Insights On-Premises: Replace Certificate

    Article Summary

    By default, Insights On-Premises (IOP) generates its own self-signed certificate when a new IOP appliance is deployed. When you connect to the IOP server from a browser, a warning indicates that the certificate is not valid for the site.

    Instead of the self-signed certificate, we recommend using a certificate issued by a trusted certificate authority (CA). This article shows how to replace the self-signed certificate with a CA-issued one. There are several ways to do this; our recommended steps are outlined below.

    How to Replace a Certificate

    1. SSH into the IOP server. Log in as the user cuadmin with the password you set during the OVA deployment.

      Important

      For security reasons, the root account is disabled by default in version 8.6 and later.

    2. Run hostname to get the fully qualified domain name (FQDN) of the IOP machine.

      cuadmin@iopserver [ ~ ]$ hostname
      iopserver.AD2012.LOC
      
    3. In your DNS configuration, create an A record for that FQDN pointing to the IP address of the IOP server, and make sure the name resolves.

      Ping the hostname of the IOP server to verify that it resolves. ICMP is blocked on the IOP server, so ping will not receive replies; the DNS configuration is correct if ping shows the IP address of the IOP machine.

    4. Download the attached file openssl-san.cnf and replace the hostname and the DNS entries (the fields marked in red) with the FQDN from step 2 and any other names clients will use to reach the server. The names listed in the subjectAltName section are the ones browsers check, so the FQDN must appear there as well as in the subject.

      openssl-san.cnf

    5. Copy the edited file to the /tmp folder of your IOP server using WinSCP or any other SCP/SFTP tool.

    6. Once the file is in /tmp, run the following commands on the IOP machine:

      cuadmin@iopserver [ ~ ]$ cd /tmp
      cuadmin@iopserver [ /tmp ]$ openssl req -newkey rsa:2048 -subj "/C=US/ST=FL/L=MI/O=CU/CN=iopserver.AD2012.LOC/" -nodes -sha256 -keyout server.key -out server.csr -config openssl-san.cnf

      Change the -subj values to match what you entered in the .cnf file; the CN must be the FQDN from step 2. Keep server as the base name for the CSR and key files, because the later steps expect server.key and server.crt. Note that -nodes writes the private key unencrypted, so leave it readable only by its owner and keep it on the IOP server.

    7. The private key and the certificate signing request are generated when the command completes without errors.

    8. Verify that both files, server.key and server.csr, now exist in /tmp.

    9. Submit server.csr to your certificate authority. Request the certificate from your enterprise CA or preferred public CA using a Web Server template (one that grants the Server Authentication extended key usage), and download the issued certificate Base64 encoded.

      In our case, we use AD CS Web Enrollment to create the web server certificate: paste the contents of server.csr into the request form, select the Web Server template, and submit the request.

    Important

    Make sure you download the certificate in Base64 encoding, not DER; the proxy's nginx expects a PEM file.

    10. On the IOP server, back up the original certificate and private key in /opt/iop_volumes/config/iop_proxy/ssl. Change to that directory and run:

      sudo mv server.crt server.crt.bak
      sudo mv server.key server.key.bak

    11. On the machine where you stored the issued certificate, rename it to server.crt and copy it to the /tmp directory on the IOP server, next to the server.key generated in step 6. If you also copied server.key to your workstation, copy it back so that both files are in /tmp.

    12. Move the server.crt and server.key files to the /opt/iop_volumes/config/iop_proxy/ssl folder:

      cd /tmp
      sudo mv server.crt /opt/iop_volumes/config/iop_proxy/ssl
      sudo mv server.key /opt/iop_volumes/config/iop_proxy/ssl

      The moved files keep the ownership and permissions they had in /tmp. Make sure they match the backed-up originals so that the proxy can read them and the private key is not world-readable.

    13. Reload nginx in the proxy container so that it picks up the new files:

      sudo docker container exec iop_proxy nginx -s reload

      If nginx rejects the new certificate or key (for example, a DER-encoded certificate or a key that does not belong to the certificate), the reload fails and the previous certificate stays in use; check the iop_proxy container logs for the error.

    14. Check that the certificate is valid by opening Insights again over HTTPS. The browser should no longer warn, and the certificate it shows should be issued by your CA with the FQDN from step 2 listed as a Subject Alternative Name.
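    The whole procedure above, as an added example that is not code from the article or the IOP product: it writes an OpenSSL request config with a subjectAltName, generates the key and CSR, checks the issued certificate against the key, the hostname and its expiry before anything is touched, and then performs the same backup, move and nginx reload as the steps above. The config layout, the function names, the extra short-name SAN and the pre-install checks are my assumptions; the vendor's attached openssl-san.cnf is not reproduced here, and the paths and container name are the article's.

```shell
#!/usr/bin/env bash
# Added example, not from the article or the IOP product: generate a CSR whose
# subjectAltName carries the IOP FQDN, check the issued certificate before
# touching the proxy, then install it the way the article does.
# Assumed: OpenSSL 1.1 or later, bash, and the article's paths/container name.
set -euo pipefail

SSL_DIR=/opt/iop_volumes/config/iop_proxy/ssl   # from the article
CONTAINER=iop_proxy                              # from the article

# Write an OpenSSL request config (assumed layout). The first name is the CN
# and every name (CN plus extras) goes into subjectAltName, which browsers check.
write_san_config() {          # $1 = output file, $2 = FQDN (CN), $3.. = more DNS names
  local out=$1 cn=$2 i=1 name
  shift 2
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
    printf '[dn]\nCN = %s\n\n' "$cn"
    printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    for name in "$cn" "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$out"
}

# Private key and CSR; -nodes leaves the key unencrypted, so restrict it at once.
make_csr() {                  # $1 = config, $2 = key out, $3 = csr out
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1" -keyout "$2" -out "$3" 2>/dev/null
  chmod 600 "$2"
}

# DNS names requested in a CSR, one per line: eyeball these before submitting.
csr_sans() {                  # $1 = csr
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# The issued certificate must wrap the public key of the key we generated.
cert_matches_key() {          # $1 = cert, $2 = key
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Does the certificate cover the name users will type? This catches a CA that
# issued from the subject only and dropped the SAN extension from the request.
cert_covers_host() {          # $1 = cert, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep 'does match' >/dev/null
}

# Refuse certificates that expire within $2 days (checkend takes seconds).
cert_valid_for_days() {       # $1 = cert, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The article's install step with the checks in front: back up the current
# pair, move the new pair in, keep the key owner-readable only.
install_cert() {              # $1 = cert, $2 = key, $3 = fqdn, $4 = ssl dir (default SSL_DIR)
  local cert=$1 key=$2 fqdn=$3 dir=${4:-$SSL_DIR} ts
  cert_matches_key "$cert" "$key"   || { echo "refusing: cert does not match key" >&2; return 1; }
  cert_covers_host "$cert" "$fqdn"  || { echo "refusing: cert does not cover $fqdn" >&2; return 1; }
  cert_valid_for_days "$cert" 1     || { echo "refusing: cert expires within a day" >&2; return 1; }
  ts=$(date +%Y%m%d%H%M%S)
  [ -f "$dir/server.crt" ] && mv "$dir/server.crt" "$dir/server.crt.bak.$ts"
  [ -f "$dir/server.key" ] && mv "$dir/server.key" "$dir/server.key.bak.$ts"
  mv "$cert" "$dir/server.crt"
  mv "$key"  "$dir/server.key"
  chmod 644 "$dir/server.crt"
  chmod 600 "$dir/server.key"
}

# Ask nginx inside the proxy container to validate the config, then reload.
# If -t fails the reload is skipped and the old certificate stays in service.
reload_proxy() {
  sudo docker container exec "$CONTAINER" nginx -t &&
  sudo docker container exec "$CONTAINER" nginx -s reload
}

# Usage on the IOP server, from /tmp:
#   IOP_DEMO=1 ./replace-cert.sh    -> writes openssl-san.cnf, server.key, server.csr
#   (submit server.csr to the CA, save the Base64 certificate as server.crt, then)
#   install_cert server.crt server.key iopserver.AD2012.LOC && reload_proxy
demo() {
  # "iopserver" as a second SAN is an assumed extra, not something the article requires
  write_san_config openssl-san.cnf iopserver.AD2012.LOC iopserver
  make_csr openssl-san.cnf server.key server.csr
  echo "SANs in server.csr:"; csr_sans server.csr
}
if [ "${IOP_DEMO:-}" = 1 ]; then demo; fi
```

    The three checks in install_cert are the ones worth running before step 13: a certificate for the wrong key or a certificate without the FQDN in its SAN will both pass a naive file copy and only surface as a failed reload or a browser warning afterwards.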

    In this article, you learned how to replace the self-signed certificate with a certificate issued by a trusted certificate authority.

