Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
barryharmsen
Luminary Alumni
Luminary Alumni

QV in DMZ with certificate trust: Found multiple X.509 certificates

This is probably a long shot, but who knows. I'm deploying QlikView in a DMZ environment. We're using IIS as the webserver and have deployed only the "QlikView Settings Service" on the DMZ server. All the other services are sitting behind the firewall on another server. I am able to deploy the certificates to the webserver from the QMC sitting behind the firewall (went to the website, typed in the code, etc.).

The problem I'm having is that, once the certificates have been added, the QlikView Setting Service will no longer start. (Part of) the event log error is:

"Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectDistinguishedName', FindValue 'CN=MYSERVERNAME'. Provide a more specific find value."


As the error message implies, the issue is that there are multiple certificates on the server that all have the same subject. As the search name is rather generic, it's looking for the name of the server, the search returns multiple certs. The other certificates are being used by other websites and applications that are hosted on the DMZ machine, so I cannot just remove them. Is there any way to make the search a little more specific? For example by modifying a .config file (maybe switching it to FindByThumbprint instead of FindBySubjectDistinguishedName)?

Any help/ideas would be appreciated.

Labels (2)
7 Replies
stephencredmond
Luminary Alumni
Luminary Alumni

Sounds like a bug!

I wonder if the QVWS would have the same issue - just as a test (although you may not be allowed install it).

Sorry that I can't be more helpful.

Stephen

barryharmsen
Luminary Alumni
Luminary Alumni
Author

Unfortunately installing QVWS is not an option. A ticket has been logged with support as well, so will follow up if this yields a useful answer. Currently the only workaround I see is deploying a separate box with IIS, which seems like a real waste.

barryharmsen
Luminary Alumni
Luminary Alumni
Author

No reply from support yet, but we managed to work around it by renaming the other certificates.

Bill_Britt
Former Employee
Former Employee

Hi,

What version are you running? Also, when you did the install did you select to manage? Certificate or Administrator group?

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.
barryharmsen
Luminary Alumni
Luminary Alumni
Author

11.2 SR3, I'm using certificate authentication. We have everything working, the problem was that there were multiple certificates with the same subjects (used by different websites and applications on the server). The client ended up changing the subjects for those certificates.

I think it would be nice if the search for the certificate was done based on the fingerprint, instead of just the server name, but I can imagine that's way down on the feature request list

stephencredmond
Luminary Alumni
Luminary Alumni

Might be worth you feeding that information to the Beta team.  They may find it interesting.

Stephen

barryharmsen
Luminary Alumni
Luminary Alumni
Author

Actually just encountered this problem again. This might actually be a bigger risk than I first thought. We resolved this by renaming the certificates used by the other apps on the server. If in the future a new app is deployed that uses the same subject name (very likely, as it's just the machine name) then the QlikView Settings Service will be brought down. I would highly suggest switching to FindByThumbprint instead of FindBySubjectDistinguishedName.