Feature Request
Resolution: Unresolved
Critical
sat-endeavour
Problem Statement
The current Red Hat Satellite documentation (linked below) for refreshing self-signed CA certificates on hosts using Remote Execution (ReX) does not explicitly clarify the correct procedure for hosts registered to a Capsule server.
The documented steps assume that the host is registered directly to the Satellite Server and reference only the Satellite URL in the job execution step. This can lead to confusion for customers and support engineers when managing hosts registered to a Capsule, where the CA refresh workflow and endpoint expectations are different.
Clarifying this is important to prevent failed executions or incorrect assumptions during certificate renewal.
User Experience & Workflow
- A user changes or renews the self-signed CA certificate on the Red Hat Satellite Server and Capsule server.
- The user refers to the documentation below to refresh CA certificates on managed hosts using Remote Execution:
https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html-single/managing_hosts/index#refreshing-the-self-signed-ca-certificate-on-hosts
- The user has a mixed environment where some hosts are registered directly to Satellite, and others are registered to a Capsule.
- The documentation currently instructs users to execute a job using the Satellite Server URL, without explicitly stating how this applies to hosts registered to a Capsule.
- While the documented steps worked correctly for hosts directly connected to the Satellite Server, the same steps failed for hosts that were registered through the Capsule Server.
Requirements
- Explicit clarification on whether it is supported and achievable to deploy or refresh the CA certificate on hosts registered to a Capsule server using Remote Execution (ReX)
- If supported, provide clear, step-by-step instructions for performing the CA certificate deployment or refresh on Capsule-registered hosts
- Specify which endpoint or URL (Satellite or Capsule) must be used when executing the ReX job for Capsule-registered hosts
- Clearly document any differences, prerequisites, or limitations compared to hosts registered directly to the Satellite Server
Business Impact
Without this documentation enhancement:
- Customers may attempt to refresh CA certificates using incorrect endpoints for Capsule-registered hosts
- Remote execution jobs may fail or behave unexpectedly
- Support cases and escalations may increase due to unclear documentation
- Support engineers must repeatedly clarify undocumented behavior during CA renewals
Improving this documentation will reduce confusion, prevent misconfiguration, and improve the customer experience during CA certificate maintenance in Capsule-based environments.