topic Re: Create HTTPS cert with internal CA in Management & Governance

Create HTTPS cert with internal CA

gustavgager — Mon, 23 Oct 2017 13:48:23 GMT

Hi there.

We have a PFsense Firewall wich does have a build in CA. So my plan is to use this CA to create a certificate that i can deploy using GPO and then use it to run HTTPS on several internal websites, inlcuding QS. However i cant seem to get it working.

First of, im pretty new to how certificates work but im trying to learn.

I have created a Root-CA and a Suborinate-CA on the firewall. I then exported the root-CA certificate and installed on my local desktop machine. I then created a server-certificate using the subordinate CA. From pfsense i can then export the crt file and i can export an .key file.

I the used openSSL.exe to merge theese two into one file and imported in on the qliksense server. I took the thumbprint and added it to the QS Proxy (as i have done on several customers befor without any problem).

But when i load the page and check what certificate it uses. It looks like its still uses the serlf-signed cert (The CA seems to be the sense-server). So what am I doing wrong? Do i need to convert my certificates to a specific format or something?

Re: Create HTTPS cert with internal CA

simon_minifie — Tue, 24 Oct 2017 09:16:09 GMT

Hi Gustav,

Have a look at the Proxy security logs. (C:\ProgramData\Qlik\Sense\Log\Proxy)

They usually give an explanation of why a specific certificate can't be used, and why it has reverted to its self-signed one.

Best regards,

Simon

Re: Create HTTPS cert with internal CA

gustavgager — Tue, 24 Oct 2017 09:35:26 GMT

Ahh good one! Found this in the log:

Couldn't find a valid ssl certificate with thumbprint xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

But when i check my cert-store (local computer->personal->certificates) its there, and the Thumbprint is correct.

So my conclusion is that my cert is not "valid"?

Re: Create HTTPS cert with internal CA

simon_minifie — Tue, 24 Oct 2017 09:48:36 GMT

Hi Gustav,

What constitutes a 'valid' cert is sort of outlined here:

https://help.qlik.com/en-US/sense/September2017/Subsystems/ManagementConsole/Content/change-proxy-certificate.htm

If the private key isn't present it is usually stated in the logs, so there must be a different reason Sense doesn't like it.

Thanks,

Simon

Re: Create HTTPS cert with internal CA

simon_minifie — Tue, 24 Oct 2017 09:50:21 GMT

Have a look at this post:

Sense unable to locate a ssl certificate

Same error as you're seeing.

Re: Create HTTPS cert with internal CA

gustavgager — Tue, 24 Oct 2017 10:07:21 GMT

Yes i have imported a key. If i open the Cert i certmanager it say that i have a private key that works with this certificate.

Re: Create HTTPS cert with internal CA

gustavgager — Tue, 24 Oct 2017 10:50:50 GMT

Thank you Simon. I actually got a bit closer to the problem now.

I had do install the certificate for the root CA and the Sub CA. After that, the cert was identified OK and the services started OK. I was under the impression that if i trust the root CA, then all sub.certs would be automaticly trusted?

However i still cannot get it to work. When i connect to the site, i get the error:

"Missmacthed Adress. The security certificate presented by this website was issued for another server".

I added several names including the IP adress. The IP adress works, but the name doesnt

So it looks like the subject alternative name forks. But the CN does not

Re: Create HTTPS cert with internal CA

gustavgager — Wed, 25 Oct 2017 13:04:19 GMT

A quick update. I got everything working when i added my URL as secondary. The primary CN did not work. Not on to try to get it to work with Nprinting