Feature Request
Resolution: Unresolved
Problem Statement
As a Satellite administrator using custom SSL certificates, I'd like to persistently configure RHSM on my registered hosts with a custom trust anchor (e.g. the OS trust store where the enterprise internal root CA certificate is already configured and maintained).
User Experience & Workflow
In the current configuration, the trust anchor for RHSM is defined by Satellite using the repo_ca_cert directive in /etc/rhsm/rhsm.conf. An administrator can customize this value, but Satellite will eventually override it (e.g. if the katello-rhsm-consumer script is executed, if the katello-ca-consumer RPM is re-installed, or by the global registration subscription_manager_setup snippet if the host gets re-registered).
In the desired configuration, Satellite would check if the value of the repo_ca_cert directive in /etc/rhsm/rhsm.conf has been customized and, if that's the case, leave the administrator-defined value as is.
Business Impact
The strategic goal is to minimize the changes needed on the fleet of registered hosts in the event a change in the chain of trust happens over time.
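The check described under "User Experience & Workflow", sketched as an added example (this is not code from Satellite, katello-rhsm-consumer or the registration snippet). The function names are hypothetical, the sample file is constructed, and the Satellite-managed value is passed in by the caller because the request does not state it.

```shell
#!/bin/sh
# Added example: only write repo_ca_cert when the host still has no value or
# the managed one; an administrator-defined trust anchor is left untouched.

# Print the repo_ca_cert value from the [rhsm] section (empty if unset).
# Commented-out lines and other sections are ignored.
get_repo_ca_cert() {
    awk '
        /^\[/ { in_rhsm = ($0 ~ /^\[rhsm\]/) }
        in_rhsm && /^[ \t]*repo_ca_cert[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# set_repo_ca_cert_unless_custom CONF MANAGED_VALUE
# Returns 0 if CONF holds MANAGED_VALUE afterwards,
#         1 if a customized value was found and preserved,
#         2 on I/O failure.
set_repo_ca_cert_unless_custom() {
    conf=$1
    managed=$2
    current=$(get_repo_ca_cert "$conf")
    if [ -n "$current" ] && [ "$current" != "$managed" ]; then
        echo "repo_ca_cert customized ($current); leaving as is" >&2
        return 1
    fi
    if [ "$current" = "$managed" ]; then
        return 0
    fi
    # Directive is unset: add it directly under the [rhsm] header.
    tmp=$(mktemp) || return 2
    awk -v v="$managed" '{ print } /^\[rhsm\]/ { print "repo_ca_cert = " v }' \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    # cat into place keeps the original file's owner, mode and SELinux label.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    return 0
}

# Constructed sample: write a minimal rhsm.conf-style file to $1, with
# repo_ca_cert set to $2 (directive omitted when $2 is empty).
make_sample_conf() {
    {
        printf '[server]\nhostname = satellite.example.com\n[rhsm]\n'
        printf 'baseurl = https://satellite.example.com/pulp/content\n'
        if [ -n "$2" ]; then printf 'repo_ca_cert = %s\n' "$2"; fi
    } > "$1"
}
```

A non-zero return for the preserved case lets a calling script log the skip instead of silently diverging from the managed configuration.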