Hello Qlik Community,

We have a customer running Qlik Sense Enterprise on Windows in a single-node environment without app distribution. They are experiencing issues with their internal security scans, which flag the self-signed certificates generated by Qlik Sense, i.e. the QlikServiceCluster certificate and self-signed certificate for the server.

Their security policy only allows certificates that are either:

• Signed by their internal CA, or
• Signed by a globally trusted CA

Our questions:

1. Is the QlikServiceCluster certificate actually required in a single-node setup without app distribution? Since there's no multi-node communication or cluster functionality being used, we're wondering if this certificate serves any purpose in this scenario.
2. Can we safely remove or replace the QlikServiceCluster certificate without breaking the Qlik Sense installation or causing issues with services?
3. What is the officially recommended approach for customers who have strict certificate policies and cannot use self-signed certificates for internal communication?
4. Are there any configuration options or best practices to handle this situation while maintaining full supportability?

We understand that replacing proxy certificates for HTTPS is straightforward via QMC, but we're specifically concerned about the internal service communication certificates.

Any guidance from Qlik or the community would be greatly appreciated!

Environment details:

• Qlik Sense Enterprise on Windows
  • May 2024
• Single-node installation
• No app distribution configured

Thank you in advance for your help!