How to Change the Insights Certificate


Issue Description

If a certificate is expired or the wrong certificate is used for Insights it may need to be changed. Insights has its own mechanism for changing its certificate.


Changing the Certificate

  1. All the following steps should be done on the Insights Server.
  2. Important: The new certificate must support the original hostname of Insights.
  3. Make sure that a PFX is available for the certificate. Also note that modern browsers require that a certificate have a SAN attribute that maps to the certificate subject name.
  4. The PFX file can be generated with the help of your network admin. We do not recommend using a self-signed certificate, but if needed, please see the section "Generating a Domain Certificate through MMC via a Domain Certificate Authority".
  5. Once the PFX file is generated, import it into the Personal store. If the cert was generated via MMC, it will already be there.
    • See here
    • In the above step, instead of importing the certificate to trusted root, import it to the "Personal" Node.
    • Additionally, the password for the PFX will need to be entered to import the certificate.
  6. After importing the certificate into the personal node, right click the certificate and select 'Open'. Then go to the Details section and select 'Copy To File'.
    • When asked if the private keys should be exported, select 'No'.
    • When asked for the file type, select 'Base-64 encoded X.509 (.CER)'.
  7. If the PFX file was generated via MMC, redo the above step, but export the private keys. Also the format will be pre-set.
  8. Once the .CER file and the PFX file have been generated go to http://localhost:3030
  9. On the webpage in the Update Certificate section, select 'browse'
  10. Select the PFX file and enter the password. When done, select 'Upload'
  11. After the upload is complete, the SSL certificate will need to be added. Open the .CER file that was created in step 5 in Notepad.
  12. Copy the contents exactly and paste it into the section 'SSL Certificate'
  13. After this is done, select 'Save'.
  14. After this is done, double click the .CER file and import it into Trusted Root. See here
    • Insights needs the Public Certificate to be in Trusted Root.
  15. Try going to https://InsightsURL - If it loads, then everything is complete.
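The procedure above, as an added PowerShell example that is not code from the original article or from Insights itself: it checks the PFX against the original hostname before anything is imported (steps 2 and 3), imports it into the Personal store (step 5), writes the Base-64 .CER without the private key (step 6), places that .CER in Trusted Root (step 14) and finally compares the certificate served on the HTTPS port with the one imported (step 15). The PFX path, .CER path, hostname and port 443 are assumptions. The upload and the 'SSL Certificate' paste at http://localhost:3030 (steps 8 to 13) stay a manual step in the web page; the script pauses there.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on the Insights Server. Assumptions: the three values below and port 443.
$PfxPath      = 'C:\certs\insights.pfx'      # assumption: PFX supplied by the network admin
$CerPath      = 'C:\certs\insights.cer'      # assumption: Base-64 .CER written here
$InsightsHost = 'insights.domain.local'      # assumption: the ORIGINAL Insights hostname

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Step 2/3: inspect the PFX before it goes anywhere near a store. The new
# certificate must carry the original hostname in its SAN extension.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $pfxPassword
$cert = $pfx.EndEntityCertificates[0]
if (-not $cert.HasPrivateKey) { throw 'PFX does not contain a private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension (browsers will reject it).' }
$sanText  = $sanExt.Format($false)   # e.g. "DNS Name=insights.domain.local, DNS Name=..."
$sanHosts = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
# A SAN entry covers the host if it is an exact match or a single-label wildcard.
$covered = $sanHosts | Where-Object {
    $_ -ieq $InsightsHost -or
    ($_.StartsWith('*.') -and ($InsightsHost -ilike $_) -and
     ($InsightsHost.Split('.').Count -eq $_.Split('.').Count))
}
if (-not $covered) { throw "SAN [$sanText] does not cover $InsightsHost." }

# Step 5: import into the computer's Personal store with the private key.
$imported = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My -Exportable

# Step 6: 'Copy To File' as Base-64 encoded X.509, private key NOT exported.
# RawData is the public certificate only, so no key material is written out.
$b64 = [Convert]::ToBase64String($imported.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $CerPath -Value $pem -Encoding Ascii -NoNewline

# Steps 8-13 happen in the browser; pause so they can be done now.
Write-Host "Upload $PfxPath and paste the contents of $CerPath at http://localhost:3030, then press Enter."
Read-Host | Out-Null

# Step 14: Insights needs the public certificate in Trusted Root.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 15: instead of only checking that the page loads, confirm that the
# certificate actually served on HTTPS is the one just imported.
$tcp = New-Object System.Net.Sockets.TcpClient($InsightsHost, 443)   # assumption: port 443
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })  # trust decided below by thumbprint
$ssl.AuthenticateAsClient($InsightsHost)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

if ($served.Thumbprint -eq $imported.Thumbprint) {
    Write-Host "OK: https://$InsightsHost now serves thumbprint $($served.Thumbprint) (expires $($served.NotAfter))."
} else {
    Write-Warning "https://$InsightsHost still serves $($served.Thumbprint), expected $($imported.Thumbprint). Check the upload and restart Insights."
}
```

The thumbprint comparison at the end is the useful part of the check: a page that "loads" can still be served by the old certificate if the upload was not saved, and the comparison catches that where a browser test with a cached session might not.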

Generating a Domain Certificate through MMC via a Domain Certificate Authority

  1. Note: This requires the network to have a domain server that can issue certificates.
  2. Open Manage Computer Certificates app, from Start->Run->type certlm.msc and OK
  3. Right-click on the Personal node->All Tasks->Advanced Operations->Custom Request->click Next in the welcome screen.
  4. In "Select Certificate Enrollment Policy" choose "Active Directory Enrollment Policy".
  5. In the next screen, pick a certificate template designated for web server use. It should be called "Web Server" or "Web.SAN", but its name may vary. Then choose "Request Format" -> "PKCS #10".
  6. In "Certificate Information", click on the "Details" of the request and then click "Properties" button to customize the certificate request as follows:
  7. Customize the info from the tab "Subject"
    • In the group "Subject name", choose Type -> Common Name and Value -> the fully qualified domain name of the machine (FQDN), e.g. myhost.domain.local. Then click Add.
    • In the group "Alternative name", choose Type -> DNS and Value -> the machine's FQDN (the same as above). Then click Add.
    • If Orchestrator will be installed on multiple nodes, you need to add all these FQDNs as in the above point. Also add the FQDN of the load balancer.
  8. Customize the info from the tab "Private Key"
    • In "Cryptographic Service Provider", go to "Select cryptographic service provider (CSP)" and check "Microsoft RSA SChannel Cryptographic Provider (Encryption)".
    • In "Key options", make sure field "Key Size" is set to at least 2048 and "Make private key exportable" is checked.
    • In "Key type", make sure "Key usage" is set to "Exchange"
  9. Click on "OK" button of the configuration window and "Next" in the "Certificate Information" screen.
  10. In the next screen, choose "File format" -> "Base 64" and a file name of your choice, e.g. C:\Users\YourUser\Documents\sslRequest.req
  11. After the enrollment request gets accepted (on the Authority side), the certificate will be visible in the Personal store.
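The same request, as an added PowerShell example rather than code from the original article: it drives certreq with an .inf file that carries the settings chosen in the MMC steps above (FQDN as Common Name and DNS alternative name, Microsoft RSA SChannel CSP, 2048-bit exportable Exchange key, PKCS #10 format, Base-64 output), submits it to the domain CA and then reads the issued certificate back from the Personal store to confirm the key size, SAN and exportability. The hostname(s), template name, CA config string and file paths are assumptions; the rest is standard certreq syntax.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# (MachineKeySet needs it). Assumptions: the values below.
$fqdn      = 'myhost.domain.local'               # assumption: this machine's FQDN
$extraSans = @()                                 # assumption: other node / load balancer FQDNs, if any
$template  = 'WebServer'                         # assumption: template name as the CA knows it
$caConfig  = 'caserver.domain.local\Domain-CA'   # assumption: "host\CA name" (see certutil -dump)
$docs    = "$env:USERPROFILE\Documents"
$infFile = "$docs\sslRequest.inf"
$reqFile = "$docs\sslRequest.req"
$cerFile = "$docs\sslRequest.cer"

# One _continue_ line per DNS entry, i.e. the "Alternative name" tab in MMC.
$sanLines = ((@($fqdn) + $extraSans) | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"                ; "Subject" tab, Common Name
KeyLength = 2048                    ; "Private Key" tab, Key Size
KeySpec = 1                         ; 1 = AT_KEYEXCHANGE, the "Exchange" key usage
Exportable = TRUE                   ; "Make private key exportable"
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12                   ; PROV_RSA_SCHANNEL
MachineKeySet = TRUE                ; key lives in the computer store
RequestType = PKCS10                ; "Request Format" -> PKCS #10
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"                ; Subject Alternative Name
$sanLines

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path $infFile -Value $inf -Encoding Ascii

# Build the Base-64 request file (the equivalent of step 10 above).
certreq -new $infFile $reqFile

# Submit to the domain CA. If the template requires manager approval the
# request stays pending and certreq prints a RequestId; once the CA accepts it,
# run: certreq -retrieve <RequestId> $cerFile   and then the -accept line.
certreq -submit -config $caConfig $reqFile $cerFile
certreq -accept $cerFile     # binds the issued cert to the pending key in the Personal store

# Read the result back and check it against the requirements in the steps above.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $issued) { throw "No certificate with a private key for CN=$fqdn in the Personal store." }

$san     = ($issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$keySize = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($issued).KeySize
$exportable = $null
if ($issued.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $exportable = $issued.PrivateKey.CspKeyContainerInfo.Exportable   # readable for CAPI (CSP) keys
}

[pscustomobject]@{
    Thumbprint = $issued.Thumbprint
    SAN        = $san
    KeySize    = $keySize
    Exportable = $exportable
    NotAfter   = $issued.NotAfter
}
if ($keySize -lt 2048)                     { Write-Warning 'Key size is below 2048.' }
if ($san -notmatch [regex]::Escape($fqdn)) { Write-Warning "SAN does not list $fqdn." }
if ($exportable -eq $false)                { Write-Warning 'Private key is not exportable; the PFX cannot be produced.' }
```

With the certificate in the Personal store and the key exportable, the PFX for the "Changing the Certificate" section can be exported from the same store (Export-PfxCertificate, or the MMC export with private key described in step 7 of that section).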