ilias_fytrakis
Partner - Contributor III

Qlik Sense - Certificate Trust - Certificates validity period

Dear all,

 

During a security penetration test performed on Qlik Sense Sept. 2018, we were informed that the validity period for the certificates used to provide trust between Qlik nodes within a site is 10 years. I know that we can recreate those certificates (e.g. when changing the host name of a server) by running the Repository executable with various parameters:

 

Example

repository.exe -bootstrap -iscentral -restorehostname 

 

Can we change the default validity period for those certificates? Is there any configuration file that controls the certificate creation process?

 

Thanks for your help,

iLiAS

We're entering a new world in which data may be more important than software.

Accepted Solutions
Levi_Turner
Employee

No, it is not possible. This style of ask (customizing the internal certificates used by Qlik Sense) has come up before, although primarily relating to the signing authority to be honest rather than the period of validity. I know folks from our Product side are keen on collecting use cases to help drive prioritization. I'd reach out to your account rep about the scenario and feel free to reference me so I can point them to the right people.


7 Replies
Giuseppe_Novello

I do not think there's a way to possibly do this.

BR

Gio

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
ilias_fytrakis
Partner - Contributor III
Author

Thank you both for your fast replies!

 

Best regards,

iLiAS

We're entering a new world in which data may be more important than software.
johnh
Partner - Creator

Hi Levi,

Thanks for your comments re the self-signed certs.

I have just run into a case where the client has highlighted the Self Signed Certs as a Security Vulnerability.

I logged it with Support and their answer was similar to yours.

Do you know if there is any move towards being able to sign these certs?

And maybe a stupid question (I am not really comfortable around certificates): is it possible to export the certs, get them signed by a CA and then replace the original certs with the signed ones?

 

Levi_Turner
Employee

> Do you know if there is any move towards being able to sign these certs?

Not that I've heard, no. But I haven't asked in a while.

> And maybe a stupid question (I am not really comfortable around certificates). Is it possible to export the Certs, get them signed by a CA and then replace the original certs with the signed ones.

No, that would not be possible. Qlik Sense Enterprise on Windows is looking for a specific entity on the certificate which would be modified by any fiddling to try to get it into compliance.

While I am sympathetic to why security teams consider self-signed certificates bad practice, the fact that these are scoped solely to internal traffic between services and that they are unique per site mollifies most concerns from the conversations that I have had with customers. And to be technical, they aren't self-signed. The server and client certs are generated from a trusted root. So there's a chain of trust for the certificates. It's just that the root isn't signed by a trusted party (i.e. an internal certificate authority or third party certificate vendor).

I'd encourage you to reach out to your partner manager about these concerns and reference me. I can help them navigate the folks inside of Qlik who can be helpful here.
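
Added example, not part of any post in this thread and not Qlik code: a PowerShell inventory an administrator could run when answering this kind of finding, listing each certificate's validity period and whether it is actually self-signed or issued from a private root, the distinction drawn in the reply above. The store paths and the two-year threshold are assumptions; the thread does not say which stores Qlik Sense uses.

```powershell
# Added example (not Qlik code). StorePaths and MaxYears are assumptions;
# point StorePaths at the stores your own deployment uses.
function Get-CertLifetimeReport {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\My',
                                  'Cert:\LocalMachine\Root',
                                  'Cert:\CurrentUser\My'),
        [double]$MaxYears = 2   # hypothetical policy limit for validity period
    )
    foreach ($path in $StorePaths) {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # Build the chain locally; no revocation lookups, so this runs offline.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($cert)
            $count   = $chain.ChainElements.Count
            # Topmost certificate Windows could find; a real root only if the chain is complete.
            $top = if ($count -gt 0) { $chain.ChainElements[$count - 1].Certificate.Subject } else { $null }
            $years = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                # Heuristic: a self-signed certificate names itself as issuer.
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                ChainTop      = $top
                ChainTrusted  = $chainOk   # true only if the root is in a trusted store
                NotAfter      = $cert.NotAfter
                DaysRemaining = ($cert.NotAfter - (Get-Date)).Days
                ValidityYears = $years
                ExceedsPolicy = ($years -gt $MaxYears)
            }
        }
    }
}

# List the longest-lived certificates first.
Get-CertLifetimeReport | Sort-Object ValidityYears -Descending | Format-List
```

A leaf with `SelfSigned = False` whose `ChainTop` is a root that only exists in the local store corresponds to the "chain of trust from a private root" case described above, while `ExceedsPolicy` flags long validity periods such as the 10 years reported in the original question.
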

johnh
Partner - Creator

Hi Levi,

Thanks for the quick answer. Appreciated.

karthikmedam
Contributor

Hello LeviTurner,

 

I am setting up the server with central/scheduler & rim/consumer node. Do you see an issue if the QlikClient certificate has a different expiration date than the other two certificates on the central node? (Not sure how that happened.) I am unable to unlock the certificates on the rim node. Just want to check if you see the difference in expiry dates as an issue that's causing it to not unlock on the rim node, before I go ahead & recreate the certificates on the central node.