mbespartochnyy
Creator III

What is Qlik's self-signed certificate used for in an on-prem Qlik Sense server environment?

I'm having trouble understanding what the self-signed certificate is used for in an on-prem Qlik Sense server environment. More precisely, I'm referring to the self-signed certificate which is stored in Certificates (Local Computer) > Personal > Certificates location in Microsoft Management Console (MMC).

Service certificates documentation has this sentence about the self-signed certificate:

The service certificate and service private key are used for server authentication when your service acts as a server, that is, when another service calls an API in your service.

I find that sentence a bit too confusing.

Does anyone know, in layman's terms, what exactly a self-signed certificate is used for in an on-prem Qlik Sense server environment?

9 Replies
mpc
Partner Ambassador

Hi, 

When you connect to Qlik Sense, it establishes a secure connection between your computer and Qlik Sense. To do that, it needs a certificate, a file which says "Yes, I'm Qlik Sense".

But as you can see when connecting, your browser displays an error. That's because it's Qlik Sense itself that says "Yes, I'm Qlik Sense". That's called a self-signed certificate.

To truly secure the connection, you need to install a certificate signed by an external provider. Like an ID card signed by your government. It will say "Me, the third party, guarantee that this server is Qlik Sense".

I hope I'm more clear than the doc. 

Kind regards

From Next Decision and mpc with love
mbespartochnyy
Creator III
Author

Thanks for the reply @mpc!

I did a bit of experimenting today and the results I got suggest that the self-signed certificate is doing more than securing communications between Qlik Sense server and client PCs.

I have an internal Certification Authority (CA) at my company and I went through the process of creating a Certificate Signing Request, installing the certificate I received from the internal CA, and configuring Qlik Sense proxy settings to use the certificate generated by the internal CA. Doing so resolves the whole "connection is not secure" message, but what I did next broke my Qlik Sense server.

After installing the certificate from internal CA, I went ahead and deleted the original self-signed certificate and restarted my Qlik Sense server. The thought was "since Qlik Sense is now using the new cert, I no longer need the original one."

However, when I deleted the original self-signed certificate, both Hub and QMC broke:

[Image: mbespartochnyy_1-1722951611943.png]

[Image: mbespartochnyy_2-1722951868485.png]

They broke even though all of the Qlik Sense services are running fine:

[Image: mbespartochnyy_0-1722951586069.png]

This suggests that the self-signed certificate is doing more than securing communications between a Qlik Sense server and client PCs.

Do you know what else the self-signed certificate is used for?
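A read-only inventory of the store named in the question, taken before any certificate is deleted, makes this kind of breakage easier to avoid and to undo. This is an added example, not part of the original thread and not Qlik's own tooling; the function name `Get-CertInventory` and the output file name are assumptions, and which entry is the Qlik-generated certificate still has to be confirmed from its Subject and Issuer.

```powershell
# Added example: read-only inventory of Certificates (Local Computer) > Personal.
# Nothing is modified or deleted. Nothing here is Qlik-specific.
$storePath = 'Cert:\LocalMachine\My'

function Get-CertInventory {
    param([string]$Path = $storePath)

    foreach ($cert in Get-ChildItem -Path $Path) {
        # Build the chain against this machine's trust stores. Revocation is
        # skipped so the check also works on servers without outbound access.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)

        # The last chain element is the highest issuer the machine could find.
        $rootSubject = $null
        if ($chain.ChainElements.Count -gt 0) {
            $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
            $rootSubject = $last.Certificate.Subject
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            # True only when the certificate names itself as its issuer.
            SelfIssued    = ($cert.Subject -eq $cert.Issuer)
            ChainRoot     = $rootSubject
            # Trust as seen by THIS server; a client PC that lacks the
            # issuing root will still show a browser warning.
            TrustedHere   = $trusted
        }
        $chain.Reset()
    }
}

$inventory = Get-CertInventory
$inventory | Sort-Object NotAfter | Format-List

# Keep a timestamped copy so the store can be compared before and after a change.
$outFile = Join-Path $env:TEMP ("cert-inventory-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$inventory | Export-Csv -Path $outFile -NoTypeInformation
```

Comparing the thumbprints in this list with the one the proxy is configured to present shows which entries are still in use for other purposes and should be left in place.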

mpc
Partner Ambassador

Indeed, the self-signed certificate is used by the authentication mechanism between Qlik Sense services.
Removing it will therefore break Qlik Sense.

Complete process is available here: How to change the certificate used by the Qlik Sen... - Qlik Community - 1712773

To recreate the certificate: How to recreate or just delete certificates in Qli... - Qlik Community - 1712692

Good luck!

From Next Decision and mpc with love
rwunderlich
Partner Ambassador/MVP

The certificate is used as an authentication mechanism between services, e.g. between the Proxy Service and the Repository Service to generate a list of Apps for the Hub. The certificate is used like a key card and sent with the API call. If the call presents the certificate, then it's trusted.

-Rob

mbespartochnyy
Creator III
Author

Thank you both! It's starting to become clearer. It sounds like the self-signed certificate is used to authenticate the identity of the server on which Qlik Sense is installed and to encrypt communications between Qlik Sense services.

What about encryption of data connection strings and credentials?

I read through the How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub document which, at the very beginning, mentions this:

[Image: mbespartochnyy_1-1722957975396.png]

It sounds like the self-signed certificate might also play a role in encrypting data within the QSR database. The rest of the document seems to suggest that credentials used when creating data connections are also encrypted using (I assume the self-signed) certificate.

[Image: mbespartochnyy_3-1722958523607.png]

Is the self-signed certificate also used to encrypt credentials for data connections or is the self-signed certificate only used for server authentication and to secure communications between Qlik Sense services?

mpc
Partner Ambassador

You're right, it also encrypts credentials for data connections. So deleting and recreating it forces you to retype credentials.

From Next Decision and mpc with love
mbespartochnyy
Creator III
Author

It sounds like in an on-prem Qlik Sense server environment, there are three roles that the self-signed certificate serves. They are:

  • Secure communications between the Qlik Sense server and client PCs.
    • That is unless the self-signed certificate is replaced by a certificate generated by a trusted third-party or by an internal Certification Authority.
    • Side Note: Recreating the self-signed certificate won't cause any issues here.
    • Another Side Note: Changing the third party certificate, if one is used, will require changes to proxy settings in QMC in order for Qlik Sense to use the new certificate.
  • Secure communications between Qlik Sense services.
    • Applies to both a single node site and to a multi-node site.
    • Side Note: Recreating the self-signed certificate won't cause any issues here.
  • Secure credentials of data connections
    • Side Note: Recreating the self-signed certificate will result in a need to re-enter password for every password-protected data connection.

There are no other known roles that the self-signed certificate plays in an on-prem Qlik Sense server environment. Is that accurate?

Senor_Dai
Partner - Creator II

Hi,

We've been picked up by an external PenTest for using self-signed certificates. We have a third-party SSL certificate installed for the Hub/QMC - can this be used to replace the self-signed cert?

Many thanks

mpc
Partner Ambassador

Hi, 

You can do it by registering the cert in the QMC > Proxy > Security section. You must not uninstall the Qlik self-signed one.

Best

From Next Decision and mpc with love