article Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC in Official Support Articles

Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Mario_Petre — Tue, 21 Feb 2023 12:18:39 GMT

A third-party certificate was configured in the Qlik Sense Proxy, but is not being used.

The connection is not private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on HUB access.

Qlik Sense Enterprise on Windows uses self-signed and self-generated certificates to protect communication between services, as well as user web traffic to the hub and management console. It is possible to use a third-party-issued SSL certificate to protect client web traffic. Using the self-signed certificate will cause a certificate warning to be displayed in the web browser (such as Google Chrome or Internet Explorer).

If the third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense or it does not have the correct attributes and cyphers, the Qlik Sense Repository Service will revert to using the default certificates. The following error may occur in the Proxy Security logs:

Example: C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\HOSTNAME_Security_Proxy.txt

No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE]) Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE] Reverting to default Qlik Sense SSLCertificate Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser

Resolution:

In order for Qlik Sense Enterprise to correctly recognize the third-party certificate as valid, the certificate will have to meet the following requirements:

Note: Root and Intermediate CA certificates need to be correctly installed. Should any be missing, Qlik Sense proxy will not use the server certificate and will revert back to using the self-signed certificate instead.

Certificates that are known to work well with Qlik Sense have the following attributes:

Certificates that are x509 version 3. More information including filename extensions under https://en.wikipedia.org/wiki/X.509
Use signature algorithm sha256RSA
Use signature hash algorithm sha256
Signed by a valid, and OS/browser configured , CA
Are valid according to date restrictions (valid from/valid to)
Key in format CryptoAPI (not in CNG)
The certificate itself has to contain private key no matter what Qlik Sense version.

Re: Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC

mbespartochnyy — Sat, 18 Feb 2023 02:53:18 GMT

@Andre_Sostizzo, @Sonja_Bauernfeind I wanted to check in and see if there are any updates to certificate attribute requirements. SHA1 hashing algorithm is not considered reliable anymore and CryptoAPI has been deprecated for more than two years now.

I'm assuming newer versions of Qlik Sense support more secure hashing algorithms and CNG providers but I can't find updated list of certificate requirements anywhere.

Would you be able to either provide a link to updated requirements or update this post that modern versions of Qlik Sense support?

Thanks,

Mikhail B.

Re: Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC

Sonja_Bauernfeind — Tue, 21 Feb 2023 11:24:54 GMT

Hello @mbespartochnyy

Thank you for reaching out!

Let me look into this for you.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

mbespartochnyy — Tue, 21 Feb 2023 14:46:11 GMT

Thanks for looking into this, Sonja! I appreciate it.

Also, a side note, the very last point in the list of requirements above states:

"The certificate itself has to contain private key no matter what Qlik Sense version."

Certificates, as far as I know, don't contain a private key. They contain a public key. More specifically, certificates contain a modulus and an exponent which are used to calculate a public key. Private key is securely stored on a server and never shared, unlike a certificate which is shared with every client PC requesting interaction with a server.

I believe that point should say:

"The server on which Qlik Sense is installed has to contain private key that is corresponding to public key contained within a certificate no matter what Qlik Sense version."

Mikhail B.

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Sonja_Bauernfeind — Tue, 21 Feb 2023 15:18:01 GMT

Hello @mbespartochnyy

The private key statement does apply and refers to whether or not you import a certificate which has been exported to include a private key. See Requirements, or: What to look out for when getting your cert. and How to manage the Certificate Private Key. If a certificate is used which does not include this, the Qlik Sense Proxy will discard it and revert to the default self-signed certificate.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

mbespartochnyy — Tue, 21 Feb 2023 18:04:28 GMT

Interesting. I've never heard of certificate containing a private key. Ever the message in the Certificate window in the GIF in this post and a screenshot in Requirements, or: What to look out for when getting your cert post that you've mentioned both says:

"You have a private key that corresponds to this certificate."

