Solved: Re: How can I manage client-certificates used for ... - Qlik Community

grangerats · ‎2016-08-29

I've gotten the qlik-auth-net AuthenticationModuleDemo working; I can login as needed using Tickets. However, now I'd like to use a different SSL certificate than the "QlikClient" certificate that QlikSense 3.0.1 generates via the QMC's "Certificates" export page. At the very least, I need to be able to revoke a certificate that QlikSense has already exported. Am I going to have to do something like manually connect into Postgres, find the table where it stores the cert info, and delete things?

Also, on a tangent, what's with the certificate export page's requirement to enter a "machine name"? It's only used to name the folder where it saves the "client.pfx", "root.cer", and "server.pfx" files. It doesn't get used for anything else (I'm currently using an exported cert on a machine that's named different than what I told QlikSense).

grangerats · ‎2016-10-06

My conclusion is that there is only one way to revoke a certificate that is valid in a Qlik Sense API call: You must change your instance's Certificate Authority cert. That means that if one is ever compromised, anywhere, you must change your entire Qlik Sense installation instead of just revoking the single, compromised certificate. Too bad for you if you have a complicated, multi-node installation.

I came to this conclusion because I just had to reinstall Qlik Sense 3.1. I chose to keep the already-installed CA cert, but then I manually went through the c:\Program Data\Qlik\Sense directory and deleted everything (I also checked over in Program Files). After install, I got right into the API without changing anything on the client machine I was using to test API calls. That tells me that all Qlik looks for is a cert that's signed by its custom CA cert and has CN="QlikClient". Though, if the sample code in qlik-auth-net is any indication, it might actually be looking for X509Certificate2.FriendlyName = "QlikClient" rather than parsing the Subject using X509Certificate2.GetNameInfo(X509NameType.DnsName, false) as it ought.

View solution in original post

grangerats · ‎2016-10-06

My conclusion is that there is only one way to revoke a certificate that is valid in a Qlik Sense API call: You must change your instance's Certificate Authority cert. That means that if one is ever compromised, anywhere, you must change your entire Qlik Sense installation instead of just revoking the single, compromised certificate. Too bad for you if you have a complicated, multi-node installation.

I came to this conclusion because I just had to reinstall Qlik Sense 3.1. I chose to keep the already-installed CA cert, but then I manually went through the c:\Program Data\Qlik\Sense directory and deleted everything (I also checked over in Program Files). After install, I got right into the API without changing anything on the client machine I was using to test API calls. That tells me that all Qlik looks for is a cert that's signed by its custom CA cert and has CN="QlikClient". Though, if the sample code in qlik-auth-net is any indication, it might actually be looking for X509Certificate2.FriendlyName = "QlikClient" rather than parsing the Subject using X509Certificate2.GetNameInfo(X509NameType.DnsName, false) as it ought.

How can I manage client-certificates used for Ticket API authentication?