
How to: Change the Qlik Sense Proxy certificate if the service account does not have local administrative permissions

Sonja_Bauernfeind
Digital Support

If the Qlik Sense services do not run with local administrative privileges, a few additional steps are needed to successfully change the SSL certificate used for the HUB and QMC. The following article has a video that also includes the resolution steps below: How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate.

Otherwise, the third-party certificate may not be used by the Proxy after the restart, and the Qlik Sense server reverts back to the default self-signed certificate. 

  • Browsers will show an untrusted certificate. 
  • The Qlik Sense Proxy security log may show any or all of the following lines:


Certificate 'CN=<servername>' (2F66E692BBC9DCB5EF43853248A667EAD7CB27B2) is invalid because it was not signed correctly by 'CN=<servername>-CA'

or

Unkown error when accessing the private key for certificate

or

No private key found for certificate

or

Couldn't find a valid ssl certificate with thumbprint 

or

Reverting to default Qlik Sense SSLCertificate

  • The Qlik Sense Proxy system log may register the following:


INFO    <servername>    System.Proxy.Proxy.Core.QPSMain    8    40e67960-d393-4881-a7c8-efafe089ef0f    <serviceAccount>    Settings has been updated but will not take effect until bootstrap mode has been run on the repository       

 

Environment:

  • Qlik Sense Enterprise on Windows, all versions

 

Perform these steps:

  1. Give access to the Private Key in the certificate store to the user running the services. See How to manage Certificate Private Key for details. 
  2. Stop the Qlik Sense services, except for the Qlik Sense Repository Database and Qlik Sense Service Dispatcher services.
  3. Open an elevated command prompt and run repository.exe -bootstrap (If this is the central node, add the iscentral flag). Review Changing the user account to run Qlik Sense services for details. 
  4. Start Qlik Sense services.

The Qlik Sense Proxy security logs should now show the certificate being used correctly:

QlikServer1    Security.Proxy.Qlik.Sense.Common.Security.Cryptography.LoggingDigester    DOMAIN\_service    Setting crypto key for log file secure signing: success
QlikServer1    Security.Proxy.Qlik.Sense.Common.Security.Cryptography.SecretsKey    DOMAIN\_service    retrieving symmetric key from cert: success    
QlikServer1    Security.Proxy.Qlik.Sense.Common.Security.Cryptography.CryptoKey    DOMAIN\_service    setting crypto key: success    
QlikServer1    Security.Proxy.Qlik.Sense.Communication.Security.CertSetup    'CN=localhost' (08C871933A58E072FED7AD65E2DB6D5AD3EAF9FA) as SSL certificate presented to browser, which is a 3rd party SSL certificate
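To confirm the outcome after the restart, the log messages quoted in this article can be checked automatically. The script below is an added example, not Qlik code: the function name, status labels and tab-separated sample lines are assumptions constructed from the messages above, and it reports whether the Proxy presents the expected thumbprint or has reverted to the default certificate.

```python
import re

# Message fragments quoted in this article, mapped to a short symptom label.
SYMPTOMS = {
    "was not signed correctly": "signature_invalid",
    "error when accessing the private key": "private_key_access",  # step 1
    "No private key found": "private_key_access",                   # step 1
    "Couldn't find a valid ssl certificate": "certificate_not_found",
    "bootstrap mode has been run": "bootstrap_pending",             # step 3
}
REVERTED = "Reverting to default Qlik Sense SSLCertificate"
PRESENTED = re.compile(r"\(([0-9A-Fa-f]{40})\) as SSL certificate presented "
                       r"to browser, which is a 3rd party SSL certificate")

def triage(lines, expected_thumbprint):
    """Walk the log in order; later events override earlier ones."""
    # Thumbprints pasted from the certificate dialog may carry spaces or an
    # invisible leading character, so keep hex digits only.
    expected = re.sub(r"[^0-9A-Fa-f]", "", expected_thumbprint).upper()
    state = {"status": "unknown", "presented": None, "symptoms": []}
    for line in lines:
        for fragment, label in SYMPTOMS.items():
            if fragment in line and label not in state["symptoms"]:
                state["symptoms"].append(label)
        if REVERTED in line:
            state["status"], state["presented"] = "reverted_to_default", None
        match = PRESENTED.search(line)
        if match:
            state["presented"] = match.group(1).upper()
            if state["presented"] == expected:
                # The wanted certificate is live; older symptoms are resolved.
                state["status"], state["symptoms"] = "third_party_in_use", []
            else:
                state["status"] = "unexpected_certificate"
    return state

# Constructed sample lines assembled from the messages quoted above.
THUMB = "08C871933A58E072FED7AD65E2DB6D5AD3EAF9FA"
BEFORE = [
    "QlikServer1\tDOMAIN\\_service\tNo private key found for certificate",
    "QlikServer1\tDOMAIN\\_service\tReverting to default Qlik Sense SSLCertificate",
    "QlikServer1\tDOMAIN\\_service\tSettings has been updated but will not take "
    "effect until bootstrap mode has been run on the repository",
]
AFTER = [
    "QlikServer1\tDOMAIN\\_service\t'CN=localhost' (" + THUMB + ") as SSL certificate "
    "presented to browser, which is a 3rd party SSL certificate",
]

if __name__ == "__main__":
    print(triage(BEFORE, THUMB))
    print(triage(AFTER, THUMB))
```

An "unexpected_certificate" status means a third-party certificate is live but its thumbprint differs from the one that was meant to be configured.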

 

Last update: 2021-04-30 06:57 AM