topic Re: Exported Qlik Sense Certificates Do Not Include Configured DNS in Integration, Extension & APIs

Exported Qlik Sense Certificates Do Not Include Configured DNS

nilesh007 — Tue, 17 Jun 2025 07:12:08 GMT

Hello,
We recently installed a new SSL certificate on our Qlik Sense server and configured the Central Proxy to reference this custom certificate.
Full details of our setup are similar to this discussion:
https://community.qlik.com/t5/Management-Governance/Qlik-Sense-still-using-default-certificate-rather-than-SSL/m-p/2436486#M26927

We can now access Qlik Sense from the configured DNS (qliksenseserver.company.com)) in a browser, and the correct certificate is displayed there. However, when we tried exporting certificates from the QMC on DNS name, they still appear based on the default self-signed certificate.
As a result, any backend client (e.g., Java WebSocket clients) fails SSL validation with an error like:
Error:
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching qliksenseserver.company.com)found.
Similarly, using curl results in:
curl: (60) SSL: no alternative certificate subject name matches target host name

This suggests that the exported certificates do not include the configured DNS name (no SAN — Subject Alternative Name — entry for the domain).
Question:
How can we export client certificates from Qlik Sense that include the correct SAN or are aligned with the new configured dns name (qliksenseserver.company.com)?

Re: Exported Qlik Sense Certificates Do Not Include Configured DNS

SimonMinifie — Tue, 17 Jun 2025 12:32:14 GMT

Hi Nilesh,
The 3rd party SSL cert binds itself to port 443 for https traffic.
I would suggest from the responses that you are coming into the Sense server via one of the APIs such as 4242 for the QRS api.
Your new SSL certificate won't be bound to that port.
This would work if you were calling the Proxy API over port 443, but with the rest you're going to have to use the server name.

Thanks,

Simon

Re: Exported Qlik Sense Certificates Do Not Include Configured DNS

SimonMinifie — Tue, 17 Jun 2025 12:33:43 GMT

Have a look at:
https://help.qlik.com/en-US/sense-developer/May2025/Subsystems/RepositoryServiceAPI/Content/Sense_RepositoryServiceAPI/RepositoryServiceAPI-Example-Connect-cURL-Certificates.htm

Re: Exported Qlik Sense Certificates Do Not Include Configured DNS

nilesh007 — Thu, 03 Jul 2025 11:31:51 GMT

Hi Simon,

I am not connecting to the 4242 QRS APIs; instead, I am trying to connect to the QlikSense WebSocket using Java, but I am encountering an error.

However, when I connect using Node.js with the public DNS, I am able to establish a connection successfully. Here’s the Node.js code I used:

const WebSocket = require('ws');
const fs = require('fs');
const path = require('path');

var certPath = path.join('C:', 'ProgramData', 'Qlik', 'Sense', 'Repository', 'Exported Certificates', '.Local Certificates');
var certificates = {
    cert: fs.readFileSync(path.resolve(certPath, 'client.pem')),
    key: fs.readFileSync(path.resolve(certPath, 'client_key.pem')),
    root: fs.readFileSync(path.resolve(certPath, 'root.pem'))
};

const ws = new WebSocket('wss://qliksensebi-uat.qliksense.com:4747/app/', {
    ca: [certificates.root],
    cert: certificates.cert,
    key: certificates.key,
    headers: {
        'X-Qlik-User': 'UserDirectory=qliksense3; UserId=nilesh'
    },
    rejectUnauthorized: false
});

ws.onopen = function (event) {
    console.log("Connected");
};

When trying to connect using Java, I am receiving an error. I would appreciate your assistance in troubleshooting this issue.

WebSocket ERROR: No subject alternative DNS name matching qliksenseexpobi.exponentia.ai found.

javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching qliksenseexpobi.exponentia.ai found.

WebSocket CLOSED. Reason:

at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)

at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)

at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)

at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:647)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:467)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:363)

at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)

at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)

at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)

at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206)

at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)

at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)

at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)

at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)

at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:922)

at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1013)

at java.base/java.io.InputStream.read(InputStream.java:220)

at org.java_websocket.client.WebSocketClient.run(WebSocketClient.java:515)

at java.base/java.lang.Thread.run(Thread.java:1583)

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching qliksenseexpobi.exponentia.ai found.

at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:207)

at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:466)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:417)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)

at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:631)

... 15 more

Error fetching KPI:

org.java_websocket.exceptions.WebsocketNotConnectedException

at org.java_websocket.WebSocketImpl.send(WebSocketImpl.java:673)

at org.java_websocket.WebSocketImpl.send(WebSocketImpl.java:649)

at org.java_websocket.client.WebSocketClient.send(WebSocketClient.java:431)

at QlikWebSocketClient.sendRpc(Main.java:256)

at QlikKpiFetcher.fetchKpi(Main.java:300)

at Main.main(Main.java:56)