topic Generated root certificate is not a valid CA certificate in Management & Governance

Generated root certificate is not a valid CA certificate

millnet-maho — Sat, 16 Nov 2024 04:57:28 GMT

It appears that the internal CA root certificate (subject: CN=server-name-CA, which is used for internal authentication even if a different certificate is used for port 443) is not a valid CA, because it lacks the CA flag (the X509v3 Basic Constraints extension). It's obviously possible to install as a trusted root CA in Windows' certificate store, but other software refuses to recognize certificates signed by it as valid, even if you tell such software to trust it.

Is this a known bug? Is it possible to replace the root certificate with a manually constructed one? Will Qlik Sense use it as long as it has the right subject and the private key is available or if the thumbprint is updated in some obscure place (more obscure than the thumbprint for the public web interface certificate)? Or has it even been fixed recently (but certificates will still have to be replaced in that case)?

Re: Generated root certificate is not a valid CA certificate

Anonymous — Thu, 15 Aug 2019 21:39:44 GMT

When Qlik Sense is installed, self-sighed certificate is created on server.
This certificate, however, is not trusted on any other devices other than the server itself.

You can add a trusted certificate for purposes where a trust is required. (ref link)

https://help.qlik.com/en-US/sense/February2019/Subsystems/ManagementConsole/Content/Sense_QMC/change-proxy-certificate.htm

NOTE: removing, replacing, or altering the certificates that are installed with Qlik Sense generally results in effectively disabling the product (until the certificates are restored or recreated the same).

EDL

Re: Generated root certificate is not a valid CA certificate

millnet-maho — Fri, 16 Aug 2019 09:40:29 GMT

That was not what I asked. I'd appreciate it if you'd read the question again. The certificate does not have the CA flag set and is therefore worthless as a CA certificate in the eyes of e.g. OpenSSL. That is a bug even if Windows accepts certificates without the CA flag as CA certificates.

"Third-party certificates are bound to the Qlik Sense Proxy Service HTTPS port (443). Communication via the API port (4243) always uses the Qlik Sense server certificate." Just to be clear, I'm talking about the server certificate, or rather the root certificate that signs the server certificate.

Re: Generated root certificate is not a valid CA certificate

millnet-maho — Wed, 04 Sep 2019 07:51:47 GMT

The answer was that it is a known bug, fixed in the June 2019 Patch 1 release, although it's listed as part of the June 2019 initial release.

Re: Generated root certificate is not a valid CA certificate

Chip_Matejowsky — Wed, 04 Sep 2019 12:56:43 GMT

Hi @millnet-maho,

To further clarify, are you referring to the below entry in the Qlik Sense June 2019 Release Notes?

Qlik Sense self-signed root certificate missing basic constraint CA:true
Jira issue ID: QLIK-95021
Description: "X509v3 Basic Constraints: critical CA:TRUE" extension has been added to root.pem certificate.
Can be disabled via "Certificates.SelfSignedRoot.BasicConstraintsCA" setting in Repository.exe.config file.

If yes, this issue is addressed in the Qlik Support article "Qlik Sense: The certificate authority certificate does not contain the attribute “CA:True” and appears as invalid.". Thanks.

Re: Generated root certificate is not a valid CA certificate

millnet-maho — Wed, 04 Sep 2019 13:54:18 GMT

Yes, exactly.

Re: Generated root certificate is not a valid CA certificate

rajeshmuthu — Sat, 01 Feb 2020 03:07:12 GMT

Were you able to successfully resolve this issue? I'm having the same issue. I did everything including

Upgrading QlikSense from April 2018 to November 2019
Deleting and recreating the Qliksense certificates
Setting this "Certificates.SelfSignedRoot.BasicConstraintsCA" to false in Repository.exe.config, restart all the service and generate new certificates

No success. We call the Qliksense server from Tomcat. I'm getting the same error.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=XXXXXXXXXX-CA" is not a CA certificate

Did you follow step #3? If yes, did that certificate has "-CA" in the Issuer name? I don't know what changed recently that could started this problem. Everything was working fine. And all of sudden this issue started popping up. We are using chrome

Thanks

Re: Generated root certificate is not a valid CA certificate

fabdulazeez — Wed, 26 Feb 2020 14:34:18 GMT

Hi even I am getting the error all of a sudden for a ticket solution call from jboss.

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=xxxxxxxxxx.ae-CA" is not a CA certificate.

Am not sure if this has got anything to do with Java version, as it was working good.

Re: Generated root certificate is not a valid CA certificate

Anonymous — Wed, 26 Feb 2020 14:42:22 GMT

Please refer to this.

https://support.qlik.com/articles/000075724

Eddie

Re: Generated root certificate is not a valid CA certificate

fabdulazeez — Wed, 26 Feb 2020 16:26:41 GMT

Thank @Anonymous . I have gone through the document.

Why would this impact all of a sudden. I need to justify my action before proceeding for a upgrade. We are running February 2019 release and all of a sudden the ticketing solution stopped working with this error. Nothing was changed from Qlik environment.

Can you please help me understand.

Re: Generated root certificate is not a valid CA certificate

Anonymous — Wed, 26 Feb 2020 20:32:21 GMT

As you can see. The Fix for this is in recent release (June 2019) but the problem can occur as far back as the releases in 2017. The reasons I've found vary. For example, a recent client reported they upgrade their JDK from 1.7 to 1.8. Then this popped up. There may be other reasons as well but we do not document them.

Eddie