Skip to main content Skip to complementary content

Managing keys and certificates

Qlik NPrinting encryption requires a X.509 certificate file in PEM format. You can generate a self-signed certificate, or get one signed from a certification authority (CA). A single certificate covers both the NewsStand and the Qlik NPrinting web console, as they have the same domain name.

Generating a self-signed certificate

A self-signed certificate is an identity certificate that is signed by the entity owning the certificate. This entity uses its own private key to certify its identity. Using a self-signed certificate lets you sign your certificate by yourself.

You can use a self-signed certificate if:

  • You intend to use HTTPS (HTTP over TLS) to secure your web servers.
  • You do not require that your certificates are signed by a certificate authority (CA).

For example, you can use a self-signed certificate if your web servers are used only inside your local network.

Do the following:

  1. Open a Windows command line prompt.
  2. Move to the OpenSSL binary folder. Default command is cd C:\OpenSSL-Win64\bin. Files will be created in this folder, then you will move them into the final folder.
  3. To create the self-signed certificate run the following command:
    openssl req -newkey rsa:4096 -nodes -keyout NPrinting.key -x509 -days 365 -out NPrinting.crt


    • req is the PKCS#10 certificate request and generating utility.
    • The -x509 option tells req to create a self-signed certificate.
    • The -days 365 option specifies that the certificate will be valid for 365 days.

    To skip the interactive questions, use the -subj followed by your domain information within quotation marks.

    For example:

    -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/".

Warning noteThe private key should not be disclosed to anyone, nor sent to the certificate authority. Back it up and store it in a safe place.

You can distribute only the public key file.

Buying a certificate from a certification authority

Your certificates must be signed by a certification authority (CA) if you need to avoid security warnings in case your web server is publicly reachable via web browsers,. There are numerous certification authorities. The CA you choose will have their own specific instructions to follow. Some steps on generating and implementing CA-signed certificates are common to all certification authorities. The following sections outline these common steps.

Generating a certificate signing request

To obtain a CA-signed certificate, you must generate a certificate signing request (CSR). A CSR contains your public key and other additional information. This information will be included in the signed certificate. A CSR never contains the private key.

Do the following:

  1. To generate the CSR and the private key run the following command:

    openssl req -new -newkey rsa:4096 -nodes -keyout NPrinting.key -out NPrinting.csr

  2. You will be prompted to answer the interactive questions.
    To skip the interactive questions, use the -subj followed by your domain information within quotation marks.

    For example:

    -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/".

For any custom procedure needed for creating the CSR, refer to the certification authority's instructions .

Common Name field

The name in the Common Name field (CN) must be the Fully Qualified Domain Name (FQDN) of the host that will use the certificate.

For example:

  • If the URL of your NewsStand is, the FQND is (the port is not part of the FQDN).
  • The URL is considered different from If you want both URL addresses to be valid host names, you must generate two certificates, one containing the FQDN, and one containing the FQDN

Merging signed certificates with server certificates

When using a certificate signed by a certification authority (CA), you must create a PEM file certificate bundle containing the server certificate, any intermediates, and the CA-signed certificate. Once you have created the certificate bundle, use it together with your private key to set up the proxy. Files containing a certificate and matching private key for the server must be provided.

Do the following:

  1. You can create a certificate bundle file by concatenating the CA-signed certificate for your domain, the server certificate, and any intermediates. All certificates including the root certificate must be concatenated.
  2. Make sure to apply the following order for the concatenation:

    • Domain certificate
    • Intermediate certificates (one or multiple)
    • Root certificate

    For example:

    more < NPrinting.crt >> NPrinting.public.crt
    more < RSADomainValidationSecureServerCA.crt >> NPrinting.public.crt
    more < RSAAddTrustCA.crt >> NPrinting.public.crt
    more < AddTrustExternalCARoot.crt >> NPrinting.public.crt


    • NPrinting.crt is the domain certificate.
    • NPrinting.public.crt is the certificate bundle that will be used to set up the proxy.
    • RSADomainValidationSecureServerCA.crt and RSAAddTrustCA.crt are intermediate certificates.
    • AddTrustExternalCARoot.crt is the root certificate.
  3. Use NPrinting.public.crt as a certificate file and the private key to set up the proxy.