Managing keys and certificates

Qlik NPrinting encryption requires an X.509 certificate file in PEM format. You can generate a self-signed certificate, or get one signed by a certification authority (CA). A single certificate covers both the NewsStand and the Qlik NPrinting web console, because they have the same domain name.

Limitations

  • Certificates generated using CNG compatible algorithms are not compatible with the On-Demand Add-on.

Generating a public and private RSA key pair in PEM format

Do the following:

  1. Open a Windows command line prompt.

  2. Move to the OpenSSL binary folder. Default command is: cd C:\OpenSSL-Win64\bin

    You can customize the folder if it is necessary. Files will be created in this folder, then you will move them into the final folder.

  3. Run the command: openssl genrsa -out NPrinting.key 4096.

    genrsa is the option to generate an RSA private key. 4096 is the size of the generated private key in bits.

  4. If you only want to export the public key in PEM format, run the command: openssl rsa -in NPrinting.key -outform PEM -pubout -out NPrintingPublic.pem.

    pubout is the OpenSSL option to extract the public key from an RSA private key.

    Warning: The certificate key must not be passphrase protected.
    Warning: The private key should not be disclosed to anyone, nor sent to the certificate authority. Back it up and store it in a safe place. You can distribute the public key file if needed.
  5. Before sharing your public key file, we suggest that you visually inspect it to be sure that you are sending the correct file:

    1. Open the file NPrinting.key in a text editor. NPrinting.key is your private key and it starts with: -----BEGIN RSA PRIVATE KEY-----. Keep it secret.

    2. Open the file NPrintingPublic.pem in a text editor. NPrintingPublic.pem is your public key and it starts with: -----BEGIN PUBLIC KEY-----. You can share this file.
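
The inspection in step 5 can also be scripted. The following PowerShell is an added example, not part of the Qlik documentation, and its function names are hypothetical. It reads the PEM header lines of a file, refuses to treat anything that contains a private key as shareable, and flags a server key that is passphrase protected.

```powershell
# Added example: function names are hypothetical; file names are those used in the steps above.

# Return the label of every "-----BEGIN <label>-----" line in a file.
function Get-PemLabel {
    param([Parameter(Mandatory)][string]$Path)
    $text = [string](Get-Content -LiteralPath $Path -Raw)
    [regex]::Matches($text, '(?m)^-----BEGIN ([A-Z0-9 ]+)-----\s*$') |
        ForEach-Object { $_.Groups[1].Value }
}

# A file may be sent out only if it is PEM and holds no private key block.
# Covers "RSA PRIVATE KEY" (the header shown above), "PRIVATE KEY"
# (PKCS#8, written by OpenSSL 3.x) and "ENCRYPTED PRIVATE KEY".
function Test-PemShareable {
    param([Parameter(Mandatory)][string]$Path)
    $labels = @(Get-PemLabel -Path $Path)
    if ($labels.Count -eq 0) { return $false }   # missing, empty or not PEM
    return @($labels | Where-Object { $_ -like '*PRIVATE KEY' }).Count -eq 0
}

# The server key must not be passphrase protected: reject PKCS#8
# "ENCRYPTED PRIVATE KEY" blocks and legacy keys that carry a
# "Proc-Type: 4,ENCRYPTED" header under an "RSA PRIVATE KEY" label.
function Test-PemKeyUnencrypted {
    param([Parameter(Mandatory)][string]$Path)
    $text = [string](Get-Content -LiteralPath $Path -Raw)
    $hasPlainKeyLabel = $text -match '-----BEGIN (RSA )?PRIVATE KEY-----'
    $legacyEncrypted  = $text -match 'Proc-Type:\s*4,ENCRYPTED'
    return $hasPlainKeyLabel -and -not $legacyEncrypted
}

if (-not (Test-PemShareable -Path .\NPrintingPublic.pem)) {
    throw 'NPrintingPublic.pem is not a public PEM file; do not send it.'
}
if (-not (Test-PemKeyUnencrypted -Path .\NPrinting.key)) {
    throw 'NPrinting.key is missing, not a private key, or passphrase protected.'
}
```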

Private key security

Qlik NPrinting operates 24/7. This means that the private key must be stored on the file system unencrypted. Protecting the private key with a password is not feasible because an administrator would have to enter the password every time the service is restarted. You can protect the private key file by granting access rights to administrators only. The private key file is only used for TLS and it never leaves the server.
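
One way to apply the restriction described above, as an added example that is not part of the Qlik documentation: the PowerShell below replaces the key file's access list with a single entry for the local Administrators group and then checks the result. The key path is a placeholder, and the script assumes that the account running the Qlik NPrinting services is a member of Administrators.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Placeholder path: point it at the folder the key file was moved to.
$KeyPath = 'C:\path\to\NPrinting.key'

# Well-known SID of the built-in Administrators group (independent of OS language).
# Assumption: the service account is a member of this group; if it is not,
# it needs its own read entry or the service cannot load the key.
$Admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

$acl = Get-Acl -LiteralPath $KeyPath
# Stop inheriting from the parent folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove every explicit entry that is already on the file.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
# Grant full control to Administrators only.
$allowAdmins = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Admins, 'FullControl', 'Allow'
$acl.AddAccessRule($allowAdmins)
Set-Acl -LiteralPath $KeyPath -AclObject $acl

# Verify: report any remaining entry that is not the Administrators group.
$sidType = [System.Security.Principal.SecurityIdentifier]
$unexpected = @((Get-Acl -LiteralPath $KeyPath).Access | Where-Object {
    $_.IdentityReference.Translate($sidType).Value -ne $Admins.Value
})
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
    throw "Unexpected access entries remain on $KeyPath"
}
```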

Generating a self-signed certificate

A self-signed certificate is an identity certificate that is signed by the entity owning the certificate. This entity uses its own private key to certify its identity. Using a self-signed certificate lets you sign your certificate by yourself.

You can use a self-signed certificate if:

  • You intend to use HTTPS (HTTP over TLS) to secure your web servers.
  • You do not require that your certificates are signed by a certificate authority (CA).

For example, you can use a self-signed certificate if your web servers are used only inside your local network.

Do the following:

  1. Open a Windows command line prompt.
  2. Move to the OpenSSL binary folder. Default command is cd C:\OpenSSL-Win64\bin. Files will be created in this folder, then you will move them into the final folder.
  3. To create the self-signed certificate run the following command:
    openssl req -newkey rsa:4096 -nodes -keyout NPrinting.key -x509 -days 365 -out NPrinting.crt

    Where:

    • req is the PKCS#10 certificate request and generating utility.
    • The -x509 option tells req to create a self-signed certificate.
    • The -days 365 option specifies that the certificate will be valid for 365 days.

    To skip the interactive questions, use the -subj option followed by your domain information within quotation marks.

    For example:

    -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=mywebsitedomain.com"

Warning: The private key should not be disclosed to anyone, nor sent to the certificate authority. Back it up and store it in a safe place.

You can distribute the public key file.

Buying a certificate from a certification authority

Your certificates must be signed by a certification authority (CA) if your web server is publicly reachable via web browsers and you need to avoid security warnings. There are numerous certification authorities. The CA you choose will have its own specific instructions to follow. Some steps for generating and implementing CA-signed certificates are common to all certification authorities. The following sections outline these common steps.

Generating a certificate signing request

To obtain a CA-signed certificate, you must generate a certificate signing request (CSR). A CSR contains your public key and other additional information. This information will be included in the signed certificate. A CSR never contains the private key.

Do the following:

  1. To generate the CSR and the private key run the following command:

    openssl req -new -newkey rsa:4096 -nodes -keyout NPrinting.key -out NPrinting.csr

  2. You will be prompted to answer the interactive questions.
    To skip the interactive questions, use the -subj option followed by your domain information within quotation marks.

    For example:

    -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=mywebsitedomain.com"

For any custom procedure needed for creating the CSR, refer to the certification authority's instructions.

Common Name field

The name in the Common Name field (CN) must be the Fully Qualified Domain Name (FQDN) of the host that will use the certificate.

For example:

  • If the URL of your NewsStand is https://yourcompany.com:4994, the FQDN is yourcompany.com (the port is not part of the FQDN).
  • The URL https://www.yourcompany.com:4994 is considered different from https://yourcompany.com:4994. If you want both URL addresses to be valid host names, you must generate two certificates, one containing the FQDN www.yourcompany.com, and one containing the FQDN yourcompany.com.

Merging signed certificates with server certificates

When using a certificate signed by a certification authority (CA), you must create a PEM file certificate bundle containing:

  • the server certificate

  • any intermediates

  • the CA-signed certificate

Make sure to apply the following order for the concatenation:

  1. Domain certificate
  2. Intermediate certificates (one or multiple)
  3. Root certificate

Once you have created the certificate bundle, use it together with your private key to set up the proxy. Files containing a certificate and matching private key for the server must be provided.

Do the following:

In this example, the certificate for your domain is NPrinting.crt.

  1. Open a Windows command line and enter the following:

    more NPrinting.crt >> NPrinting.public.pem
    more RSADomainValidationSecureServerCA.crt >> NPrinting.public.pem
    more RSAAddTrustCA.crt >> NPrinting.public.pem
    more AddTrustExternalCARoot.crt >> NPrinting.public.pem

    Where:

    • NPrinting.crt is the domain certificate.
    • NPrinting.public.pem is the certificate bundle that will be used to set up the proxy.
    • RSADomainValidationSecureServerCA.crt and RSAAddTrustCA.crt are intermediate certificates.
    • AddTrustExternalCARoot.crt is the root certificate.
  2. Use NPrinting.public.pem as a certificate file and the private key to set up the proxy.
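
A check worth running before the proxy is configured, added here as an example and not taken from the Qlik documentation: the PowerShell below uses openssl to confirm that the private key belongs to the domain certificate and that each certificate in the bundle is followed by the certificate of its issuer. It assumes an RSA key, the file names used above, and openssl.exe on the PATH.

```powershell
# Added example. Assumes an RSA key and that openssl.exe is on the PATH.
$Key    = 'NPrinting.key'
$Bundle = 'NPrinting.public.pem'

# 1. The key and the domain certificate must share the same RSA modulus.
#    openssl x509 reads only the first certificate in the file, which
#    must be the domain certificate.
$certModulus = [string](openssl x509 -in $Bundle -noout -modulus)
$keyModulus  = [string](openssl rsa -in $Key -noout -modulus)
if (-not $certModulus -or $certModulus -ne $keyModulus) {
    throw 'The private key does not match the first certificate in the bundle.'
}

# 2. Split the bundle into its certificates and read subject and issuer of each.
$pem    = [string](Get-Content -LiteralPath $Bundle -Raw)
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----')
$chain  = @(foreach ($block in $blocks) {
    $out = $block.Value | openssl x509 -noout -subject -issuer
    [pscustomobject]@{
        Subject = [string]($out | Where-Object { $_ -like 'subject=*' }) -replace '^subject=\s*', ''
        Issuer  = [string]($out | Where-Object { $_ -like 'issuer=*' }) -replace '^issuer=\s*', ''
    }
})
if ($chain.Count -eq 0) { throw "No certificates found in $Bundle" }

# 3. Order check: domain certificate first, then each issuer's certificate in turn.
for ($i = 0; $i -lt $chain.Count - 1; $i++) {
    if ($chain[$i].Issuer -ne $chain[$i + 1].Subject) {
        throw "Bundle order is wrong after certificate $($i + 1): expected the certificate of '$($chain[$i].Issuer)' next."
    }
}

# 4. The last certificate should be the root, which is issued by itself.
$last = $chain[$chain.Count - 1]
if ($last.Issuer -ne $last.Subject) {
    Write-Warning 'The last certificate is not self-issued; the root certificate may be missing.'
}
$chain | Format-List Subject, Issuer
```

The order check compares subject and issuer names only; openssl verify checks the signatures themselves.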