How to configure to use a new .pfx certificate for use with NPrinting Web Console and/or the NewsStand after converting it to the .key and .crt format

• NOTE: CNG type certificates are not supported for use with NPrinting Server. See requirements at https://help.qlik.com/en-US/nprinting/May2021/Content/NPrinting/On-Demand/Install-Components.htm#anc...
  

Items Needed:

• A certificate with the Private Key that can be extracted (PFX files are the easiest)
• Import Password for the PFX certificate
• OpenSSL (3rd Party free software- see disclaimer at end of this article) to extract the certificate and gather the .crt and .key files. See Installing OpenSSL

Note: Please review this information with your internal Certificate Authority or appropriate IT team that would provide the certificate and follow their guidelines if it differs from the steps here. If a new certificate cannot be issued for the NPrinting server, a workaround for the issue may be found under General: what does the certificate error(red cross) in browser mean and how to fix it

Environment:

• NPrinting all versions

All the steps below can be performed automatically with one click using a third-party tool called NPrinting Certificate Configurator, which can be downloaded from the Releases section. Keep in mind that Qlik does NOT support the 3rd party software mentioned and used in this documentation. Please use them at your own discretion and, if concerned, contact the proper IT team within your company to verify the ability to use non-Qlik related software in the environment.

NOTE: Before proceeding to the following steps, you must first install Open SSL. See: https://help.qlik.com/en-US/nprinting/November2020/Content/NPrinting/DeployingQVNprinting/Installing...

• Step 1: Using an administrative command prompt, navigate to the Open SSL/bin folder on your NPrinting computer and extract the .crt file from the .pfx file.
  
  
  Test Command: openssl pkcs12 -in C:\NPCerts\QS3Cert.pfx -clcerts -nokeys -out C:\NPCerts\QS3.crt
  Example Command: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
  Note: The Import Password is determined by the CA when the certificate is exported/created. This is to help protect the Private Key. It should be supplied with the certificate from the 3rd Party SSL CA  / Internal CA. If you do not have this password, you will not be able to use the certificate.
  
   
  Step 2: Extract the .key file from the .pfx file.
  
  
  
  Test Command: openssl pkcs12 -in C:\NPCerts\QS3Cert.pfx -nocerts -out C:\NPCerts\QS3.key
  Example Command:  openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
  Note: The PEM passphrase is used to protect the new .key file you’ve created.
  
  
  Step 3: Decrypt the .key file. (NPrinting CANNOT have a passphrase on the .key file)
  
  
  
  Test Command: openssl rsa -in C:\NPCerts\QS3.key -out C:\NPCerts\QS3.key
  Example Command:  openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
  Note: At this stage, we’re removing the pass phrase from the .key, unencrypting it for NPrinting to read it.
  In the Test Command, we’re overwriting the same file in the command. This works, but if you want a separate copy of the encrypted and decrypted Key you’ll need to make them different file names or locations.  
   
  
  Step 4: Place the new .crt / .key files in the webconsoleproxy folder and add them to the app.conf file.
  
  
   

1. Edit the Qlik NPrinting Web Console proxy configuration file: %ProgramData%\NPrinting\webconsoleproxy\app.conf.
   1. Uncomment by removing the # and change or add the following lines to:
2. http.sslcert=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.crt. Change the certificate file name if necessary.
3. http.sslkey=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.key. Change the private key file name if necessary.
   1. ${ProgramData} is the Windows ProgramData environment variable with the notation for the configuration file. As an alternative, you can insert your full path, for example, C:\ProgramData\NPrinting\webconsoleproxy\NPrinting.crt.

Step 5: Place the new .crt / .key files in the newsstandproxy folder and add them to the app.conf file.



Note: For older then June 2017 or upgraded from older versions, see Installing Certificates for used path.

1. Edit the NewsStand proxy configuration file: %ProgramData%\NPrinting\newsstandproxy\app.conf.
   1. Uncomment by removing the # and change or add the following lines to:
2. http.sslcert=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.crt. Change the certificate file name if necessary.
3. http.sslkey=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.key. Change the private key file name if necessary.
   1. ${ProgramData} is the Windows ProgramData environment variable with the notation for the configuration file. As alternative you can insert your full path, for example C:\ProgramData\NPrinting\newsstandproxy\NPrinting.crt.

Step 6: Restart the Qlik NPrinting Web Engine and check the nprinting_webengine.log to verify there’s no issues with new certificate information.



Note:  The above is an example of a clean start of the Web Engine. Default location for those logs are located: C:\ProgramData\NPrinting\Logs

 
Step 7: Verify that the certificate is being used in the browser.


 

Note: The certificate is correctly being presented to the browser under the URL of qlikserver3.domain.local. With this certificate, it’s the ONLY name that this certificate will trust.


 
Note: This is the result using the servername instead of the FQDN. You can access the URL, but it presents a “Not secure” message, but shows the correctly installed certificate. The reason for this is that the server recognizes the name, but the certificate only allows qlikserver3.domain.local. If you want multiple URL/Aliases, they need to be added in the certificate. 

Related information:

• Securing the NPrinting Web Console with 3rd party certificates 

NOTE: The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.