Description of problem:

In Section "6.3. Deploying the CA certificate on a host manually" , we document how to use the foreman_raw_ca endpoint of satellite to download the updated CA certificate and add it to the CA trust of the client system. 

But, We missed something important. The existing /etc/rhsm/ca/katello-server-ca.pem would still be having bad CA cert and is still being used by rhsm as well as yum\dnf. 

So there should be some step present\added to copy the new cert in /etc/rhsm/ca/katello-server-ca.pem , and do a chmod 644 on the same, or else both sub-man and yum\dnf may fall to work as expected.

Please consult with the respective team and then add the related steps.

Business Impact / Additional info:

Missing steps leading to bad customer experience for several client systems during CA renewal or CA cert change