Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Apr 16, 2021 7:36:48 AM
Mar 1, 2017 7:59:46 PM
Qlik Sense Enterprise for Windows will by default use a self-signed certificate to allow for the use of HTTPS when accessing the Management Console (QMC) or the Hub.
QlikView will always use HTTP by default, but a 3rd party certificate can be installed to enable HTTPS. See
In Qlik Sense, this self-signed certificate will lead to browsers showing "Not Secure" as in this screenshot:
After implementing a 3rd party or private CA certificate, the QMC and Hub will begin to show the connection as "Secure":
If the client implements the new certificate and still receives the error ERR_CERT_COMMON_NAME_INVALID, it is possible that the expected domain in the certificate and the domain listed in the URL do not match.
Environment:
- Qlik Sense Enterprise all versions
- QlikView all versions
Resolution:
Unsupported TLS version or ciphers?
Verify that the Windows Server hosting QlikView does not have obsolete TLS versions installed which the browser does not support.
Does the URL match the certificate?
Check that the URL being used and ensure that it matches the Fully Qualified Domain Name (FQDN) issued to the certificate.
For example, if a certificate is issued to qliksense.company.com, users can still access the QMC / Hub using the server name only (qliksense) but the web browser will produce a warning about a mismatch between qliksense/hub/ and qliksense.company.com/hub/
In Qlik Sense, if you are concerned about whether a certificate is correctly bound, then inspect the Security_Proxy log in C:\ProgramData\Qlik\Sense\Log\Proxy\Trace. An example of a success binding of a certificate to the Proxy will look like:
Does the Subject Alternative Name match?
Another important cause of this error is: the URL used in the browser does not match "Subject Alternative Name" in the certificate.
In most browsers, when verifying the website's identity, SubjectAlternativeName(SAN) is used first. If absent, then it falls back to Subject (or known as "Common Name" which is typically the same as "Issue to").
Since Google Chrome v58, this falling back behavior is dropped. So if an SAN does not match URL, or SAN does not exist at all, ERR_CERT_COMMON_NAME_INVALID error will happen.
Recommendation:
- Use the FQDN which align with the certificate
- Acquire a new certificate to include the appropriate SAN to match the URL which users will use to access Qlik Sense
- Have TLS versions/ciphers up to date. See SSL & TLS Support in QlikView - How to configure QlikView and TLS
Cause:
The FQDN does not align with the certificate.
Related Content:
Qlik Sense Hub and QMC with custom SSL certificate
How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate
Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC
Requirements for configuring Qlik Sense with SSL
Qlik Sense: Couldn't find a valid ssl certificate with thumbprint in Proxy logs, the third party cer...
