on hosts
+
+When you change the CA certificate on your {ProjectServer}, you must refresh the public SSL key of the CA certificate on your hosts.

guides/common/modules/proc_deploying-a-ca-certificate-on-a-host-by-using-ansible-rex.adoc

@@ -0,0 +1,39 @@
+[id="deploying-a-ca-certificate-on-a-host-by-using-ansible-rex"]
+= Deploying a CA certificate on a host by using Ansible REX
+
+You can use remote execution (REX) with the Ansible provider to deploy the CA certificate.
+Redeploy the CA certificate when you change it on {ProjectServer}.
+
+.Prerequisites
+* The host is registered to {Project}.
+* Remote execution is enabled on the host.
+
+.Procedure
+. In the {ProjectWebUI}, navigate to *Monitor* > *Jobs*.
+. Click *Run Job*.
+. From the *Job category* list, select `Ansible Commands`.
+. From the *Job template* list, select `Download and execute a script`.
+. Click *Next*.
+. Select hosts on which you want to execute the job.
+. In the *url* field, enter the following URL:
++
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+http://_{foreman-example-com}_/unattended/public/foreman_ca_refresh
+----
++
+Replace _{foreman-example-com}_ with the hostname of your {ProjectServer}.
+. Optional: Click *Next* and configure advanced fields and scheduling as you require.
+. Click *Run on selected hosts*.
+
+.Verification
+* The following command succeeds on your host:
++
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+curl https://_{foreman-example-com}_
+----
+
+[role="_additional-resources"]
+.Additional resources
+* xref:executing-a-remote-job_managing-hosts[]

guides/common/modules/proc_deploying-a-ca-certificate-on-a-host-by-using-script-rex.adoc

@@ -0,0 +1,39 @@
+[id="deploying-a-ca-certificate-on-a-host-by-using-script-rex"]
+= Deploying a CA certificate on a host by using Script REX
+
+You can use remote execution (REX) with the Script provider to deploy the CA certificate.
+Redeploy the CA certificate when you change it on {ProjectServer}.
+
+.Prerequisites
+* The host is registered to {Project}.
+* Remote execution is enabled on the host.
+
+.Procedure
+. In the {ProjectWebUI}, navigate to *Monitor* > *Jobs*.
+. Click *Run Job*.
+. From the *Job category* list, select `Commands`.
+. From the *Job template* list, select `Download and run a script`.
+. Click *Next*.
+. Select hosts on which you want to execute the job.
+. In the *url* field, enter the following URL:
++
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+http://_{foreman-example-com}_/unattended/public/foreman_ca_refresh
+----
++
+Replace _{foreman-example-com}_ with the hostname of your {ProjectServer}.
+. Optional: Click *Next* and configure advanced fields and scheduling as you require.
+. Click *Run on selected hosts*.
+
+.Verification
+* The following command succeeds on your host:
++
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+curl https://_{foreman-example-com}_
+----
+
+[role="_additional-resources"]
+.Additional resources
+* xref:executing-a-remote-job_managing-hosts[]

guides/common/modules/proc_deploying-a-ca-certificate-on-a-host-manually.adoc

@@ -0,0 +1,57 @@
+[id="deploying-a-ca-certificate-on-a-host-manually"]
+= Deploying a CA certificate on a host manually
+
+You can deploy the CA certificate on the host manually by rendering a public provisioning template, which will provide the certificate to your host.
+Redeploy the CA certificate when you change it on {ProjectServer}.
+
+.Prerequisites
+* You have root access on your host.
+
+.Procedure
+. Log in to you host by using SSH.
+. Download the certificate on your host:
++
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+curl -o "foreman_ca_cert.crt" http://_{foreman-example-com}_/unattended/public/foreman_raw_ca
+----
++
+Replace _{foreman-example-com}_ with the hostname of your {ProjectServer}.
+. Copy the certificate to the trust store:
+ifdef::client-content-dnf[]
+* On {EL}:
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+cp foreman_ca_cert.crt /etc/pki/ca-trust/source/anchors
+----
+endif::[]
+ifdef::client-content-apt[]
+* On {DL}:
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+cp foreman_ca_cert.crt /usr/local/share/ca-certificates/
+----
+endif::[]
+. Update the cert store:
+ifdef::client-content-dnf[]
+* On {EL}:
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+update-ca-trust
+----
+endif::[]
+ifdef::client-content-apt[]
+* On {DL}:
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+update-ca-certificates
+----
+endif::[]
+
+.Verification
+* The following command succeeds on your host:
++
+[options="nowrap" subs="+quotes,verbatim,attributes"]
+----
+curl https://_{foreman-example-com}_
+----

guides/doc-Managing_Hosts/master.adoc

@@ -25,6 +25,8 @@ include::common/assembly_registering-hosts.adoc[leveloffset=+1]
 
 include::common/assembly_managing-network-interfaces.adoc[leveloffset=+1]
 
+include::common/assembly_refreshing-ca-certificates-on-hosts.adoc[leveloffset=+1]
+
 include::common/modules/proc_upgrading-hosts-to-next-major-release.adoc[leveloffset=+1]
 
 include::common/assembly_converting-a-host-to-rhel.adoc[leveloffset=+1]