Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Qlik Sense - Certificate Trust - Certificates validity period

Dear all,

During a security penetration test performed on Qlik Sense Sept. 2018, we were informed that the validity period for the certificates used to provide trust between Qlik nodes within a site is 10 years. I know that we can recreate those certificates (e.g. when changing the host name of a server) by running the Repository executable with various parameters:

Example

repository.exe -bootstrap -iscentral -restorehostname

Can we change the default validity period for those certificates? Is there any configuration file that controls the certificate creation process?

Thanks for your help,

iLiAS

We're entering a new world in which data may be more important than software.

Accepted Solutions
Employee

Re: Qlik Sense - Certificate Trust - Certificates validity period

No, it is not possible. This style of ask (customizing the internal certificates used by Qlik Sense) has come up before, although primarily relating to the signing authority to be honest rather than the period of validity. I know folks from our Product side are keen on collecting use cases to help drive prioritization. I'd reach out to your account rep about the scenario and feel free to reference me so I can point them to the right people.

6 Replies

Re: Qlik Sense - Certificate Trust - Certificates validity period

I do not think there's a way to possibly do this.

BR

Gio

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
Partner

Re: Qlik Sense - Certificate Trust - Certificates validity period

Thank you both for your fast replies!

Best regards,

iLiAS

We're entering a new world in which data may be more important than software.
Partner

Re: Qlik Sense - Certificate Trust - Certificates validity period

Hi Levi,

Thanks for your comments re the self signed certs.

I have just run into a case where the client has highlighted the Self Signed Certs as a Security Vulnerability.

I logged it with Support and their answer was similar to yours.

Do you know if there is any move towards being able to sign these certs?

And maybe a stupid question (I am not really comfortable around certificates). Is it possible to export the Certs, get them signed by a CA and then replace the original certs with the signed ones.

Employee

Re: Qlik Sense - Certificate Trust - Certificates validity period

> Do you know if there is any move towards being able to sign these certs?

Not that I've heard, no. But I haven't asked in a while.

> And maybe a stupid question (I am not really comfortable around certificates). Is it possible to export the Certs, get them signed by a CA and then replace the original certs with the signed ones.

No, that would not be possible. Qlik Sense Enterprise on Windows is looking for a specific entity on the certificate which would be modified by any fiddling to try to get it into compliance.

While I am sympathetic to why security teams consider self-signed certificates bad practice, the fact that these are scoped solely to internal traffic between services and that they are unique per site mollifies most concerns from the conversations that I have had with customers. And to be technical, they aren't self-signed. The server and client certs are generated from a trusted root. So there's a chain of trust for the certificates. It's just that the root isn't signed by a trusted party (i.e. an internal certificate authority or third party certificate vendor).

I'd encourage you to reach out to your partner manager about these concerns and reference me. I can help them navigate the folks inside of Qlik who can be helpful here.
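
To check the points raised in this thread on an actual Windows node, the following added PowerShell example (not from the thread or from Qlik) lists each certificate in a store with its issued validity period, whether subject and issuer match, and which root its chain ends in. The store path and the two-year threshold are assumptions; set them to the store and policy that apply to your deployment.

```powershell
# Added example: audit one Windows certificate store for long validity
# periods and for how each certificate's chain ends.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',  # assumption: adjust to the store in use
    [int]$MaxYears = 2                              # assumption: your policy's limit
)

function Get-CertValidityAudit {
    param([string]$Path, [int]$MaxYears)

    $noCheck = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $certs = Get-ChildItem -Path $Path |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }

    foreach ($cert in $certs) {
        # Validity period as issued, independent of how much of it has elapsed.
        $years = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)

        # Build the chain against this machine's trust stores, without revocation lookups.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = $noCheck
        $chainOk = $chain.Build($cert)
        $count = $chain.ChainElements.Count
        # Last element is the top of the chain (the root, when one was found).
        $root = if ($count -gt 0) { $chain.ChainElements[$count - 1].Certificate.Subject } else { '' }
        $chain.Reset()

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SelfIssued    = ($cert.Subject -eq $cert.Issuer)  # name comparison only
            ValidityYears = $years
            OverPolicy    = ($years -gt $MaxYears)
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ChainRoot     = $root
            ChainValid    = $chainOk   # trust as seen by this machine only
        }
    }
}

Get-CertValidityAudit -Path $StorePath -MaxYears $MaxYears |
    Sort-Object ValidityYears -Descending |
    Format-Table -AutoSize
```

A row with SelfIssued false and a ChainRoot different from its Subject is a certificate issued from a root rather than a self-signed one; ChainValid only tells you whether that root is trusted on the machine where the script runs.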

Partner

Re: Qlik Sense - Certificate Trust - Certificates validity period

Hi Levi,

Thanks for the quick answer. Appreciated.