How to change the Insights Certificate
Issue Description
If a certificate is expired or the wrong certificate is used for Insights, it may need to be changed. Insights has its own mechanism for changing its certificate.
Changing the Certificate
- All the following steps should be done on the Insights Server.
- Important: The new certificate must support the original hostname of Insights.
- Make sure that a PFX file is available for the certificate. Also note that modern browsers require the certificate to carry a Subject Alternative Name (SAN) entry that maps to the certificate subject name.
- The PFX file can be generated with the help of your network admin. We do not recommend using a self-signed certificate, but if one is needed, see the section "Generating a Domain Certificate through MMC via a Domain Certificate Authority".
- Once the PFX file is generated, import it into the Personal store. If the certificate was generated via MMC, it will already be there.
- See here
- In the above step, instead of importing the certificate into Trusted Root, import it into the "Personal" node.
- Additionally, the password for the PFX will need to be entered to import the certificate.
- After importing the certificate into the Personal node, right-click the certificate and select 'Open'. Then go to the Details section and select 'Copy To File'.
- When asked whether the private key should be exported, select 'No'.
- When asked for the file type, select 'Base-64 encoded X.509 (.CER)'.
- If the PFX file was generated via MMC, redo the above step, but export the private keys. Also the format will be pre-set.
- Once the .CER file and the PFX file have been generated, go to http://localhost:3030.
- On the webpage, in the Update Certificate section, select 'Browse'.
- Select the PFX file and enter its password. When done, select 'Upload'.
- After the upload is complete, the SSL certificate will need to be added. Open the .CER file that was created in step 5 in Notepad.
- Copy the contents exactly and paste them into the 'SSL Certificate' section.
- After this is done, select 'Save'.
- After this is done, double-click the .CER file and import it into Trusted Root. See here
- Insights needs the public certificate to be in Trusted Root.
- Try going to https://InsightsURL. If it loads, then everything is complete.
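The steps above, carried out from an elevated PowerShell prompt on the Insights server, as an added example that is not part of the original article and not a script shipped with Insights. It imports the PFX into the Personal (My) store, checks the expiry and the SAN against the Insights hostname before anything is uploaded, writes the Base-64 .CER whose contents go into the 'SSL Certificate' field, adds that public certificate to Trusted Root, and (with -VerifyOnly, after you have saved the settings at http://localhost:3030) performs the final https check. The file paths and the hostname insights.domain.local are assumed values; replace them with your own.

```powershell
# Added example (not the article's or the product's own tooling). Run elevated on the Insights server.
param(
    [string]$PfxPath      = 'C:\certs\insights.pfx',    # assumption: PFX from your network admin or MMC
    [string]$CerPath      = 'C:\certs\insights.cer',    # assumption: where the Base-64 .CER is written
    [string]$InsightsHost = 'insights.domain.local',    # assumption: the original Insights hostname
    [switch]$VerifyOnly                                  # only run the final https check
)

# Final check from the article: if https://InsightsURL loads, the change is complete.
# Invoke-WebRequest fails on an untrusted chain or a name mismatch, which is what we want to catch.
function Test-InsightsTls([string]$HostName) {
    try {
        $resp = Invoke-WebRequest -Uri "https://$HostName" -UseBasicParsing
        Write-Host "https://$HostName returned HTTP $($resp.StatusCode); certificate change complete."
        return $true
    } catch {
        Write-Warning "https://$HostName failed: $($_.Exception.Message)"
        return $false
    }
}

if ($VerifyOnly) { Test-InsightsTls -HostName $InsightsHost; return }

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import the PFX into the Personal (My) store of the computer account.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword -Exportable

# 2. Sanity checks before the Insights configuration is touched.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); obtain a new one before continuing."
}
if (-not $cert.HasPrivateKey) {
    throw 'The PFX carried no private key; Insights cannot serve TLS with it.'
}

# Subject Alternative Name is OID 2.5.29.17; browsers ignore the CN once a SAN is present.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) {
    throw 'Certificate has no SAN extension; modern browsers will reject it.'
}
$dnsNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
    ForEach-Object { $_.Groups[1].Value }
# -ilike lets a wildcard entry such as *.domain.local match; it is slightly looser than
# strict RFC 6125 matching, which is acceptable for a pre-flight check.
$covered = $dnsNames | Where-Object { $InsightsHost -ilike $_ }
if (-not $covered) {
    throw "SAN entries [$($dnsNames -join ', ')] do not cover $InsightsHost."
}

# 3. Export the public certificate only, as Base-64 encoded X.509 (.CER), i.e. the same
#    output as 'Copy To File' with the private key NOT exported.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $CerPath -Value $pem -Encoding Ascii

# 4. Insights needs the public certificate in Trusted Root as well.
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($publicCert)     # no-op if the certificate is already present
$root.Close()

Write-Host "Thumbprint $($cert.Thumbprint) imported into Personal and Trusted Root."
Write-Host "Next: upload $PfxPath at http://localhost:3030, paste the contents of $CerPath into 'SSL Certificate', Save,"
Write-Host "then re-run this script with -VerifyOnly."
```

The ordering mirrors the article: the PFX and its password go to the Update Certificate section, the .CER text goes to the 'SSL Certificate' field, and the public certificate must also sit in Trusted Root. Running the SAN and expiry checks first avoids discovering a hostname mismatch only after the browser refuses the new certificate.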
Generating a Domain Certificate through MMC via a Domain Certificate Authority
- Note: This requires the network to have a domain server that can issue certificates.
- Open the Manage Computer Certificates app: Start -> Run -> type certlm.msc and click OK.
- Right-click the Personal node -> All Tasks -> Advanced Operations -> Custom Request -> click Next in the welcome screen.
- In "Select Certificate Enrollment Policy" choose "Active Directory Enrollment Policy".
- In the next screen, pick a certificate template designated for web server use. It should be called "Web Server" or "Web.SAN", but its name may vary. Then choose "Request Format" -> "PKCS #10".
- In "Certificate Information", click on the "Details" of the request and then click "Properties" button to customize the certificate request as follows:
- Customize the info from the tab "Subject"
- In the group "Subject name", choose Type -> Common Name and Value -> the fully qualified domain name of the machine (FQDN), e.g. myhost.domain.local. Then click Add.
- In the group "Alternative name", choose Type -> DNS and Value -> the machine's FQDN (the same as above). Then click Add.
- If Orchestrator will be installed on multiple nodes, you need to add all these FQDNs as in the above point. Also add the FQDN of the load balancer.
- Customize the info from the tab "Private Key"
- In "Cryptographic Service Provider", go to "Select cryptographic service provider (CSP)" and check "Microsoft RSA SChannel Cryptographic Provider (Encryption)".
- In "Key options", make sure the "Key Size" field is set to at least 2048 and "Make private key exportable" is checked.
- In "Key type", make sure "Key usage" is set to "Exchange".
- Click on "OK" button of the configuration window and "Next" in the "Certificate Information" screen.
- In the next screen, choose "File format" -> "Base 64" and a file name of your choice, e.g. C:\Users\YourUser\Documents\sslRequest.req
- After the enrollment request gets accepted (on the Authority side), the certificate will be visible in the Personal store.
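The same request the MMC wizard builds, written as a certreq.exe INF file so every setting above (CN and DNS SAN, the RSA SChannel provider, a 2048-bit exportable Exchange key, Base-64 PKCS #10) is explicit and reviewable. This is an added example, not part of the original article; the FQDN myhost.domain.local, the template name WebServer, and the file paths are assumptions, and $extraHosts is where additional node or load-balancer FQDNs go. Run it from an elevated PowerShell prompt on the machine that will hold the key.

```powershell
# Added example (not the article's own procedure): certreq.exe equivalent of the MMC custom request.
$fqdn        = 'myhost.domain.local'                        # assumption: this machine's FQDN
$extraHosts  = @()                                          # assumption: other nodes / load balancer, e.g. @('lb.domain.local')
$template    = 'WebServer'                                  # assumption: your CA may call it Web.SAN or similar
$docs        = "$env:USERPROFILE\Documents"
$infPath     = "$docs\sslRequest.inf"
$requestPath = "$docs\sslRequest.req"
$issuedPath  = "$docs\issued.cer"

# SAN entries as dns= pairs joined by '&' (the {text} form certreq expects for OID 2.5.29.17).
$sanList = (@($fqdn) + $extraHosts | ForEach-Object { "dns=$_" }) -join '&'

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048                ; "Key Size" at least 2048
KeySpec = 1                     ; AT_KEYEXCHANGE, i.e. "Key usage: Exchange"
KeyUsage = 0xA0                 ; digital signature + key encipherment
Exportable = TRUE               ; "Make private key exportable"
MachineKeySet = TRUE            ; key is created in the computer store (certlm), not the user's
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12               ; PROV_RSA_SCHANNEL
HashAlgorithm = sha256
RequestType = PKCS10            ; "Request Format" -> "PKCS #10"

[Extensions]
2.5.29.17 = "{text}"            ; Subject Alternative Name
_continue_ = "$sanList&"

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Build the Base-64 PKCS #10 request; the private key is generated now and waits in the
# machine store until the issued certificate is accepted.
certreq.exe -new $infPath $requestPath

# Submit to the domain CA (certreq shows a picker if more than one enterprise CA exists).
# If the CA requires manager approval the output says "Taken Under Submission" with a RequestId;
# once approved, fetch it with: certreq.exe -retrieve <RequestId> $issuedPath
certreq.exe -submit $requestPath $issuedPath

# Accepting binds the issued certificate to the pending private key, which is the moment
# the article refers to: the certificate becomes visible in the Personal store.
if (Test-Path $issuedPath) {
    certreq.exe -accept $issuedPath

    $issued = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $issued) { throw "No certificate with a private key for CN=$fqdn found in Personal." }

    Write-Host "Issued: $($issued.Thumbprint), valid until $($issued.NotAfter)"
    Write-Host ("SAN: " + (($issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)))

    # The PFX (private key included) that the "Changing the Certificate" procedure uploads.
    $pfxPassword = Read-Host -Prompt 'Password for the new PFX' -AsSecureString
    Export-PfxCertificate -Cert $issued -FilePath "$docs\insights.pfx" -Password $pfxPassword | Out-Null
    Write-Host "PFX written to $docs\insights.pfx"
}
```

Keeping the request in an INF file makes it easy to confirm that every hostname the server answers on is in the SAN before the CA signs anything, which is the failure the article warns about when it notes that browsers require a SAN matching the name being requested.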