How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate

How to change the certificate used by Qlik Sense Hub and QMC?


By default, a self-signed certificate is used to secure communication between the web browser (client) and the Proxy. This results in a warning in the client web browser such as "The site's security certificate is not trusted" (Chrome) or "This Connection is Untrusted" (Firefox).

Related information can be found under Changing to a signed server proxy certificate

Also see in Qlik Community: Qlik Sense Hub and QMC with a custom SSL certificate on our #QlikSupport Update blog for more detailed steps.

Environment: 

Qlik Sense all versions 

 

Cause:


To establish a secure https connection, the browser must trust the SSL/TLS certificate installed on the server. In the case of self-signed certificates, the signing Certificate Authority is not trusted, hence no certificates generated by the CA are trusted.

 

Resolution:


Note 1: A third-party certificate can be purchased and installed, or issued by a private CA. This certificate does not replace the existing Sense certificates. These steps do NOT require the deletion of any existing Sense certificates. Deleting the certificates generated by Qlik Sense may damage the system by breaking service communication.
Note 2: Before getting started, ensure that the new certificate issued by the specific CA is compatible with Qlik Sense. See Qlik Sense: Compatibility information for third-party SSL certificates
Note 3: In addition, it is highly recommended to enable HTTP, at least temporarily, in case any issue breaks HTTPS connections.
 



To resolve this issue, it is recommended that the certificate used for communication between the web browser (client) and the proxy be replaced with a Signed Server Certificate from a trusted Certificate Authority. The following steps need to be performed to accomplish this.


Note: If still using the Qlik Sense self-signed certificate, an alternative solution is also documented under General: what does the certificate error(red cross) in browser mean and how to fix it.

  • Obtain a valid Signed Server Certificate matching the Proxy node URL from a trusted Certificate Authority (such as VeriSign, GlobalSign or a trusted Enterprise CA), or a wildcard certificate (e.g. *.domain.com) matching the domain of the Proxy node URL. Warning for iOS: trusted Enterprise CAs are not supported; refer to the article iOS devices cannot open QlikSense Apps on the HUB
  • Import the above certificate into Windows Local Computer Certificate Store
  • Obtain the thumbprint for the above certificate
  • Configure the Proxy node to use the above certificate
Note: The certificate must contain a private key, regardless of the Qlik Sense version, and the key must have been marked as "Exportable" (i.e. the setting "Mark this key as exportable...").
You can verify that a key is present by reviewing the certificate in the MMC. It would look like this:

Import the certificate

 

Log on as the Qlik Service account or switch to the Qlik Service account.

  1. Launch Microsoft Management Console (mmc.exe) on the Proxy node
  2. In the MMC, go to File > Add / Remove Snap-in...
  3. Select Certificates and click Add
  4. Select Computer account, click Next, select Local computer and click Finish
  5. In the MMC, go to Certificates (Local Computer)/Personal
  6. In the MMC, go to Actions > All Tasks > Import...
  7. Browse to the certificate file provided to you from your CA
  8. Follow the instructions on the screen to import the certificate, including the private key. At the "Certificate Store" window, select "Automatically select the certificate store based on the type of certificate"
  9. Verify the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key
  10. Double-click the Certificate > Certification Path and confirm it shows "This certificate is OK"

Warning: You must make sure that the certificate is available for the account that is running Qlik Sense services. The best way to do this is to run/execute the MMC as the service account (not a local user or admin account) and see if the certificate is visible in Personal > Certificates.
If you are running services with local system, you can use a tool such as Psexec to execute the MMC as local system and check that the certificate is available.
 

Locate the Certificate thumbprint 

  1. In the MMC, right-click the imported certificate above and select Open
  2. On the Details tab, scroll down and select Thumbprint
  3. Mark/highlight the thumbprint hash and press CTRL+C to copy the hash to the clipboard
  4. Paste the hash in Notepad
    1. In some circumstances, there are non Unicode characters which should become apparent when pasting into Notepad
    2. In some circumstances, you need to remove all spaces in the thumbprint (Use Replace function)
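
The checks from the import and thumbprint steps above can also be scripted. The following PowerShell function is an added example, not part of the original article or of Qlik's tooling; the name `Test-ProxyCertificate` and its parameter are hypothetical. It is meant to be run in a session started as the Qlik Sense service account, so that the result reflects what that account sees.

```powershell
# Added example (not Qlik code): clean a pasted thumbprint and verify the
# certificate it points to in Certificates (Local Computer) > Personal.
function Test-ProxyCertificate {
    param(
        # Text copied from the Thumbprint field on the MMC Details tab
        [Parameter(Mandatory)] [string] $PastedThumbprint
    )

    # Keep hex digits only: drops spaces and any invisible characters
    # that came along with the copy from the certificate dialog.
    $thumb = ($PastedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($thumb.Length) hex characters."
    }

    # Same store the import steps use.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My."
    }

    # Scripted counterpart of the Certification Path tab. The default chain
    # policy checks revocation online, so this may need network access.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $now     = Get-Date

    [pscustomobject]@{
        Thumbprint    = $thumb    # cleaned value to paste into the QMC
        Subject       = $cert.Subject
        DnsNames      = $cert.DnsNameList.Unicode -join ', '
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainOk       = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage with a constructed placeholder thumbprint; paste your own value.
# Test-ProxyCertificate -PastedThumbprint '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'
```

The certificate is ready for the proxy configuration when `HasPrivateKey`, `InValidity` and `ChainOk` are all `True` and `DnsNames` covers the Proxy node URL.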
 

Configure the Proxy node

 

  1. Open Qlik Management Console (QMC)
  2. Go to Proxies 
  3. Select your Proxy and click Edit
  4. In the right pane, select Security
  5. Scroll down and locate "SSL browser certificate thumbprint" in the Security section
  6. Paste the thumbprint for the new certificate from above
  7. Click Apply
 

When you click Apply, Qlik Sense restarts the Proxy service, automatically unbinds the previous certificate, and binds the new certificate to all required ports.
No manual interaction with the netsh command is required.

Note: If the Qlik Sense service account does not have local Administrative privileges, the Proxy service may roll back to using the default self-signed certificates. For next steps, see How to: Change the Qlik Sense Proxy certificate if the service account does not have local administr...
 

Related Content:

Qlik Sense Hub and QMC with custom SSL certificate 
ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate
Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC
Requirements for configuring Qlik Sense with SSL

Version history: Revision 2 of 2. Last update: 2020-06-16 01:40 PM