Solve On-Premises: Replace Certificate


By default, Solve On-Premises (SOP) creates its own self-signed certificate once you deploy a new SOP appliance. When connecting to the SOP server from the browser, a warning message indicates that the certificate is not valid for the site.
SOP sign in page showing error message "Your connection to this site isn't secure"

Instead of using the self-signed certificate, we recommend using a certificate from a trusted certificate authority (CA). In this article, we show you how to replace the self-signed certificate with one issued by a trusted certificate authority. There are several ways to perform this task. Our recommended steps are outlined below.

How to Replace a Certificate

  1. SSH into your SOP server with the user cuadmin. Use the password you provided during the OVA deployment.

    Important

    Note that the root user is deactivated by default from version 8.6 and higher.

  2. Run hostname to get the fully-qualified domain name (FQDN) of the machine.

    cuadmin@sib_server [ ~ ]$ hostname
    sib_server.AD2012.LOC
    
  3. In your DNS configuration, create an A Record and make sure the hostname resolves.
     DNS configuration showing hostname file

    Ping the hostname of the SOP server to verify that it can be resolved. Because the ICMP protocol is deactivated on the SOP server, you will not receive a reply; the DNS configuration is correct if the IP address of the SOP machine is displayed correctly.
    command prompt displaying IP address of the SOP machine

  4. Download the attached file openssl-san.cnf and replace the hostname and the DNS entries in the red-marked fields. Once done, copy the file to the /tmp folder of your SOP server using WinSCP or any other file transfer tool.
    openssl-san.cnf file with hostname and DNS entries in red-marked fields

    openssl-san.cnf

    Note

    If the connection to the SOP server from WinSCP is refused, restart the sshd service by running the following command on the SOP server:

    systemctl restart sshd
    
  5. Once you have uploaded the file to the /tmp folder, run the following commands on the SOP machine:

    cuadmin@sib_server [ ~ ]$ cd /tmp
    openssl req -newkey rsa:2048 -subj "/C=US/ST=FL/L=MI/O=CU/CN=sib_server.AD2012.LOC/" -nodes -sha256 -keyout server.key -out server.csr -config openssl-san.cnf
    

    Change the -subj parameter values to match what you entered in the .cnf file. Make sure to use server as the base name for the CSR and key files (server.csr and server.key).

  6. The following message confirms that the private key has been generated:
    command prompt displaying message "generating a RSA private key"

  7. Verify that both files, server.key and server.csr, have been created.
    command prompt displaying server.key and server.csr files

  8. Submit server.csr to your Certificate Authority. Create a certificate from your Enterprise CA or preferred public CA and make sure that you use a Web Server certificate template. Make sure to download the certificate Base64 encoded.

    In our case, we use AD CS Web Enrollment to create the web server certificate.
    submit a certificate or renewal request dialog box

    Copy the certificate request, submit and create the certificate.
    certificate request text copied to command prompt window

  9. Rename the certificate file to server.crt and copy the key file from the appliance.
    certificate file renamed to server.crt in download window

  10. Back up the original files. From the Solve web interface, navigate to Settings > Export Certificate. Download the generated ZIP to the local disk of your computer.
    Solve Settings pages with Export Certificate button selected

  11. Click Upload Certificate and upload the certificate and private key files. The files you upload must be named server.crt and server.key or else the upload will fail.
    Upload Certificate button displaying server.crt and server.key

  12. Log in to the SOP web interface and check if the certificate is shown as valid.
    SOP sign in page showing message "this site has a valid certificate issued by a trusted authority"

You have successfully replaced the default self-signed certificate on your SOP machine with a certificate from a trusted authority.
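As an added example (not from the Solve article and not part of the SOP appliance), the shell script below builds a SAN request config in the spirit of openssl-san.cnf, runs the step 5 command, and adds two checks worth doing before step 11: that the CSR really carries the SAN entry and that the issued server.crt belongs to server.key. It assumes openssl is installed; the hostname and -subj values are the ones from the article, while the config layout is an assumption, since the attached openssl-san.cnf is not shown.

```shell
#!/bin/sh
# Added example (not the article's own file): SAN request config, key/CSR
# generation as in step 5, and pre-upload checks for step 11.
# Assumes openssl is installed. FQDN defaults to the article's hostname;
# the config section layout is assumed, not copied from openssl-san.cnf.
set -eu

FQDN="${FQDN:-sib_server.AD2012.LOC}"   # value from step 2 (hostname)
WORKDIR="${WORKDIR:-/tmp}"

# Write a request config: the subjectAltName extension is what browsers
# check, so the FQDN (and its short name) must appear under [alt_names].
write_san_config() {
    cat > "$WORKDIR/openssl-san.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $FQDN
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $FQDN
DNS.2 = ${FQDN%%.*}
EOF
}

# Step 5: private key + CSR. The -subj CN must match the config CN.
make_csr() {
    write_san_config
    openssl req -newkey rsa:2048 -subj "/C=US/ST=FL/L=MI/O=CU/CN=$FQDN/" \
        -nodes -sha256 -keyout "$WORKDIR/server.key" \
        -out "$WORKDIR/server.csr" -config "$WORKDIR/openssl-san.cnf" 2>/dev/null
}

# Check that the CSR actually carries the SAN for the FQDN; a CA that
# copies request extensions will then issue a cert valid for the site.
csr_has_san() {
    openssl req -in "$WORKDIR/server.csr" -noout -text | grep -q "DNS:$FQDN"
}

# Before uploading (step 11): confirm server.crt was issued for this
# server.key, otherwise the appliance receives a mismatched pair.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/server.key" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}
```

Run make_csr, submit the resulting server.csr as in step 8, place the downloaded certificate as server.crt in the same folder, and run cert_matches_key before uploading both files.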