ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate

Anonymous — Fri, 16 Apr 2021 11:36:48 GMT

Qlik Sense Enterprise for Windows will by default use a self-signed certificate to allow for the use of HTTPS when accessing the Management Console (QMC) or the Hub.

QlikView will always use HTTP by default, but a 3rd party certificate can be installed to enable HTTPS. See QlikView AccessPoint and QMC with HTTPS and a custom SSL certificate.

In Qlik Sense, this self-signed certificate will lead to browsers showing "Not Secure" as in this screenshot:

After implementing a 3rd party or private CA certificate, the QMC and Hub will begin to show the connection as "Secure":

If the client implements the new certificate and still receives the error ERR_CERT_COMMON_NAME_INVALID, it is possible that the expected domain in the certificate and the domain listed in the URL do not match.

Environment:

Qlik Sense Enterprise all versions
QlikView all versions

Resolution:

Unsupported TLS version or ciphers?

Verify that the Windows Server hosting QlikView does not have obsolete TLS versions installed which the browser does not support.

Does the URL match the certificate?

Check that the URL being used and ensure that it matches the Fully Qualified Domain Name (FQDN) issued to the certificate.

For example, if a certificate is issued to qliksense.company.com, users can still access the QMC / Hub using the server name only (qliksense) but the web browser will produce a warning about a mismatch between qliksense/hub/ and qliksense.company.com/hub/

In Qlik Sense, if you are concerned about whether a certificate is correctly bound, then inspect the Security_Proxy log in C:\ProgramData\Qlik\Sense\Log\Proxy\Trace. An example of a success binding of a certificate to the Proxy will look like:

Domain\qs_admin Set certificate 'CN=*.company.com, OU=PremiumSSL Wildcard, O=ACME, STREET="88 Broadway, Bldg 14", L=New York, S=ON, PostalCode=90213, C=CA' (D09777777738C5A799999994F9555AFF588888)

Does the Subject Alternative Name match?

Another important cause of this error is: the URL used in the browser does not match "Subject Alternative Name" in the certificate.

In most browsers, when verifying the website's identity, SubjectAlternativeName(SAN) is used first. If absent, then it falls back to Subject (or known as "Common Name" which is typically the same as "Issue to").
Since Google Chrome v58, this falling back behavior is dropped. So if an SAN does not match URL, or SAN does not exist at all, ERR_CERT_COMMON_NAME_INVALID error will happen.

Recommendation:

Use the FQDN which align with the certificate
Acquire a new certificate to include the appropriate SAN to match the URL which users will use to access Qlik Sense
Have TLS versions/ciphers up to date. See SSL & TLS Support in QlikView - How to configure QlikView and TLS

Cause:

The FQDN does not align with the certificate.

Re: ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate

BrunPierre — Mon, 27 Jul 2020 21:06:57 GMT

How would you resolve this same error in QlikView environment?

Re: ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate

Sonja_Bauernfeind — Thu, 30 Jul 2020 10:31:34 GMT

Hello @BrunPierre

The error is universal and by itself not connected to Qlik Sense.

"Check that the URL being used and ensure that it matches the Fully Qualified Domain Name (FQDN) issued to the certificate." applies regardless of what product (Qlik Sense, QlikView, or any other product using a certificate not even related to Qlik) is being used.

I will rewrite the article to reflect this.

article ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate in Official Support Articles

ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate

Resolution:

Unsupported TLS version or ciphers?

Does the URL match the certificate?

Does the Subject Alternative Name match?

Recommendation:

Cause:

Related Content:

Re: ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate

Re: ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate