
Problem installing certificate in Qlik sense server

Hi,

I have a Qlik Sense server on a standalone server.

It is using a self-signed certificate.

I went on and installed a certificate from a public CA: *.company.com

I have followed these instructions:

http://help.qlik.com/en-US/sense/1.1/Subsystems/ManagementConsole/Content/ServerUserGuide/SUG_Config...

After I installed the cert, in QMC -> Proxies, I edited the current proxy -> Security and added the certificate thumbprint.

I have applied the changes. Every time I log in to https://qlik.company.local I am getting the self signed certificate.

I can see the cert installed under Personal->Certificates under Local Computer

I have put the thumbprint as is from the certificate; later I took out the spaces, but that did not help.

Thanks

1 Solution

Accepted Solutions
Not applicable
Author

Is your goal to remove the cert privacy messages generated using self-signed certs?  One option if you are trying to do this on a closed network that isn't exposed to the internet is to distribute the root certificate from the Qlik Sense generated certs  (without private key) to users and add it to their trusted root cert authority on their local machines.  This will help.

Buying a trusted cert from a third party for a .local cert is possible as well because you supply the CSR that contains the domain you are creating the cert to recognize.

9 Replies
Gysbert_Wassenaar

Did you also restart the proxy?

Have you read this document? Generating Certificate Signing Requests for Trusted Certificates


talk is cheap, supply exceeds demand
Not applicable
Author

Please see this document.  As of 1.1, taking out spaces is not necessary.  However, you may have not grabbed the whole thumbprint from cert manager if you clicked and dragged to select.  Do a Control A.

See this document for more info: Generating Certificate Signing Requests for Trusted Certificates

Not applicable
Author

Thanks Gysbert for the Document.

I am reading the document now

I have one question though: my Qlik server name is server1.bisintel.local. It's just a local domain for Qlik Sense.

I can't buy a certificate for a .local domain. If I buy a certificate for *.company.local, can I apply it here and will it work?

Or do I need to buy a domain like busintel.com and set up that domain for our Qlik Sense?

Not applicable
Author

I am reading the document, but I already have *.company.com, which is from a public CA.

That certificate we are using for our company domain.

I have created busintel.local domain where I have installed Qlik Sense and it needs to be accessible for external users.

I installed *.company.com cert that is from public CA on the qlik sense server that is in a busintel.local domain.

I don't think I need to create certificate request, as I already have wildcard public certificate that I want to use.

I am assuming I can use that certificate.

Not applicable
Author

Yes you can, so just read the document from the point that you have the cert and you need to upload to cert manager and then grab the thumbprint. Pay mind to the places where the cert is uploaded, and make sure you have the proper cert path and private key attached to the wildcard cert, or it will not work with Qlik Sense.

What version of Qlik Sense?

jg

Not applicable
Author

Actually it is not going to be used by internal users.

It is going to be used by external users.

I don't want them to see the certificate error message, and moreover some Apple devices do not work well with self-signed certificates.

Are you suggesting that it's better to buy *.busintel.local? I don't mind buying it, if that will work.

Not applicable
Author

If it's for external,

I'm suggesting you register an external domain, purchase a certificate for that domain, and then apply that certificate to your Qlik Sense server using the instructions that have been linked.

For example, I have a Qlik Sense server and I want to expose it to the internet. To do that I do the following:

1. Make sure my firewall supports inbound connections on port 443 (and 4244 if performing Windows authentication).

2. Go to a domain register and register a domain name.

3. Add an entry for my domain to the DNS registry of a DNS provider with the IP address of my server.

4. Generate a CSR for a certificate for the domain name I have registered.

5. Request the certificate from a trusted CA.

6. Obtain the certificate and add the private key to the certificate.

7. Add the certificate to the Windows cert manager localmachine\personal store. Potentially root certs as well.

8. Add the certificate thumbprint to the Qlik Sense proxy.

9. In your Qlik Sense virtual proxy, make sure the domain name you have registered has been added to the websocket whitelist.

Restart the QMC.

When you open a browser, navigate to the domain you purchased and you will be routed to the Qlik Sense server because DNS will know where to point it.  You will authenticate and get into Qlik Sense.
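
The checks raised in this thread (a complete thumbprint, the certificate in the Local Computer Personal store with its private key, a valid chain, and a name that matches the address users type), as an added PowerShell example that is not part of the original posts or of Qlik's documentation. `Test-ProxyCertificate` is a hypothetical helper name and `qlik.company.com` in the usage comment is a constructed host name; the script assumes PowerShell 4 or later, where the certificate provider exposes `DnsNameList`.

```powershell
# Added example (hypothetical helper): pre-flight check before a thumbprint is pasted into the proxy.
function Test-ProxyCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # as copied from the certificate dialog
        [Parameter(Mandatory)][string]$PublicName    # host name users will type in the browser
    )

    # Keep hex digits only: drops spaces and any invisible characters picked up when copying.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "Thumbprint has $($clean.Length) hex digits, expected 40; select the whole value."
    }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My." }

    # Build the chain to confirm the intermediate and root certificates are present and trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    # A wildcard covers exactly one left-most label: *.company.com matches
    # qlik.company.com but not server1.bisintel.local or a.b.company.com.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -ieq $PublicName) { $nameOk = $true }
        elseif ($n.StartsWith('*.') -and $PublicName.Contains('.')) {
            $rest = $PublicName.Substring($PublicName.IndexOf('.'))
            if ($rest -ieq $n.Substring(1)) { $nameOk = $true }
        }
    }

    [pscustomobject]@{
        Thumbprint    = $clean                # value to paste into the proxy settings
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey   # must be True for the server to use the cert
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NotAfter      = $cert.NotAfter
        DnsNames      = $names -join ', '
        MatchesName   = $nameOk               # False predicts a name-mismatch warning
    }
}

# Usage (constructed values): run in an elevated session on the Qlik Sense server.
# Test-ProxyCertificate -Thumbprint '<pasted thumbprint>' -PublicName 'qlik.company.com'
```

A result with `HasPrivateKey` or `ChainValid` set to False points at the import step rather than at the proxy setting, and `MatchesName` set to False for a given address predicts a certificate mismatch message when the server is opened under that name.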

Not applicable
Author

Actually I was able to use *.company.com on the Qlik Sense server.

Deleted the cert, reinstalled it and it was fine.

When I log in externally all looks good, no error messages.

When I log in from the Qlik Sense server locally I get a certificate mismatch message, saying that the cert does not correspond to the computer name.

As long as that message does not pop up for the external users, it should be fine.

Thanks a lot guys for your help.

You have been great.