Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
teemusalo
Contributor II
Contributor II

Qlik Sense Server certificate export issuer

Hello,

we have recently changed our qlik sense server browser certificate which is signed with out internal certificate authority. Connecting through browser works fine and dandy and the certificate is valid.

However, now when we export new certificates for client computers through the QMC, those certificates are signed by the old certificate authority. How can we change which certificate authority the QMC uses to issue those new certs?

All the old and new certificates still exists within the windows certificate manager. We have changed the thumbprint setting in the QMC proxy settings but it only affects the certificate handed to browser clients.

-Teemu

Sincerely,
Teemu
Labels (2)
5 Replies
Levi_Turner
Employee
Employee

When you export from the QMC, you are solely exporting the internal certificates. The intended scenario is to allow easy options for integrations where you need the internal certificate(s) for API calls (QPS, QRS, QES).

teemusalo
Contributor II
Contributor II
Author

Hi Leviturner,

thank you for your response. We are using the certificates for our internal machines. These client have some need for the APIs like starting reloads or checking user sessions.

Where does the QMC get the certificate authority to sign these exported certs? Does it come from the windows certificate manager and how does it choose which one to use? Is there some internal copy of a certificate pair somewhere in the server files?

Also, when connecting to APIs like QPS, it seems Qlik server uses the old client certificate to communicate back with clients connecting to this API. It does not use the certificate with the thumb print given as the browser certificate for consuming users. How can we change the certificate used by the server for internal communication as well?

Sincerely,
Teemu
Levi_Turner
Employee
Employee

Yes, they are built off the root which generates the internal certificates.

As for the second question, it not currently possible. All ports other than 443 will use an internal certificate (4242 for QRS, 4747 for QES, 4243 for QPS).

teemusalo
Contributor II
Contributor II
Author

Hi,

thanks again for answering. I have just one final question regarding the internal certificates.

Updating from node.js 8.x to 10.x no longer accepts our root qlik certificate authority file. This is propably because the certificate is missing attributes that allows it to sign other certificates (restrictions and key usage). Now when we try make requests from node.js the connection raises an error "Invalid purpose".

My belief is that if we could create this root certificate again with these valid CA attributs, this problem would go away and we wouldn't have to ignore authority validation in our connections.

So, is it possible to replace this root internal certificate with a new one, and if so, how?

Sincerely,
Teemu
Levi_Turner
Employee
Employee

No, it is not possible.

As for the change in how NodeJS handles certificates, this thread seems useful: https://github.com/stefanwalther/qrs/issues/21