Migrating service to new hardware, Console SAML won’t behave

Continuing from this post, WebUI and Web Reports now behave just fine along with web-based SAML authentication (which, according to my understanding, depends on the WebUI), but trying to log in to the Console via SAML authentication fails due to the ServerSigningCertificate (in the ADMINSETTINGS database table) still referring to the old server name.

So, it now looks like we need to replace/rotate the Server Signing Certificate. Anyone know how to do that? Is that something that .\BESAdmin.exe /rotateserversigningkey might do?

Calling out @JasonWalker and @atlauren since they were both helpful in the earlier post. :smiley:

No, in this case, you want to update the certificate presented by the Root Server on port 52311, which the Console connects to.
You could create your own certificate with the correct CN: http://10.134.132.39:8080/Bigfix/HelpCenter/11.0/platform/Platform/Config/c_restapi_https_settings.html
or use the following KB to re-create the internal certs: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109312

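A quick way to see which certificate the Root Server is actually presenting on 52311, and whether it still names the old server, is to pull it over TLS and compare the subject/SAN against the hostname the Console uses. This is an added example, not code from the thread or from HCL; the server name is a placeholder, and the SAN text parsing assumes the "DNS Name=" format that the Windows .NET formatter emits.

```powershell
# Added example: inspect the certificate served by the BigFix Root Server on port 52311
# and check that it names the host the Console connects to. Placeholder server name below.
param(
    [string]$Server = 'bigfix-root.example.internal',   # placeholder, use your root server FQDN
    [int]$Port = 52311
)

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($Server, $Port)
# Trust is deliberately not checked here: the goal is only to read the presented cert.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
try {
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $client.Close()
}

# GetNameInfo(DnsName) returns the first SAN DNS entry, or the CN if there is no SAN.
$primary = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
# Windows formats SAN as "DNS Name=a, DNS Name=b"; strip the labels to get bare names.
$sanNames = ($sanText -split ',') | ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() } |
            Where-Object { $_ }

"Subject  : $($cert.Subject)"
"Issuer   : $($cert.Issuer)"
"Thumb    : $($cert.Thumbprint)"
"NotAfter : $($cert.NotAfter)"
"DNS names: $(@($primary) + $sanNames -join ', ')"

$allNames = @($primary) + $sanNames
if ($allNames -notcontains $Server) {
    Write-Warning ("Certificate on {0}:{1} does not name '{0}' (found: {2}). " +
                   "The Console will keep failing against this name until the cert is regenerated or replaced.") `
                  -f $Server, $Port, ($allNames -join ', ')
} else {
    "OK: certificate on ${Server}:$Port names $Server"
}
```

Run it with the exact name you type into the Console's server field; if the subject still shows the old hostname, that is the certificate the thread is talking about, and the 52315 replacement described later in the thread will not touch it.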

Oh, this is tickling a memory.

Somewhen ago, we were migrating our database somewhere. (From colocated to remote? Was it that long ago?) Doing this required updating the MSSQL version in the old location so that the database would be peer with the new version on the new server. But we ran into a mysterious error in the MSSQL installer. Turns out that was a known issue that had a patch (or workaround).

BUT… the core issue was that the server’s original system name – from being deployed as a Windows VM from a template – was embedded in a table somewhere.

Probably not related to your certificate issue, but I remembered it. :wink:


@DanieleColi,

The first link you gave is to an internal HCL resource. :slight_smile: However, I think the external version is here:
https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Config/c_restapi_https_settings.html
Taking a look now…

The second link you gave is what I’ve already tried (twice!) with HCL Support. It replaces the cert that gets published on 52315.

@DanieleColi,

That first link worked. Thank you! Will continue to engage Support, though, because it works by bypassing the problem, not fixing it. I mean, we’ll use the REST HTTPS solution in production, but there’s still an issue that should be resolved and documented for the next time someone runs into this and doesn’t have (or want) a custom third-party certificate as the solution.

Hi, to regenerate the Server Signing Certificate, the BESAdmin with rotateserversigningkey will do the job.
