How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub

Bjorn_Wedbratt
Former Employee

Last Update:

Dec 11, 2023 10:20:39 AM

Updated By:

Sonja_Bauernfeind

Created date:

Aug 25, 2020 4:33:20 AM

 

Several different symptoms can indicate a need to regenerate and redistribute certificates:

  • After installing, renewing, or changing a third-party certificate for use with Qlik Sense the Qlik Management Console (QMC) and Hub may become inaccessible leading to Page Cannot Be Displayed error.

    This article does not cover the use of a 3rd party certificate for end user Hub access, but the certificates used for communication between the Sense services. For recommendation on how to use a 3rd party certificate for end user access, see How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate
  • In the Qlik Sense Proxy trace logs, the last line may be indicating waiting for certificates to be installed or similar. In addition, even though Proxy service remains running, port 443 (by default) will fail to bind and start listening for requests.

  • Qlik Sense may sometimes fail to create the correct certificates during installation if there are old/unused certificates left from a previous installation. Also, certificates can become corrupted, or newly installed certificates configured to be used may not be compatible. See Qlik Sense: Compatibility information for third-party SSL certificates and Requirements for configuring Qlik Sense with SSL.

Do not perform the steps below in a production environment without first backing up the existing certificates. Certificates are used to encrypt information in the QRS database, such as connection strings. By recreating certificates, you may lose information in your current setup.

By removing the old/bad certificates and restarting the Qlik Sense Repository Service (QRS), the correct certificates can be recreated by the service. If you only want to remove certificates, only the removal steps need to be followed.

The instructions are to be carried out on the Qlik Sense Central Node. In the case of a multi-node deployment, verify which node is the central node before continuing.

  1. Open Qlik Sense Management Console (QMC)
  2. Navigate to Nodes section
  3. Add the Central Node column through the Column selector

If the current central node role is held by the failover, you need to fail the role back to the original central node by shutting down all the nodes (this implies downtime). Then start the original central node, reissue the certificates on it with this article, and when the central node is working apply the article Rim node not communicating with central node - certificates not installed correctly on each Rim node.

 

Step by Step instructions:

Test all data connections after the certificates are regenerated. It is likely that data connections with passwords will fail. This is because passwords are saved in the repository database with encryption. That encryption is based on a hash from the certificates. When the Qlik Sense signed certificates are regenerated, this hash is no longer valid, and the saved data connection passwords cannot be decrypted. The customer must re-enter the passwords in each data connection and save. See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"

  1. Log on to the Central node using the Qlik Service Account and navigate to the 'Services' and to the Qlik Services.

  2. Stop the QRS (this will also stop the other services; however, make sure the postgresql-64-12 or Qlik Sense Repository Database is still running).

  3. Open Microsoft Management Console (MMC). 

    Important: Execute the MMC as the account configured to run the services (using Run as a different user [Ctrl-Shift & Right click on the exe to see option]... )

  4. Add the following snap-ins for Certificates:

    • My user account
    • Local Computer account

  5. In Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, delete the Self-Signed certificates created by Qlik Sense, issued by HOSTNAME.domain-CA*

    *Where HOSTNAME is the machine name of the server in question and domain is the domain of the server.
    So for example, QlikServer1 is the computer hostname and the domain is domain.local, the certificate will be issued by QlikServer1.domain.local-CA
     
  6. In Certificates (Local Computer) > Personal > Certificates, delete the Self-Signed certificate issued by HOSTNAME.domain-CA

  7. In Certificates > Current User > Personal > Certificates, delete the Self-Signed certificate named QlikClient
     
  8. Go to the folder C:\ProgramData\Qlik\Sense\Repository, delete the folder 'Exported Certificates'

  9. Run this command from an elevated (admin) command prompt to create new certificates:

    "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname 

    Note:
    If the script doesn't get to "Bootstrap mode has terminated. Press ENTER to exit.." and gets stuck at "[INFO] Entering main startup phase..", start the "Qlik Sense dispatcher service" and it will get to the end.

  10. Verify the new certificates have been created by REFRESHING the screen for each certificate location, and then start the rest of the Qlik Sense services. In addition, verify that duplicate or multiple certificates were not created (rarely occurs). If so, the article will need to be followed again by starting with the deletion of the certificates.


There is no need to perform a full reinstall to propagate new certificates. Certificates are created by the QRS automatically if not found during the service startup process.
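
The backup called for before deletion and the check in step 10 can be scripted. The following PowerShell is an added example, not part of the original article or of Qlik's tooling; the parameter names and backup directory are assumptions. Run it as the Qlik service account so that the Current User store is that account's store.

```powershell
# Added example: inventory (and optionally back up) the certificates in the
# three stores named in steps 5-7, and flag duplicates as described in step 10.
param(
    [Parameter(Mandatory)] [string]$IssuerCN,        # e.g. QlikServer1.domain.local-CA
    [string]$BackupDir = 'C:\Temp\QlikCertBackup',   # hypothetical backup location
    [switch]$Backup
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

# Collect certificates issued by HOSTNAME.domain-CA, plus the QlikClient certificate.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.GetNameInfo('SimpleName', $true)  -eq $IssuerCN -or
        $_.GetNameInfo('SimpleName', $false) -eq 'QlikClient'
    } | Add-Member -NotePropertyName Store -NotePropertyValue $store -PassThru
}

$found | Sort-Object Store, Subject |
    Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

# Step 10 check: more than one certificate with the same subject in one store.
$found | Group-Object Store, Subject | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Duplicate certificates: $($_.Name) ($($_.Count) copies)"
}

if ($Backup) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $pfxPassword = Read-Host -AsSecureString -Prompt 'Password for PFX backups'
    foreach ($cert in $found) {
        $storeTag = $cert.Store -replace '[:\\]+', '_'
        $base = Join-Path $BackupDir ("{0}_{1}" -f $storeTag, $cert.Thumbprint)
        # Public certificate always; private key only if present and exportable.
        Export-Certificate -Cert $cert -FilePath "$base.cer" | Out-Null
        if ($cert.HasPrivateKey) {
            try {
                Export-PfxCertificate -Cert $cert -FilePath "$base.pfx" `
                    -Password $pfxPassword -ErrorAction Stop | Out-Null
            } catch {
                Write-Warning "Private key not exported for $($cert.Thumbprint): $($_.Exception.Message)"
            }
        }
    }
}
```

Run it with `-Backup` before step 5, then again without it after step 9: an empty table before bootstrap confirms the deletions, and a duplicate warning afterwards means the deletion steps must be repeated.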

 

For Qlik Sense multi-cloud deployment (September 2020 or later):

The steps in this section must be performed after recreating certificates as described above.
  1. Start Qlik Sense Repository Database service on CENTRAL NODE, or PostgreSQL Server service if running a dedicated instance of PostgreSQL database server.

  2. Using pgAdmin tool or any other database client, connect to SenseServices database. (IMPORTANT: the below query needs to be executed on the SenseServices DB)

  3. Execute following query against SenseServices database:

    DROP TABLE IF EXISTS hybrid_deployment_service.mt_doc_asymmetrickeysencrypt CASCADE;

     

  4. Navigate to Deployments page of Multi-cloud Setup Console (MSC).

  5. Delete and re-add any existing deployments by following the steps mentioned in Distributing apps from Qlik Sense Enterprise on Windows to Qlik Sense Enterprise SaaS  and Distributing apps to Qlik Sense Enterprise on Kubernetes.

 

Node.js certificates

After the certificates have been recreated and then redistributed to all of the rim nodes, the node.js certificates stored locally on the central and all rim nodes also need to be recreated. Follow the below steps to perform this action:

  1. Stop all Qlik Sense services

  2. In Windows File Explorer, navigate to %ProgramData%\Qlik\Sense\Repository\Exported_certificates

  3. Back up the Local certificates directory and then delete it

  4. Restart the Qlik Sense services
Test all data connections after the certificates are rebuilt.  It is likely that data connections with passwords will fail.  This is because passwords are saved in the repository database with encryption.  That encryption is based on a hash from the certs.  When the Qlik Sense self-signed cert is rebuilt, this hash is no longer valid, and so the saved data connection passwords will fail.  The customer must re-enter the passwords in each data connection and save.  See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"

 

Self Signed Certificates:

Notice if using an official Signed Server Certificate from a trusted Certificate Authority

The certificate information will also be in the QMC, under Proxies, with the Certificate thumbprint listed. If trying to merely remove all aspects of certs, this will need to be removed as well.

  1. Go to Proxies 

  2. Select your Proxy and click Edit

  3. In the right pane, select Security

  4. Scroll down and locate "SSL browser certificate thumbprint" in the Security section to find the thumbprint info.

 

If the Central Node repository service is hanging in the logs:

  1. Open C:\ProgramData\Qlik\Sense\Log\Repository\Trace

  2. Look for a line such as "API service initialized with 1501 available methods". This indicates a Central Node.

  3. If you see a line such as "API service initialized with 2 available methods", this is a Rim node.

  4. For the Central Node you should see, as an example, "API service initialized with 1501 available methods".

  5. Running the command "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname will resolve this issue.

If the above does not work, see Qlik Sense Enterprise Hub and Qlik Management Console (QMC) down - bootstrap fails with "Newly creat...

Comments
QFabian
Specialist III

Thanks @Bjorn_Wedbratt, another good tip

diagonjope
Partner - Creator II

Hi @Bjorn_Wedbratt ,

First of all, thanks for these instructions.

I've noticed that the instructions in the text description add the snap-ins for both Current User and Local Computer, but the video instructions only use certificates from the Current User section. Is this just enough? Are the certificates in the Local Computer section just copies of the ones in the Current User section that are copied during the certificate regeneration process?

Please advise - also, please tag my user name so that I get a msg when you reply.

Cheers,

++José

Sonja_Bauernfeind
Digital Support

Hello @diagonjope 

Let me look into this for you. I will get back to you once I received clarification and gave this a test.

All the best,
Sonja 

Sonja_Bauernfeind
Digital Support

Hello @diagonjope 

We have confirmed that you're required to delete the certificates in both stores: Current User and Local Computer.

All the best,
Sonja 

diagonjope
Partner - Creator II
Thank you Sonja!
Purushothaman
Partner - Creator III

Hi @Sonja_Bauernfeind,

For stopping services during bootstrap, should the Qlik Sense Service Dispatcher be stopped or continue to run?

Thank you!

 

 

Sonja_Bauernfeind
Digital Support

Hello @Purushothaman 

The note we have regarding the Dispatcher is: If the script doesn't get to "Bootstrap mode has terminated. Press ENTER to exit.." and gets stuck at "[INFO] Entering main startup phase.." start the "Qlik Sense dispatcher service" and it will get to the end.

I hope this helps!

Otherwise, the service should be stopped.

All the best,
Sonja 

stevejoyce
Specialist II

In my Qlik site, the "issued by" computer of the root certificate is not one of the central node candidates; I assume at some point it was and was configured out.

Am I safe to perform these steps on the current active central node? Or do I need to re-elevate the old computer back as a failover candidate and fail over to it?

stevejoyce
Specialist II

@Sonja_Bauernfeind - If you can please take a look at my last post, greatly appreciated.

Sonja_Bauernfeind
Digital Support

Hello @stevejoyce 

There is currently not enough information available for Qlik to be able to respond accurately. 

Please gather the following information and post directly in the Deployment and Management forum where our active support agents and Qlik peers can assist:

  • Setup information (central node, rim nodes)
  • Versions of Qlik Sense used
  • Details about the scenario (which node is your central node, details about the certificates having been issued)
  • Issues you are seeing and which you are looking to resolve or what you are otherwise attempting to correct or achieve
  • Possible errors

All the best,
Sonja 
