It appears that the internal CA root certificate (subject: CN=server-name-CA, which is used for internal authentication even if a different certificate is used for port 443) is not a valid CA, because it lacks the CA flag (the X509v3 Basic Constraints extension). It's obviously possible to install it as a trusted root CA in Windows' certificate store, but other software refuses to recognize certificates signed by it as valid, even if you tell such software to trust it.
Is this a known bug? Is it possible to replace the root certificate with a manually constructed one? Will Qlik Sense use it as long as it has the right subject and the private key is available or if the thumbprint is updated in some obscure place (more obscure than the thumbprint for the public web interface certificate)? Or has it even been fixed recently (but certificates will still have to be replaced in that case)?
The answer was that it is a known bug, fixed in the June 2019 Patch 1 release, although it's listed as part of the June 2019 initial release.
When Qlik Sense is installed, a self-signed certificate is created on the server.
This certificate, however, is not trusted on any devices other than the server itself.
You can add a trusted certificate for purposes where a trust is required. (ref link)
NOTE: removing, replacing, or altering the certificates that are installed with Qlik Sense generally results in effectively disabling the product (until the certificates are restored or recreated the same).
EDL
That was not what I asked. I'd appreciate it if you'd read the question again. The certificate does not have the CA flag set and is therefore worthless as a CA certificate in the eyes of e.g. OpenSSL. That is a bug even if Windows accepts certificates without the CA flag as CA certificates.
"Third-party certificates are bound to the Qlik Sense Proxy Service HTTPS port (443). Communication via the API port (4243) always uses the Qlik Sense server certificate." Just to be clear, I'm talking about the server certificate, or rather the root certificate that signs the server certificate.
Hi @millnet-maho,
To further clarify, are you referring to the below entry in the Qlik Sense June 2019 Release Notes?
Qlik Sense self-signed root certificate missing basic constraint CA:true
Jira issue ID: QLIK-95021
Description: "X509v3 Basic Constraints: critical CA:TRUE" extension has been added to root.pem certificate.
Can be disabled via "Certificates.SelfSignedRoot.BasicConstraintsCA" setting in Repository.exe.config file.
If yes, this issue is addressed in the Qlik Support article "Qlik Sense: The certificate authority certificate does not contain the attribute “CA:True” and appea...". Thanks.
Yes, exactly.
Were you able to successfully resolve this issue? I'm having the same issue. I did everything including
No success. We call the Qlik Sense server from Tomcat. I'm getting the same error.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=XXXXXXXXXX-CA" is not a CA certificate
Did you follow step #3? If yes, did that certificate have "-CA" in the Issuer name? I don't know what changed recently that could have started this problem. Everything was working fine, and all of a sudden this issue started popping up. We are using Chrome.
Thanks
Hi, even I am getting the error all of a sudden for a ticket solution call from JBoss.
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=xxxxxxxxxx.ae-CA" is not a CA certificate.
I am not sure if this has anything to do with the Java version, as it was working well.
Thanks, @Anonymous. I have gone through the document.
Why would this have an impact all of a sudden? I need to justify my action before proceeding with an upgrade. We are running the February 2019 release and all of a sudden the ticketing solution stopped working with this error. Nothing was changed in the Qlik environment.
Can you please help me understand.
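Added example, not part of the original thread and not Qlik's code: a shell check, using the OpenSSL command line, of whether a PEM certificate such as the root.pem mentioned above carries the Basic Constraints CA:TRUE extension whose absence produces the "is not a CA certificate" errors quoted in the thread. The function names and the throwaway test certificates are constructed for illustration.

```shell
# Added example: report the basicConstraints CA state of a PEM certificate.
# Function names are hypothetical; test certificates are constructed, not Qlik's.

# ca_flag_state FILE
# Prints "true", "false" or "missing"; returns 2 if FILE cannot be parsed.
ca_flag_state() {
    cfs_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # In the -text dump the value sits on the line after the extension name.
    cfs_bc=$(printf '%s\n' "$cfs_text" |
        sed -n '/X509v3 Basic Constraints/{n;p;}')
    case $cfs_bc in
        '')        echo missing ;;  # no extension at all: the state reported in this thread
        *CA:TRUE*) echo true ;;     # usable as a trust anchor by strict validators
        *)         echo false ;;    # extension present but CA:FALSE
    esac
}

# make_test_root OUTFILE true|false|missing
# Builds a throwaway self-signed certificate (constructed sample input)
# so the check can be exercised offline on all three states.
make_test_root() {
    mtr_dir=$(mktemp -d) || return 1
    {
        printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
            'x509_extensions = ext'
        printf '%s\n' '[dn]' 'CN = server-name-CA'
        printf '%s\n' '[ext]' 'subjectKeyIdentifier = hash'
        case $2 in
            true)  echo 'basicConstraints = critical,CA:TRUE' ;;
            false) echo 'basicConstraints = critical,CA:FALSE' ;;
        esac
    } > "$mtr_dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$mtr_dir/req.cnf" \
        -keyout "$mtr_dir/key.pem" -out "$1" 2>/dev/null
    mtr_rc=$?
    rm -rf "$mtr_dir"
    return $mtr_rc
}

# Usage: ca_flag_state /path/to/root.pem
```

A result of "missing" or "false" on the root that signs the server certificate matches the condition Java's PKIX validator rejects in the stack traces above.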