I am assuming that you're on Qlik Sense June 2017 or newer. From https://help.qlik.com/en-US/sense/September2017/Subsystems/PlanningQlikSenseDeployments/Content/Deployment/Services.htm, you are missing a key command line parameter. You ought to run Repository.exe -bootstrap -iscentral *. The waiting for certificates message is signaling that the node thinks it ought to be a RIM node, where certificates are distributed to it rather than generating their own.
Previous threads may've missed this distinction since historically Qlik Sense would re-generate certificates if needed. Due to the architectural changes needed to allow failover inside of Qlik Sense (STT - Failover in Qlik Sense - Practical Guide and Implications - YouTube) this step is needed.
* At some point it was Repository.exe -bootstrap -standalone so I typically would recommend running Repository.exe -bootstrap -standalone -iscentral which would eliminate any confusion.
Hope that helps.
However, now I have a secondary problem that my proxy doesn't work, ie hub/qmc still unavailable.
See log for more info but basically
Web exception: Protocol error: Response stream exists. Remote endpoint 'https://localhost:4242/' [..] Not available Proxy Not available Not available Configure proxy -2146233079 Could not contact local repository to retrieve local server node configuration
If i open https://localhost:4242 in my browser I get a certification error (see attached screenshot).
The translation is roughly:
The server could not prove it's localhost since its certificate originates from static-184.108.40.206.se.ip.tdc.net
When removing all certificates via the MCC, Qlik generates another certificate from static-220.127.116.11.se.ip.tdc.net so how can this be an improper configuration?
It isn't an improper configuration. It's a misalignment of the host used (localhost) and the Common Name / Subject Alternative Name of the certificate (static-18.104.22.168.se.ip.tdc.net). You can either click continue to get past this point or use the Chrome interstitial command "badidea" to bypass it (https://www.reddit.com/r/sysadmin/comments/42xd4i/chrome_danger_shortcut_changed_to_badidea/).