Qlik Community

Qlik Support Knowledge Base

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Attachments getting stuck in the virus scanner. The team is investigating.

Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC

Support
Support

Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC

A third party certficiate was configured in the Qlik Sense Proxy, but is not being used.
The connection is not private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on HUB access. 

Environment: 

Qlik Sense all versions


Qlik Sense Enterprise uses self-signed and self-generated certificates to protect communication between services, as well  as user web traffic to the Hub and QMC.  It is possible to use a third-party issued SSL certificate to protect client web traffic, as using the self-signed certificate will cause a certificate warning to be displayed in the web browser (such as Google Chrome or Internet Explorer). Third party certificates are not supported by Qlik. 

If the third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense or it does not have the correct attributes and cyphers, the Qlik Sense Repository Service will revert to using the default certificates. The following error may occur in the Proxy Security logs:

Example:  C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\HOSTNAME_Security_Proxy.txt
 

No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE])
Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE]	
Reverting to default Qlik Sense SSLCertificate
Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser

 

Resolution:


In order for Qlik Sense Enterprise to correctly recognize the third-party certificate as valid, the certificate will have to meet the following requirements:

Certificates that are known to work well with Qlik Sense have the following attributes:

  • Certificates that are x509 version 3
  • Use signature algorithm sha256RSA
  • Use signature hash algorithm sha256
  • Signed by a valid, and os/browser configured , CA
  • Are valid according to date restrictions (valid from/valid to)
  • Key in format CryptoAPI (not in CNG)
  • Note: The certificate itself has to contain private key no matter what Qlik Sense version.

 
One thing that could be double-checked is if the CA certificate, and any relevant intermediate CA certificates, are correctly installed. Should any be missing, Qlik Sense proxy will not use the server certificate and will revert back to using the self-signed certificate instead.
 

Labels (1)
Version history
Revision #:
4 of 4
Last update:
a month ago
Updated by:
 
Contributors