I'm researching this in the help and it looks like the QRS requires the client certificate generated at install or exporting through the QMC.
It's possible that the self-signed certs are used throughout the internal communications in a Qlik Sense deployment. The SSL thumbprint is used to validate external connections to the proxy. It appears from the documentation that QRS happens behind the proxy in all cases which may use the self-signed certs. Therefore, you have to use the QlikClient cert to allow the inner workings of the Qlik Sense deployment to trust your external request.
I have a theory about making a QRS request work with your server cert instead of the self-signed client cert by performing the following:
- Connect https://%senseServer%:4243/qps/%virtualProxy%/ticket. Use the server cert to obtain a ticket. Here is a .Net sample, and yes it uses QlikClient cert, but you can supply the server cert here. http://help.qlik.com/sense/en-us/developer/#../Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/ProxyServiceAPI-Exampl…
- Use the obtained ticket to connect to https://%senseServer%/%virtualProxy/qrs/<path>?xrfkey=...&qlikticket=<obtainedQlikTicket>. This is going to authorize you to the QRS and get you a session.
I have to test to verify this will work.