Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Dec 11, 2023 10:20:39 AM
Aug 25, 2020 4:33:20 AM
There may be several different symptoms associated with a need to regenerate and redistribute certificates;
This article does not cover the use of a 3rd party certificate for end user Hub access, but the certificates used for communication between the Sense services. For recommendation on how to use a 3rd party certificate for end user access, see How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate
Do not perform the below steps in a production environment, without first doing a backup of the existing certificates. Certificates are being used to encrypt information in the QRS database, such as connection strings. By recreating certificates, you may lose information in your current setup.
By removing the old/bad certificates, and restarting the Qlik Sense Repository Service (QRS), the correct certificates can be recreated by the service. If trying to remove certs, only the removal steps need to be followed.
The instructions are to be carried out on the Qlik Sense Central Node. In the case of a multi-node deployment, verify which node is the central node before continuing.
If the current central node role is held by the failover, you need to fail the role back to the original central node by shutting down all the nodes (this implies downtime). Then start the original central node, reissue the certificates on it with this article, and when the central node is working apply the article Rim node not communicating with central node - certificates not installed correctly on each Rim node.
Test all data connections after the certificates are regenerated. It is likely that data connections with passwords will fail. This is because passwords are saved in the repository database with encryption. That encryption is based on a hash from the certificates. When the Qlik Sense signed certificates are regenerated, this hash is no longer valid, and the saved data connection passwords can not be decrypted. The customer must re-enter the passwords in each data connection and save. See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"
There is no need to perform a full reinstall to propagate new certificates. Certificates are created by the QRS automatically if not found during the service startup process.
The steps in this section must be performed after recreating certificates as described above.
Execute following query against SenseServices database:
DROP TABLE IF EXISTS hybrid_deployment_service.mt_doc_asymmetrickeysencrypt CASCADE;
Navigate to Deployments page of Multi-cloud Setup Console (MSC).
Delete and re-add any existing deployments by following the steps mentioned in Distributing apps from Qlik Sense Enterprise on Windows to Qlik Sense Enterprise SaaS and Distributing apps to Qlik Sense Enterprise on Kubernetes.
After the certificates have been recreated and then redistributed to all of the rim nodes, the node.js certificates stored locally on the central and all rim nodes also need to be recreated. Follow the below steps to perform this action:
Test all data connections after the certificates are rebuilt. It is likely that data connections with passwords will fail. This is because passwords are saved in the repository database with encryption. That encryption is based on a hash from the certs. When the Qlik Sense self-signed cert is rebuilt, this hash is no longer valid, and so the saved data connection passwords will fail. The customer must re-enter the passwords in each data connection and save. See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"
Notice if using an official Signed Server Certificate from a trusted Certificate Authority
The certificate information will also be in the QMC, under Proxies, with the Certificate thumbprint listed. If trying to merely remove all aspects of certs, this will need to be removed as well.
If the above does not work, see Qlik Sense Enterprise Hub and Qlik Management Console (QMC) down - bootstrap fails with "Newly creat...
I Tried This above New Solution the certificates in the personal got created new but I couldn't see qlik certificate in "Trusted Root Certification Authorities"
@Sonja_Bauernfeind
@Bjorn_Wedbratt
Hello @qlikthomas1
Verify that all services were correctly restarted. If the certificate still has not been created, review the Qlik Sense Repository Trace logs for possible errors: C:\ProgramData\Qlik\Sense\Log\Repository\Trace
All the best,
Sonja
Hello @Sonja_Bauernfeind @Bjorn_Wedbratt
I'm planning an upgrade from Qlik sense August 2022 to Qlik sense February 2024
I have an issue: i don't have the password for my qlik sense certificate so i can't do the backup (Export)
Is there any way to solve this issue ?
If i delete the certificate QlikClient and i run the command to generate automatically is it safe and will it solve my issue ?
I'm looking for a solution so i can back up my qlik sense environment
Thank you in advance.