Aivisla_Essent
Contributor II

Qlik Sense enterprise SSL certificates without clientAuth (1.3.6.1.5.5.7.3.2)

Hi,

It's time to renew the Qlik Sense SSL certificates, but DigiCert (the vendor we're using) has introduced some changes and the certificates cannot be requested with clientAuth (1.3.6.1.5.5.7.3.2) anymore. You can read more on this here:
Sunsetting the client authentication EKU from DigiCert public TLS certificates

Going with the standard TLS / SSL certificate doesn't work for Qlik Sense anymore, as the imported certificate is missing the clientAuth and also the private key, leading to the site being reported as insecure by any browser.

What is the solution for this?

8 Replies
Eduardo_Monteiro
Partner - Creator

Hi @Aivisla_Essent 

Have you tried the standard public TLS from DigiCert? The certificate only needs serverAuth EKU. The Standard Public TLS should work in your case.

Until March 1, 2027, DigiCert's CertCentral includes EKU options allowing you to explicitly request both Server Authentication and Client Authentication EKUs in a single public certificate — but you must proactively select this option during enrollment. This is a temporary workaround that buys time until the hard cutoff. Check Extended key usage (EKU) options

Regards,

Eduardo Monteiro - Senior Support Engineer @ IPC Global
Follow me on my LinkedIn | Know IPC Global at ipc-global.com

Aivisla_Essent
Contributor II
Author

Hi @Eduardo_Monteiro ,

yes, I tried the standard one and it didn't work because the Windows machine doesn't recognize the private key for it. The old workaround is still working, but it will be removed.

Eduardo_Monteiro
Partner - Creator

Can you please confirm the following:

Grant private key permissions to the Qlik service account: an admin needs to add read access to the certificate's private key for the group Qlik Sense service users when the proxy is running with a user without admin privileges.

Check this article: How to change the Qlik Sense Proxy certificate if ... - Qlik Community - 1716657

Eduardo Monteiro - Senior Support Engineer @ IPC Global
Follow me on my LinkedIn | Know IPC Global at ipc-global.com

Aivisla_Essent
Contributor II
Author

All the admin accounts have access to the private key and you can add a user via "Manage private keys", but only for the installed certificates that have private keys.
For the standard TLS/SSL requested now via DigiCert that option is not even available, obviously because the certificate is different and somehow the private key is not recognized on the machine.

Aivisla_Essent
Contributor II
Author

I managed to fix it using DigiCertUtil. After importing the certificate you run the utility and press "repair the certificate". That action somehow fixes the private key, although when you open the installed and fixed certificate it still doesn't show that you have a private key for it. Then you can just update the thumbprint in the Qlik Sense proxy settings and the site is reported secure.

Eduardo_Monteiro
Partner - Creator

So the Standard Public TLS works?!

Thanks for sharing!

Eduardo Monteiro - Senior Support Engineer @ IPC Global
Follow me on my LinkedIn | Know IPC Global at ipc-global.com

Aivisla_Essent
Contributor II
Author

Yes, the standard external TLS/SSL is also accepted, of course only after fixing it with DigiCertUtil :). That tool seems to be very useful. You can even export the certificate with it, including the private key, as .pfx, which is necessary to be able to extract the private key for the NPrinting certificate for example, but Windows still doesn't see and report the private key for the certificate in the Microsoft Management Console, which I've always used to manage the certificates.

finmark21
Contributor


@Aivisla_Essent wrote:

Hi,

it's time to renew the Qlik Sense SSL certificates, but the Digicert (the vendor) we're using has introduced some changes and the certificates cannot be requested with clientAuth (1.3.6.1.5.5.7.3.2) anymore. You can read more on this here:
Sunsetting the client authentication EKU from DigiCert public TLS certificates myhtspace

Going with the standard TLS / SSL certificate doesn't work for Qlik Sense anymore as the imported certificate is missing the clientAuth and also the private key leading to unsecure site reported by any browser.

What is the solution for this?


DigiCert no longer issuing certs with clientAuth EKU is expected, since public TLS certs are now serverAuth only. For Qlik Sense, you’ll need to use either internally generated certificates (QMC) or issue from a private/internal CA that supports clientAuth. Public CA certs are fine for front-end HTTPS, but mutual auth between services requires clientAuth-enabled certs. So the workaround is to split use: public cert for users, internal CA certs for Qlik services.
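
A pre-flight check for the situation discussed in this thread, added here as an example and not code from any of the posters, Qlik or DigiCert: it reports whether a certificate in the LocalMachine\My store carries the serverAuth and clientAuth EKUs and whether Windows has a private key linked to it, before the thumbprint goes into the proxy settings. The function name and the all-zero thumbprint are placeholders; the commented `certutil -repairstore` line is Windows' built-in key re-association, and that it is comparable to the DigiCertUtil repair described above is an assumption.

```powershell
# Added example. Run in an elevated PowerShell session on the Qlik Sense node.
function Test-ProxyCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # the EKU being removed from public TLS certs

    # Thumbprints copied from the certificate dialog often carry spaces or
    # invisible characters; keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    if (-not $cert) { throw "Thumbprint $clean not found in LocalMachine\My" }

    # Read the EKU OIDs from the extension itself. No EKU extension at all
    # means the certificate is not restricted to particular usages.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        Thumbprint    = $clean
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        EkuPresent    = [bool]$eku
        ServerAuth    = (-not $eku) -or ($oids -contains $serverAuth)
        ClientAuth    = (-not $eku) -or ($oids -contains $clientAuth)
    }
}

# Placeholder thumbprint (constructed); replace with the imported certificate's.
$result = Test-ProxyCertificate -Thumbprint ('0' * 40)
$result | Format-List

if (-not $result.ServerAuth) {
    Write-Warning 'No serverAuth EKU: browsers will not accept this for HTTPS.'
}
if (-not $result.HasPrivateKey) {
    Write-Warning 'No private key linked to this certificate in the store.'
    # If the CSR was generated on this machine, Windows can re-link the key:
    #   certutil -repairstore my $result.Thumbprint
}
```

With the placeholder thumbprint the function throws "not found", which is the expected result until a real thumbprint is supplied.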