Public / private key pair is generated on a server and private key is stored in a secured key store on the server never to be shared with anyone including a CA. Public key along with server and organization information is included in a CSR and sent to a CA for verification and signing. CA, once verifies identity of a requester, then signs a certificate containing server's identity and public key and send the signed certificate back to the server. A server then uses this signed certificate to distribute it to client PCs. Client PCs validate CA signature from the certificate it receives from the server and, if validations is successful, client PC then use public key which is included in a certificate to securely exchange session keys. Server uses its securely saved private key to decrypt session keys and use the session keys to secure client / server communications from that point on.

It makes sense for client PCs to ignore certificates if a server doesn't have a corresponding private key because Qlik Sense server wouldn't be able to decrypt session keys it receives from client PC. Also a certificate is imported for which a server does not own a private key, that server wouldn't be able to use that certificate. I can't find anything on workings of PKI or TLS/SSL that suggest that private keys are ever contained within a certificate. Not to say that it's not possible. Do you have anything that you can share that would support the idea that private keys are included in certificates?

Mikhail B.

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

mbespartochnyy — Tue, 21 Feb 2023 19:43:38 GMT

Just reread your message and noticed that you mentioned exporting of certificates. Certificates can be exported along with a private key. However export of certificate and private key is a step that someone would take during a backup process to ensure successful restoration of a Qlik Sense site rather than installing a newly received certificate from a CA.

Since the topic of this post is third-party certificates and the requirements of third-party certificates, I don't believe a statement like "[Third-party] certificate itself has to contain private key..." is accurate.

Mikhail B.

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

balajibc64 — Wed, 03 Jan 2024 10:30:16 GMT

Hi @Sonja_Bauernfeind @mbespartochnyy I'm also facing issue "NET::ERR_CERT_COMMON_NAME_INVALID" . I tried all the ways, but still facing this error on developer tool. any suggestion. pls.

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Sonja_Bauernfeind — Wed, 03 Jan 2024 11:35:48 GMT

Hello @balajibc64

Please post about your issue in detail in the Qlik NPrinting forum.

Include:

The version of the product
What you are attempting to do
What steps you performed
Where the steps fail and where you are seeing errors

Feel free to tag me in the post.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

tloe_4ebit — Mon, 15 Jul 2024 21:11:04 GMT

@Sonja_Bauernfeind Are there any news on the question that @mbespartochnyy has raised concerning more secure hashing algorithms and CNG providers or an updated list of certificate requirements?

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Sonja_Bauernfeind — Tue, 16 Jul 2024 04:37:03 GMT

Hello @tloe_4ebit

I recommend logging a support ticket regarding this so that the question reaches our Security Office and is appropriately investigated.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

fabdulazeez — Wed, 10 Sep 2025 14:36:00 GMT

@mbespartochnyy do you understand how the private keys are included in certificate? Even I need to guide our team to get one

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

mbespartochnyy — Wed, 10 Sep 2025 16:59:37 GMT

My understanding is that a private key is not included in a certificate.

As far as I know, when we run a certreq command to create a certificate signing request (CSR) to have a certification authority generate a certificate for Qlik Sense server, the certreq command creates and securely stores a private key on the server where CSR was created.

The CSR is then sent to the certification authority (CA) and the CA generates a certificate that we can use on a Qlik Sense server.

When we import the certificate from the CA to the Qlik Sense server using Microsoft Management Console, the server does the check to see if the server has a private key for the imported certificate. If it does, then we see this message:

When we export a certificate during the backup process, we can export the certificate AND a private key, but a certificate and private key are two different things. They work together, but they're two distinct pieces, not one.

If your certificate doesn't have a corresponding private key, there's a process of "re-binding" a certificate to a private key but it's a bit tricky. If your company has its own internal certification authority (it's very likely that it does), it's probably easier to just create a new CSR, have your company's CA create a new certificate, import the new certificate, and update proxy settings in QMC to use the new certificate.

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

fabdulazeez — Thu, 11 Sep 2025 00:49:11 GMT

We are using a wild card ssl certificate from a third party. So the CSR was not generated on Qlik server as the certificate is used on multiple servers. Can you let me know how can I add private key to the certificate. I have .crt file,.p7b file and ca-bundle file.

@Mario_Petre can you help me on this.

article Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC in Official Support Articles

Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Resolution:

Related Content:

Re: Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC

Re: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use with HUB/QMC