We have a pfSense firewall which has a built-in CA. So my plan is to use this CA to create a certificate that I can deploy using GPO and then use it to run HTTPS on several internal websites, including QS. However, I can't seem to get it working.
First off, I'm pretty new to how certificates work but I'm trying to learn.
I have created a Root CA and a Subordinate CA on the firewall. I then exported the Root CA certificate and installed it on my local desktop machine. I then created a server certificate using the Subordinate CA. From pfSense I can then export the .crt file and I can export a .key file.
I then used openSSL.exe to merge these two into one file and imported it on the Qlik Sense server. I took the thumbprint and added it to the QS Proxy (as I have done on several customers before without any problem).
But when I load the page and check what certificate it uses, it looks like it still uses the self-signed cert (the CA seems to be the Sense server). So what am I doing wrong? Do I need to convert my certificates to a specific format or something?
Have a look at the Proxy security logs. (C:\ProgramData\Qlik\Sense\Log\Proxy)
They usually give an explanation of why a specific certificate can't be used, and why it has reverted to its self-signed one.
Ahh good one! Found this in the log:
Couldn't find a valid ssl certificate with thumbprint xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
But when I check my cert store (Local Computer -> Personal -> Certificates) it's there, and the thumbprint is correct.
So my conclusion is that my cert is not "valid"?
What constitutes a 'valid' cert is sort of outlined here:
If the private key isn't present it is usually stated in the logs, so there must be a different reason Sense doesn't like it.
Thank you Simon. I actually got a bit closer to the problem now.
I had to install the certificate for the root CA and the Sub CA. After that, the cert was identified OK and the services started OK. I was under the impression that if I trust the root CA, then all sub-certs would be automatically trusted?
However, I still cannot get it to work. When I connect to the site, I get the error:
"Mismatched Address. The security certificate presented by this website was issued for another server".
I added several names including the IP address. The IP address works, but the name doesn't.
So it looks like the subject alternative name works. But the CN does not.
A quick update. I got everything working when I added my URL as secondary. The primary CN did not work. Now on to try to get it to work with NPrinting.
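
A diagnostic for the three failures hit in this thread (thumbprint reported as not valid, chain not building until the Sub CA was installed, name mismatch), as an added example that is not part of the original posts or Qlik's own tooling. The function name `Test-ServerCertificate` and the host name in the usage comment are hypothetical, and the SAN parsing assumes an English-language Windows where the extension formats as `DNS Name=` / `IP Address=`.

```powershell
# Added example: inspect a certificate in LocalMachine\My by thumbprint.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,  # as pasted, spaces allowed
        [Parameter(Mandatory)][string]$HostName     # name or IP typed in the browser
    )
    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible leading character, so keep only the hex digits.
    $tp   = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\My" }

    # Build the chain as Windows would. Revocation is skipped because an
    # internal CA may not publish a reachable CRL. A missing intermediate
    # (Sub CA) certificate shows up here as PartialChain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Subject Alternative Name extension (OID 2.5.29.17). When it is present,
    # clients match the URL against its entries and do not fall back to the CN.
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText  = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $sanNames = @([regex]::Matches($sanText, '(?:DNS Name|IP Address)=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Exact, case-insensitive comparison only; wildcard entries are not expanded.
    $nameOk = if ($sanExt) { $sanNames -contains $HostName } else { $cn -eq $HostName }

    [pscustomobject]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainLength   = $chain.ChainElements.Count
        CommonName    = $cn
        SanNames      = $sanNames -join ', '
        NameMatches   = $nameOk
    }
}

# Usage (placeholder values):
# Test-ServerCertificate -Thumbprint 'xx xx xx ...' -HostName 'qlik.example.internal'
```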