  1. Satellite
  2. SAT-42260

Trust on first use (TOFU) when configuring OCP-V ComputeResources


    • Type: Story
    • Resolution: Unresolved

      OCP often uses a self-managed CA to sign the API certificates, which means that a Satellite system by default won't trust those, unless the user provides the right CA certs either in /etc/pki/ca-trust/source/anchors/ or in the ComputeResource creation dialog.

      As obtaining these certificates is non-trivial, as a user I wish that Satellite would help me fetch them when I configure a compute resource (and don't provide a cert myself, obviously).

      The workflow could be as follows:

      • open the "new compute resource" page
      • fill in required details (name, hostname, port, namespace, token) and leave the cert blank
      • clicking "save" will try to validate the connection, fail certificate validation, and return with an error
      • clicking "test connection" will try to validate the connection; when the certificate validation fails, the certs that were offered by the remote are remembered and passed back to the controller with the error message
      • the controller updates the ca_cert field based on the certs that were passed and asks the user to validate and re-test the connection

      For some technical details on how the cert can be obtained and passed around, see SAT-42114

              Assignee: Unassigned
              Reporter: Evgeni Golov (egolov@redhat.com)
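One way the "test connection" step of the workflow above could collect candidate CA certificates when validation fails, as an added example that is not Satellite's code or the approach from SAT-42114. The helper names `make_cert`, `tofu_check`, `fingerprint` and `demo` are hypothetical, and the CA and API certificates are constructed in memory in place of a real OCP endpoint's chain.

```ruby
require 'openssl'

# Constructed sample data: a throwaway certificate builder, used for a private
# CA and an API server cert in place of a real OCP endpoint's chain.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# "Test connection": verify the offered chain. On failure, remember the
# self-signed certs the remote offered as candidates for the ca_cert field.
def tofu_check(leaf, offered, store)
  return { trusted: true, candidates: [] } if store.verify(leaf, offered)
  error = store.error_string
  candidates = offered.select { |c| c.subject == c.issuer && c.verify(c.public_key) }
  { trusted: false, error: error, candidates: candidates }
end

# SHA-256 fingerprint shown to the user, who validates it out of band.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der).scan(/../).join(':')
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=constructed-ocp-ca', ca_key, ca: true)
  leaf = make_cert('/CN=api.ocp.example.test', OpenSSL::PKey::RSA.new(2048),
                   issuer: ca, issuer_key: ca_key)
  offered = [leaf, ca] # chain presented by the remote (constructed)
  first = tofu_check(leaf, offered, OpenSSL::X509::Store.new) # CA not trusted yet
  accepted = OpenSSL::X509::Store.new # trust store after the user accepts
  first[:candidates].each { |c| accepted.add_cert(c) }
  { first: first, second: tofu_check(leaf, offered, accepted), # re-test
    ca_cert: first[:candidates].map(&:to_pem).join, # proposed ca_cert field value
    fingerprints: first[:candidates].map { |c| fingerprint(c) } }
end

puts demo[:fingerprints] if __FILE__ == $PROGRAM_NAME
```

The candidates come from the unauthenticated connection itself, so the fingerprint comparison is the only point at which trust is actually established.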