Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
gustavgager
Partner - Creator II
Partner - Creator II

Create HTTPS cert with internal CA

Hi there.

We have a PFsense Firewall wich does have a build in CA. So my plan is to use this CA to create a certificate that i can deploy using GPO and then use it to run HTTPS on several internal websites, inlcuding QS. However i cant seem to get it working.

First of, im pretty new to how certificates work but im trying to learn.

I have created a Root-CA and a Suborinate-CA on the firewall. I then exported the root-CA certificate and installed on my local desktop machine. I then created a server-certificate using the subordinate CA. From pfsense i can then export the crt file and i can export an .key file.

I the used openSSL.exe to merge theese two into one file and imported in on the qliksense server. I took the thumbprint and added it to the QS Proxy (as i have done on several customers befor without any problem).

But when i load the page and check what certificate it uses. It looks like its still uses the serlf-signed cert (The CA seems to be the sense-server). So what am I doing wrong? Do i need to convert my certificates to a specific format or something?

1 Solution

Accepted Solutions
simon_minifie
Partner - Creator III
Partner - Creator III

Have a look at this post:

Sense unable to locate a ssl certificate

Same error as you're seeing.

View solution in original post

7 Replies
simon_minifie
Partner - Creator III
Partner - Creator III

Hi Gustav,

Have a look at the Proxy security logs. (C:\ProgramData\Qlik\Sense\Log\Proxy)

They usually give an explanation of why a specific certificate can't be used, and why it has reverted to its self-signed one.

Best regards,

Simon

gustavgager
Partner - Creator II
Partner - Creator II
Author

Ahh good one! Found this in the log:

Couldn't find a valid ssl certificate with thumbprint xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

But when i check my cert-store (local computer->personal->certificates) its there, and the Thumbprint is correct.

So my conclusion is that my cert is not "valid"?

simon_minifie
Partner - Creator III
Partner - Creator III

Hi Gustav,

What constitutes a 'valid' cert is sort of outlined here:

https://help.qlik.com/en-US/sense/September2017/Subsystems/ManagementConsole/Content/change-proxy-ce...

If the private key isn't present it is usually stated in the logs, so there must be a different reason Sense doesn't like it.

Thanks,

Simon

simon_minifie
Partner - Creator III
Partner - Creator III

Have a look at this post:

Sense unable to locate a ssl certificate

Same error as you're seeing.

gustavgager
Partner - Creator II
Partner - Creator II
Author

Yes i have imported a key. If i open the Cert i certmanager it say that i have a private key that works with this certificate.

gustavgager
Partner - Creator II
Partner - Creator II
Author

Thank you Simon. I actually got a bit closer to the problem now.

I had do install the certificate for the root CA and the Sub CA. After that, the cert was identified OK and the services started OK. I was under the impression that if i trust the root CA, then all sub.certs would be automaticly trusted?

However i still cannot get it to work. When i connect to the site, i get the error:

"Missmacthed Adress. The security certificate presented by this website was issued for another server".

I added several names including the IP adress. The IP adress works, but the name doesnt

So it looks like the subject alternative name forks. But the CN does not

gustavgager
Partner - Creator II
Partner - Creator II
Author

A quick update. I got everything working when i added my URL as secondary. The primary CN did not work. Not on to try to get it to work with Nprinting