How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate
How to change the certificate used by Qlik Sense Hub and QMC?
By default, a self-signed certificate is used to secure communication between the web browser (client) and the Proxy. This results in a warning in the client web browser such as "The site's security certificate is not trusted" (Chrome) or "This Connection is Untrusted" (Firefox).
To establish a secure https connection, the browser must trust the SSL/TLS certificate installed on the server. In the case of self-signed certificates, the signing Certificate Authority is not trusted, hence no certificates generated by the CA are trusted.
Note 1: A third-party certificate can be purchased and installed, or issued by a private CA. This certificate does not replace the existing Sense certificates. These steps do NOT require the deletion of any existing Sense certificates. Deleting the Qlik Sense generated certificates may damage the system by breaking service communication.
Note 2: Before getting started, ensure that the new certificate issued by the specific CA is compatible with Qlik Sense. See Qlik Sense: Compatibility information for third-party SSL certificates.
Note 3: In addition, it is highly recommended to enable HTTP, at least temporarily, in case any issue breaks HTTPS connections.
To resolve this issue, it is recommended that the certificate used for communication between the web browser (client) and the proxy be replaced with a signed server certificate from a trusted Certificate Authority. The following steps need to be performed to accomplish this.
Obtain a valid signed server certificate matching the Proxy node URL from a trusted Certificate Authority (such as VeriSign, GlobalSign or a trusted Enterprise CA), or a wildcard certificate (e.g. *.domain.com) matching the domain of the Proxy node URL. Warning for iOS: trusted Enterprise CAs are not supported; refer to the article "iOS devices cannot open QlikSense Apps on the HUB".
Import the above certificate into Windows Local Computer Certificate Store
Obtain the thumbprint for the above certificate
Configure the Proxy node to use the above certificate
Note: The certificate itself must contain the private key, regardless of the Qlik Sense version, and the key needs to have been marked as "Exportable" (i.e. the setting "Mark this key as exportable..."). You can verify that a key is present by reviewing the certificate in the MMC.
Import the certificate
Log on as the Qlik Service account or switch to the Qlik Service account.
Launch Microsoft Management Console (mmc.exe) on the Proxy node
In the MMC, go to File > Add / Remove Snap-in...
Select Certificates and click Add
Select Computer account, click Next, select Local computer and click Finish
In the MMC, go to Certificates (Local Computer)/Personal
In the MMC, go to Actions > All Tasks > Import...
Browse to the certificate file provided to you from your CA
Follow the instructions on the screen to import the certificate, including the private key. At the "Certificate Store" window, select "Automatically select the certificate store based on the type of certificate"
Verify the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key
Double-click the Certificate > Certification Path and confirm it shows "This certificate is OK"
Warning: You must make sure that the certificate is available to the account that is running the Qlik Sense services. The best way to do this is to run the MMC as the service account (not a local user or admin account) and check that the certificate is visible in Personal > Certificates. If you are running the services as Local System, you can use a tool such as PsExec to run the MMC as Local System and check that the certificate is available.
Locate the Certificate thumbprint
In the MMC, right-click the imported certificate above and select Open
On the Details tab, scroll down and select Thumbprint
Mark/highlight the thumbprint hash and press CTRL+C to copy the hash to the clipboard
Paste the hash in Notepad
In some circumstances, there are non-Unicode characters, which should become apparent when pasting into Notepad
In some circumstances, you need to remove all spaces in the thumbprint (use the Replace function)
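An added PowerShell example (not part of the original article or Qlik's own tooling) covering the checks above: it strips spaces and invisible characters from a thumbprint pasted from the MMC, then confirms that the certificate is in Local Computer > Personal with a private key and a valid chain. Run it on the Proxy node as the Qlik Sense service account; the function names and the sample thumbprint are constructed for illustration.

```powershell
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # Keep hex digits only: removes spaces and any invisible characters
    # that come along when copying from the MMC Details tab.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }
    $clean
}

function Get-ProxyCertificateReport {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp   = ConvertTo-CleanThumbprint $Thumbprint
    # Cert:\LocalMachine\My is Certificates (Local Computer) > Personal in the MMC.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) {
        throw "No certificate with thumbprint $tp in Local Computer > Personal."
    }
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        # DnsNameList is added by the PowerShell certificate provider.
        DnsNames      = $cert.DnsNameList.Unicode -join ', '
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # must be True for the Proxy
        ChainIsValid  = $cert.Verify()        # True when the chain validates on this machine
    }
}

# Constructed sample: a thumbprint as pasted from the MMC, with a leading
# invisible U+200E character and spaces. Replace it with your own value.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"

# Cleaned value, ready for the "SSL browser certificate thumbprint" field.
ConvertTo-CleanThumbprint $pasted

# With a real thumbprint, report on the imported certificate:
# Get-ProxyCertificateReport $pasted
```

If HasPrivateKey or ChainIsValid is False, or the certificate is not found when the script runs as the service account, fix the import before changing the Proxy setting.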
Configure the Proxy node
Open Qlik Management Console (QMC)
Go to Proxies
Select your Proxy and click Edit
In the right pane, select Security
Scroll down and locate "SSL browser certificate thumbprint" in the Security section
Paste the thumbprint for the new certificate from above
When you click Apply, Qlik Sense will restart the Proxy service and automatically unbind the previous certificate, as well as bind the new certificate to all required ports. No manual interaction with the netsh command is required.