How to change the Qlik Sense Proxy certificate if the service account does not have local administrative permissions

By default, Qlik Sense uses a self-signed certificate to enable HTTPS access across both the Hub and the Management Console. But self-signed certificates cannot be validated or trusted by web browsers and tend to prompt a warning message.

To establish a secure HTTPS connection, the browser must trust the SSL/TLS certificate installed on the server. In the case of self-signed certificates, the signing Certificate Authority is not trusted, hence no certificates generated by the CA are trusted.

The steps on how to apply a third-party (and trusted) certificate can be found in: How to change the certificate used by the Qlik Sense Proxy to a custom third party certificate.

However, if your Service Account does not have administrative permissions, you will see the Proxy reverting back to the old certificate or otherwise not behave as expected.

These error messages may be seen in the Proxy Security log: 

Certificate 'CN=<servername>' (2F66E692BBC9DCB5EF43853248A667EAD7CB27B2) is invalid because it was not signed correctly by 'CN=<servername>-CA'

or

Unkown error when accessing the private key for certificate

or

No private key found for certificate

or

Couldn't find a valid ssl certificate with thumbprint 

or

Reverting to default Qlik Sense SSLCertificate

The Qlik Sense Proxy System log may register the following:

INFO    <servername>    System.Proxy.Proxy.Core.QPSMain    8    40e67960-d393-4881-a7c8-efafe089ef0f    <serviceAccount>    Settings has been updated but will not take effect until bootstrap mode has been run on the repository       

Resolution

1. Verify that the certificate follows Qlik's requirements: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use ... 
2. Give access to the Private Key in the certificate store to the user running the services. See How to manage Certificate Private Key for details. 
3. Stop the Qlik Sense services except of the Qlik Sense Repository Database and Qlik Sense Service Dispatcher services.
4. Open an elevated command prompt and run repository.exe -bootstrap (If this is the central node, add the iscentral flag). Review Changing the user account to run Qlik Sense services for details. 
5. Start Qlik Sense services.

Reviewing the Qlik Sense Proxy Security logs should now result in the certificate being properly used:

QlikServer1    Security.Proxy.Qlik.Sense.Common.Security.Cryptography.LoggingDigester    DOMAIN\_service    Setting crypto key for log file secure signing: success
QlikServer1    Security.Proxy.Qlik.Sense.Common.Security.Cryptography.SecretsKey    DOMAIN\_service    retrieving symmetric key from cert: success    
QlikServer1    Security.Proxy.Qlik.Sense.Common.Security.Cryptography.CryptoKey    DOMAIN\_service    setting crypto key: success    
QlikServer1    Security.Proxy.Qlik.Sense.Communication.Security.CertSetup    'CN=localhost' (08C871933A58E072FED7AD65E2DB6D5AD3EAF9FA) as SSL certificate presented to browser, which is a 3rd party SSL certificate

Environment:

Qlik Sense Enterprise on Windows, all versions