Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Not applicable

Change SSL Certificate for Qlik Sence Service API

Hello,

we need to change the SSL certificate used by Qlik Sense for its REST service API (QRS and QPS).

The "security" section of the proxy settings in QMC contains an SSL certificate thumbprint but that only seems to apply to the connections of web browsers to the QMC and Hub but not the REST service calls we also use.

Our use case is that we'd like to install Qlik Sense on an Amazon Web Services system with our own software on another AWS system.

Here, each system has a publicly accessible hostname and an internally known one.

The certificates that Qlik generates itself are issued to the internal hostname and thus when accessed from the outside via the public hostname are considered invalid. Changing the SSL certificate thumbprint to one matching the public hostname only affects the connections with the browser but our REST calls fail because the certificate used there is still issued to the internal hostname.

Is there a way to change those SSL certificates as well or tell Qlik to generate them issued to a specific hostname (instead of the one it figures out itself)?

Kind Regards,

Ulf Liller

1 Reply
Not applicable

Re: Change SSL Certificate for Qlik Sence Service API

Ulf,

I'm researching this in the help and it looks like the QRS requires the client certificate generated at install or exporting through the QMC.

It's possible that the self-signed certs are used throughout the internal communications in a Qlik Sense deployment.  The SSL thumbprint is used to validate external connections to the proxy.  It appears from the documentation that QRS happens behind the proxy in all cases which may use the self-signed certs.  Therefore, you have to use the QlikClient cert to allow the inner workings of the Qlik Sense deployment to trust your external request.

I have a theory about making a QRS request work with your server cert instead of the self-signed client cert by performing the following:

  1. Connect https://%senseServer%:4243/qps/%virtualProxy%/ticket.  Use the server cert to obtain a ticket.  Here is a .Net sample, and yes it uses QlikClient cert, but you can supply the server cert here. http://help.qlik.com/sense/en-us/developer/#../Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/Pr...
  2. Use the obtained ticket to connect to https://%senseServer%/%virtualProxy/qrs/<path>?xrfkey=...&qlikticket=<obtainedQlikTicket>.  This is going to authorize you to the QRS and get you a session.

I have to test to verify this will work.

Community Browser