Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC
A third party certficiate was configured in the Qlik Sense Proxy, but is not being used. The connection is not private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on HUB access.
Qlik Sense all versions
Qlik Sense Enterprise uses self-signed and self-generated certificates to protect communication between services, as well as user web traffic to the Hub and QMC. It is possible to use a third-party issued SSL certificate to protect client web traffic, as using the self-signed certificate will cause a certificate warning to be displayed in the web browser (such as Google Chrome or Internet Explorer). Third party certificates are not supported by Qlik.
If the third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense or it does not have the correct attributes and cyphers, the Qlik Sense Repository Service will revert to using the default certificates. The following error may occur in the Proxy Security logs:
No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE])
Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE]
Reverting to default Qlik Sense SSLCertificate
Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser
In order for Qlik Sense Enterprise to correctly recognize the third-party certificate as valid, the certificate will have to meet the following requirements:
Certificates that are known to work well with Qlik Sense have the following attributes:
Certificates that are x509 version 3
Use signature algorithm sha256RSA
Use signature hash algorithm sha256
Signed by a valid, and os/browser configured , CA
Are valid according to date restrictions (valid from/valid to)
Key in format CryptoAPI (not in CNG)
Note: The certificate itself has to contain private key no matter what Qlik Sense version.
One thing that could be double-checked is if the CA certificate, and any relevant intermediate CA certificates, are correctly installed. Should any be missing, Qlik Sense proxy will not use the server certificate and will revert back to using the self-signed certificate instead.