How I did it.
Received from domain CA certificate on the server. If not necessary to, I will describe how to do this.
further open the properties of the certificate, tab "details" option "Thumbprint"
and copied value as is, with spaces.
Open QMC in my server
Edit Proxy, check Security and paste value in "SSL browser sertificate thumbprint" with space.
Restart Qlik Sense Web Server.
I exactly followed the process above for installing a server SSL certificate (both with entering the thumbprint with and without spaces). After saving the thumbprint, connection is lost and I cannot connect to QMC anymore.
Firefox : "The connection was interrupted"
- How to rollback?
- How to find out what actually goes wrong?
Appreciate any suggestions
OK, I got my SSL certificate running by
1. stopping the qlik repository service,
2. installing my certificates on the windows server
3. entering the SSL browser certificate thumbprint in the proxy (with the whitespaces)
4. removing the qlik certificates
5. restart the qlik repository service (which re-installs the qlik certificates again)
I ended up getting things working again by running the query below directly in the Postgres database that Qlik Sense is using behind the scenes (note that I only had one server and there was only one row in the table).
update public."ProxyServiceSettings" set "SslBrowserCertificateThumbprint" = null
- Stop Qlik Sense Repository Service (this will also stop the other services)
- Applying an SSL Certificate to server
to apply an SSL Certificate to a Qlik Sense server
- Launch the MMC
- When the MMC opens go to File|Add/Remove Snap-in.
- Click on the Certificates snap-in on the left side list box and click the add button.
- Choose Computer account and click Next.
- Leave Local computer selected and click Finish.
- Click OK to go back to the MMC.
Then restart the server and running all qlik services and try again for more details please check this link
Hope it Work
I already installed the certificates, but the site still show the insecure legend when I tried to open from outside.
I saw the logs and I see this:
No private key found for certificate 'CN=xx.xxxxxxxxxxxx.com, OU=Domain Control Validated' (xxxxxxxxxxxxxxx)c3b9033e-xxxx-xxxx-xxxx-xxxxxxxxxxx
5 20170815T172713.730-0300 WARN XXXX Security.Proxy.Qlik.Sense.Communication.Security.CertSetup 7 d0297779-xxxx-xxxx-xxxx-b51b06a8db33
XXXX\QSADM Couldn't find a valid ssl certificate with thumbprint xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 0x d0297779-ea18-4521-870f-b51b06a8db33
6 20170815T172713.730-0300 WARN XXXX Security.Proxy.Qlik.Sense.Communication.Security.CertSetup 7 ea1a39dd-b87c-43c0-ad8c-492f9e14d305
XXXX\QSADM Reverting to default Qlik Sense SSLCertificate ea1a39dd-b87c-43c0-ad8c-492f9e14d305
7 20170815T172713.730-0300 INFO XXXX Security.Proxy.Qlik.Sense.Communication.Security.CertSetup 7 2fee8c35-1aaa-4f0f-9cac-a354854910cd
XXXX\QSADM Set certificate 'CN=xxxx.xxxxx.LOCAL' (8FA4393ECD334653A281886E4C3FA3D302A97F35) as SSL certificate presented to browser
Thats mean the certificated doesnt work and restored to the default one?
PS: I already added the site in the whitelist
facing the same problem here.
this link https://support.aginic.com/support/solutions/articles/14000031148-applying-an-ssl-certificate-to-qlik-sense says on step 9 "(the pfx file)". I only have a .crt file from go daddy and the certificate import worked.
and when i try to access using https I get:
Expires on: 17 de jul de 2027
Current date: 6 de nov de 2017
But this is the old certificate and not the new one
thanks in advance
Two possible reasons for this...
1. incorrect certificate type... make sure it has a Purpose of "Server Authentication" and Key Usage of "Digital Signature & Key Enciphement"
2. Make sure that the Service Account being used for the Qlik Services has permissions to access the Private Key.
How to Modify Private Key Permissions to Support Management Server or Streaming Server | Microsoft Docs
1. The Certificate or one of the Certificates in its Issuing Chain has to be in the Trusted Root on the Computer you are using. (Public certificate Authorities such as DigiCert, Comodo etc are already in the Trusted Root by default) If you are using a Internal CA for the SSL Cert then it will need to be trusted by your end users
2. The Certificate needs to have a "Subject Name" or "Subject Alternative Name" (SAN) that matches the server/Domain Component of the URL you are using to access the server. e.g SAN of dns=server.domain.com
3. The Certificate & Private Key need to be installed in the Servers Personal (\My) Certificate Store
4. The Service account Running the Qlik Sense Proxy Service Needs to have Permissions on the Private Key to read it.
5. The thumbprint of the certificate needs to be added to the proxy.
(having a valid Certificate and then using https://localhost will show not secure)