Qlik Community

Support Knowledge Base

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Coming your way, the Qlik Data Revolution Virtual Summit. October 27-29. REGISTER

How to configure a .pfx certificate for use with NPrinting Web Console and the NewsStand

Employee
Employee

How to configure a .pfx certificate for use with NPrinting Web Console and the NewsStand

How to configure to use a new .pfx certificate for use with NPrinting Web Console and/or the NewsStand after converting it to the .key and .crt format

Items Needed:

  • Certificate with the Private Key that can be extracted (PFX files are the easiest)
  • Import Password for the PFX certificate
  • OpenSSL (3rd Party free software- NOT SUPPORTED) to extract the certificate and gather the .crt and .key files. See Installing OpenSSL

Note: Please review this information with your internal Certificate Authority or appropriate IT team that would provide the certificate and follow their guidelines if it differs from the steps here. If a new certificate cannot be issued for the NPrinting server, a workaround for the issue may be found under General: what does the certificate error(red cross) in browser mean and how to fix it

Environment:

  • NPrinting all versions


All the steps below can be performed automatically with one click using a third-party tool called NPrinting Certificate Configurator, which can be downloaded from the Releases section. Keep in mind that Qlik does NOT support the 3rd party software mentioned and used in this documentation. Please use them at your own discretion and, if concerned, contact the proper IT team within your company to verify the ability to use non-Qlik related software in the environment.


Step 1: Using and administrative command prompt, navigate to the Open SSL/bin folder on your NPrinting computer and extract the .crt file from the .pfx file.

User-added image
Test Command: openssl pkcs12 -in C:\NPCerts\QS3Cert.pfx -clcerts -nokeys -out C:\NPCerts\QS3.crt
Example Command: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
Note: The Import Password is determined by the CA when the certificate is exported/created. This is to help protect the Private Key. It should supplied with the certificate from the 3rd Party SSL CA  / Internal CA. If you do not have this password, you will not be able to use the certificate.

 
Step 2: Extract the .key file from the .pfx file.

User-added image

Test Command: openssl pkcs12 -in C:\NPCerts\QS3Cert.pfx -nocerts -out C:\NPCerts\QS3.key
Example Command:  openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
Note: The PEM pass phrase is used to protect the new .key file you’ve created.


Step 3: Decrypt the .key file. (NPrinting CANNOT have a passphrase on the .key file)

User-added image

Test Command: openssl rsa -in C:\NPCerts\QS3.key -out C:\NPCerts\QS3.key
Example Command:  openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
Note: At this stage, we’re removing the pass phrase from the .key, unencrypting it for NPrinting to read it.
In the Test Command, we’re overwriting the same file in the command. This works, but if you want a separate copy of the encrypted and decrypted Key you’ll need to make them different file names or locations.  
 

Step 4: Place the new .crt / .key files in the webconsoleproxy folder and add them to the app.conf file.

User-added image
 

  1. Edit the Qlik NPrinting Web Console proxy configuration file: %ProgramData%\NPrinting\webconsoleproxy\app.conf.
    1. Uncomment by removing the # and change or add the following lines to:
  2. http.sslcert=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.crt. Change the certificate file name if necessary.
  3. http.sslkey=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.key. Change the private key file name if necessary.
    1. ${ProgramData} is the Windows ProgramData environment variable with the notation for the configuration file. As alternative you can insert your full path, for example C:\ProgramData\NPrinting\webconsoleproxy\NPrinting.crt.


Step 5: Place the new .crt / .key files in the newsstandproxy folder and add them to the app.conf file.

User-added image

Note: For older then June 2017 or upgraded from older versions, see Installing Certificates for used path.

  1. Edit the NewsStand proxy configuration file: %ProgramData%\NPrinting\newsstandproxy\app.conf.
    1. Uncomment by removing the # and change or add the following lines to:
  2. http.sslcert=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.crt. Change the certificate file name if necessary.
  3. http.sslkey=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.key. Change the private key file name if necessary.
    1. ${ProgramData} is the Windows ProgramData environment variable with the notation for the configuration file. As alternative you can insert your full path, for example C:\ProgramData\NPrinting\newsstandproxy\NPrinting.crt.


Step 6: Restart the Qlik NPrinting Web Engine and check the nprinting_webengine.log to verify there’s no issues with new certificate information.

User-added image

Note:  The above is an example of a clean start of the Web Engine. Default location for those logs are located: C:\ProgramData\NPrinting\Logs

 
Step 7: Verify that the certificate is being used in the browser.

User-added image
 

Note: The certificate is correctly being presented to the browser under the URL of qlikserver3.domain.local. With this certificate, it’s the ONLY name that this certificate will trust.

User-added image
 
Note: This is the result using the servername instead of the FQDN. You can access the URL, but it presents a “Not secure” message, but shows the correctly installed certificate. The reason for this is that the server recognizes the name, but the certificate only allows qlikserver3.domain.local. If you want multiple URL/Aliases, they need to be added in the certificate. 

Labels (1)
Version history
Revision #:
4 of 4
Last update:
‎2020-08-24 08:18 AM
Updated by:
 
Contributors