How to configure a .pfx certificate for use with the Qlik NPrinting Web Console and NewsStand

pbr — Mon, 10 Jun 2024 19:44:39 GMT

How to configure to use a new .pfx certificate for use with Qlik NPrinting Web Console and/or the NewsStand after converting it to the .key and .crt format

CNG-type certificates are not supported for use with NPrinting Server. See Requirements(help.qlik.com).

Items Needed:

A certificate with the Private Key that can be extracted (PFX files are the easiest)
Import the Password for the PFX certificate
OpenSSL (3rd Party free software- see disclaimer at end of this article) to extract the certificate and gather the .crt and .key files. See Installing OpenSSL

Please review this information with your internal Certificate Authority or appropriate IT team that would provide the certificate and follow their guidelines if it differs from the steps here. If a new certificate cannot be issued for the Qlik NPrinting server, a workaround for the issue may be found under General: what does the certificate error(red cross) in browser mean and how to fix it.

All the steps below can be performed automatically with one click using a third-party tool called NPrinting Certificate Configurator, which can be downloaded from the Releases section. Keep in mind that Qlik does NOT support the 3rd party software mentioned and used in this documentation. Please use them at your own discretion and, if concerned, contact the proper IT team within your company to verify the ability to use non-Qlik related software in the environment.

Before proceeding to the following steps, you must first install Open SSL. See Installing OpenSSL.

Extract the .CRT and .KEY files

Three Steps:

Extract the .crt file from the .pfx file. Using an administrative command prompt, navigate to the Open SSL/bin folder on your NPrinting computer and extract the .crt file from the .pfx file.

Test Command: openssl pkcs12 -in C:\NPCerts\QS3Cert.pfx -clcerts -nokeys -out C:\NPCerts\QS3.crt
Example Command: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

Note: The Import Password is determined by the CA when the certificate is exported/created. This is to help protect the Private Key. It should be supplied with the certificate from the 3rd Party SSL CA / Internal CA. If you do not have this password, you will not be able to use the certificate.
Extract the .key file from the .pfx file.

Test Command: openssl pkcs12 -in C:\NPCerts\QS3Cert.pfx -nocerts -out C:\NPCerts\QS3.key
Example Command: openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

Note: The PEM passphrase is used to protect the new .key file you’ve created.

3. Decrypt the .key file. Qlik NPrinting cannot have a passphrase on the .key file. Follow steps below to remove/decrypt the .key file. This is REQUIRED.

Test Command: openssl rsa -in C:\NPCerts\QS3.key -out C:\NPCerts\QS3.key
Example Command: openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]

Note: At this stage, we’re removing the pass phrase from the .key, unencrypting it for Qlik NPrinting to read it.

In the Test Command, we’re overwriting the same file in the command. This works, but if you want a separate copy of the encrypted and decrypted Key you’ll need to make them different file names or locations.

NPrinting Web Console

Place the extracted .crt and .key files in the webconsoleproxy folder and update the app.conf file.
Edit the Qlik NPrinting Web Console proxy configuration file: %ProgramData%\NPrinting\webconsoleproxy\app.conf.
1. Uncomment by removing the # and change or add the following lines to:
http.sslcert=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.crt. Change the certificate file name if necessary.
http.sslkey=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.key. Change the private key file name if necessary.
1. ${ProgramData} is the Windows ProgramData environment variable with the notation for the configuration file. As an alternative, you can insert your full path, for example, C:\ProgramData\NPrinting\webconsoleproxy\NPrinting.crt.
SAVE the app.conf file to preserve the changes

Qlik NPrinting Newsstand

Place the new .crt / .key files in the newsstandproxy folder and update the app.conf file.
SAVE the app.conf file to preserve the changes

Finalize

Restart the Qlik NPrinting Web Engine and check the nprinting_webengine.log to verify there’s no issues with new certificate information.

Note: The above is an example of a clean start of the Web Engine. Default location for those logs are located: "C:\ProgramData\NPrinting\Logs"

Verify the Certificates

Verify that the certificate is being used in the browser.

Note: In this example, the certificate is correctly being presented to the browser under the URL of qlikserver3.domain.local. With this certificate, it’s the ONLY name that this certificate will trust.

Note: This is the result using the servername instead of the FQDN. You can access the URL, but it presents a “Not secure” message, but shows the correctly installed certificate. The reason for this is that the server recognizes the name, but the certificate only allows qlikserver3.domain.local. If you want multiple URL/Aliases, they need to be added in the certificate.

article How to configure a .pfx certificate for use with the Qlik NPrinting Web Console and NewsStand in Official Support Articles