Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2026 Agenda Now Available: Explore Sessions
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
nilesh007
Partner - Creator
Partner - Creator
‎2025-06-17 03:12 AM

Exported Qlik Sense Certificates Do Not Include Configured DNS

Hello,
We recently installed a new SSL certificate on our Qlik Sense server and configured the Central Proxy to reference this custom certificate.
Full details of our setup are similar to this discussion:
https://community.qlik.com/t5/Management-Governance/Qlik-Sense-still-using-default-certificate-rathe...

We can now access Qlik Sense from the configured DNS (qliksenseserver.company.com)) in a browser, and the correct certificate is displayed there. However, when we tried exporting certificates from the QMC on DNS name, they still appear based on the default self-signed certificate.
As a result, any backend client (e.g., Java WebSocket clients) fails SSL validation with an error like:
Error:
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching qliksenseserver.company.com)found.
Similarly, using curl results in:
curl: (60) SSL: no alternative certificate subject name matches target host name

This suggests that the exported certificates do not include the configured DNS name (no SAN — Subject Alternative Name — entry for the domain).
Question:
How can we export client certificates from Qlik Sense that include the correct SAN or are aligned with the new configured dns name (qliksenseserver.company.com)?

Labels (5)
Preview file
47 KB
599 Views
3 Replies
SimonMinifie
Partner - Contributor III
Partner - Contributor III
‎2025-06-17 08:32 AM

Hi Nilesh,
The 3rd party SSL cert binds itself to port 443 for https traffic. 
I would suggest from the responses that you are coming into the Sense server via one of the APIs such as 4242 for the QRS api.
Your new SSL certificate won't be bound to that port. 
This would work if you were calling the Proxy API over port 443, but with the rest you're going to have to use the server name. 

Thanks,

Simon

 

570 Views
0 Likes
SimonMinifie
Partner - Contributor III
Partner - Contributor III
‎2025-06-17 08:33 AM

Have a look at:
https://help.qlik.com/en-US/sense-developer/May2025/Subsystems/RepositoryServiceAPI/Content/Sense_Re...

570 Views
0 Likes
nilesh007
Partner - Creator
Partner - Creator
‎2025-07-03 07:31 AM
Author

Hi Simon,

I am not connecting to the 4242 QRS APIs; instead, I am trying to connect to the QlikSense WebSocket using Java, but I am encountering an error.

However, when I connect using Node.js with the public DNS, I am able to establish a connection successfully. Here’s the Node.js code I used:

const WebSocket = require('ws');
const fs = require('fs');
const path = require('path');

var certPath = path.join('C:', 'ProgramData', 'Qlik', 'Sense', 'Repository', 'Exported Certificates', '.Local Certificates');
var certificates = {
    cert: fs.readFileSync(path.resolve(certPath, 'client.pem')),
    key: fs.readFileSync(path.resolve(certPath, 'client_key.pem')),
    root: fs.readFileSync(path.resolve(certPath, 'root.pem'))
};

const ws = new WebSocket('wss://qliksensebi-uat.qliksense.com:4747/app/', {
    ca: [certificates.root],
    cert: certificates.cert,
    key: certificates.key,
    headers: {
        'X-Qlik-User': 'UserDirectory=qliksense3; UserId=nilesh'
    },
    rejectUnauthorized: false
});

ws.onopen = function (event) {
    console.log("Connected");
};

When trying to connect using Java, I am receiving an error. I would appreciate your assistance in troubleshooting this issue.


WebSocket ERROR: No subject alternative DNS name matching qliksenseexpobi.exponentia.ai found.
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching qliksenseexpobi.exponentia.ai found.
WebSocket CLOSED. Reason: 
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:647)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:467)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:363)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:922)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1013)
at java.base/java.io.InputStream.read(InputStream.java:220)
at org.java_websocket.client.WebSocketClient.run(WebSocketClient.java:515)
at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching qliksenseexpobi.exponentia.ai found.
at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:207)
at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:466)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:417)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:631)
... 15 more
Error fetching KPI: 
org.java_websocket.exceptions.WebsocketNotConnectedException
at org.java_websocket.WebSocketImpl.send(WebSocketImpl.java:673)
at org.java_websocket.WebSocketImpl.send(WebSocketImpl.java:649)
at org.java_websocket.client.WebSocketClient.send(WebSocketClient.java:431)
at QlikWebSocketClient.sendRpc(Main.java:256)
at QlikKpiFetcher.fetchKpi(Main.java:300)
at Main.main(Main.java:56)
449 Views
0 Likes