Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

gustavgager
Contributor II

Create HTTPS cert with internal CA

Hi there.

We have a PFsense Firewall wich does have a build in CA. So my plan is to use this CA to create a certificate that i can deploy using GPO and then use it to run HTTPS on several internal websites, inlcuding QS. However i cant seem to get it working.

First of, im pretty new to how certificates work but im trying to learn.

I have created a Root-CA and a Suborinate-CA on the firewall. I then exported the root-CA certificate and installed on my local desktop machine. I then created a server-certificate using the subordinate CA. From pfsense i can then export the crt file and i can export an .key file.

I the used openSSL.exe to merge theese two into one file and imported in on the qliksense server. I took the thumbprint and added it to the QS Proxy (as i have done on several customers befor without any problem).

But when i load the page and check what certificate it uses. It looks like its still uses the serlf-signed cert (The CA seems to be the sense-server). So what am I doing wrong? Do i need to convert my certificates to a specific format or something?

1 Solution

Accepted Solutions
simon_minifie
Contributor III

Re: Create HTTPS cert with internal CA

Have a look at this post:

Sense unable to locate a ssl certificate

Same error as you're seeing.

7 Replies
simon_minifie
Contributor III

Re: Create HTTPS cert with internal CA

Hi Gustav,

Have a look at the Proxy security logs. (C:\ProgramData\Qlik\Sense\Log\Proxy)

They usually give an explanation of why a specific certificate can't be used, and why it has reverted to its self-signed one.

Best regards,

Simon

gustavgager
Contributor II

Re: Create HTTPS cert with internal CA

Ahh good one! Found this in the log:

Couldn't find a valid ssl certificate with thumbprint xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

But when i check my cert-store (local computer->personal->certificates) its there, and the Thumbprint is correct.

So my conclusion is that my cert is not "valid"?

simon_minifie
Contributor III

Re: Create HTTPS cert with internal CA

Hi Gustav,

What constitutes a 'valid' cert is sort of outlined here:

https://help.qlik.com/en-US/sense/September2017/Subsystems/ManagementConsole/Content/change-proxy-ce...

If the private key isn't present it is usually stated in the logs, so there must be a different reason Sense doesn't like it.

Thanks,

Simon

simon_minifie
Contributor III

Re: Create HTTPS cert with internal CA

Have a look at this post:

Sense unable to locate a ssl certificate

Same error as you're seeing.

gustavgager
Contributor II

Re: Create HTTPS cert with internal CA

Yes i have imported a key. If i open the Cert i certmanager it say that i have a private key that works with this certificate.

gustavgager
Contributor II

Re: Create HTTPS cert with internal CA

Thank you Simon. I actually got a bit closer to the problem now.

I had do install the certificate for the root CA and the Sub CA. After that, the cert was identified OK and the services started OK. I was under the impression that if i trust the root CA, then all sub.certs would be automaticly trusted?

However i still cannot get it to work. When i connect to the site, i get the error:

"Missmacthed Adress. The security certificate presented by this website was issued for another server".

I added several names including the IP adress. The IP adress works, but the name doesnt

So it looks like the subject alternative name forks. But the CN does not

gustavgager
Contributor II

Re: Create HTTPS cert with internal CA

A quick update. I got everything working when i added my URL as secondary. The primary CN did not work. Not on to try to get it to work with Nprinting