Backing up and restoring certificates

Backing up certificates

It is vital that you back up your certificates and keep them in a secure location. If the certificates are lost, your sensitive data will be lost.

Service failure due to undecryptable data.

Here is a list of the three QlikView certificates that you must backup on the server running the QlikView Management Service (QMS):

Location Issued To Issued By Description
Local Computer / Personal <machine-name> QlikViewCA Server
Local Computer / Personal QVProxy QlikViewCA Client
Local Computer / Trusted Root Certification Authorities QlikViewCA QlikViewCA Root

Since the QlikView Management Service (QMS) creates and distributes certificates to all services in the QlikView installation, it is optional to back up the certificates on the servers running the other services. If certificates are missing for any of these services, the QMS distributes new certificates to the machines that are part of the deployment.

Use the MMC (Microsoft Management Console) to backup the certificates to your chosen location. For more information on the MMC, see: Using Microsoft Management Console.

To backup certificates:

  1. Open the MMC.
  2. Click File, and then click Add/Remove Snap in.
  3. Select Certificates and then click Add.
  4. Select Computer account, and click Next.
  5. Select Local computer. Click Finish and then click OK on the main window.
  6. Expand the Certificates node, and select the following certificate folders:
    • Personal
    • Trusted Root certificate Authorities
  7. Right click the certificate that you want to back up, click All Tasks, and then click Export.
  8. In the Certificate Export Wizard, select Yes, export private key, and click Next.
  9. Select Export all extended properties and Include all certificates in the certification path if possible. Then, click Next.
  10. Note: Make sure you export the private key and export all extended properties.
  11. Enter and confirm a password. Then click Next.

  12. Enter a file name, and choose a location for your backup, then click Next.
  13. Click Finish to create the backup.

For more information on locating your certificates, and how to back them up, see Certificate Trust.

Restoring certificates

If the certificates are missing for any reason, the services will close down and information can be found in the log files. If certificates were previously backed up, they can be restored using the MMC (Microsoft Management Console) on the machine running the QlikView Management Service. If there is no backup to use for restoring, the inaccessible data (the protected secret information) has to be cleared and later on reentered.

The following tab lists the three certificates that need to be restored:

Location Issued To Issued By Description
Local Computer / Personal <machine-name> QlikViewCA Server
Local Computer / Personal QVProxy QlikViewCA Client
Local Computer / Trusted Root Certification Authorities QlikViewCA QlikViewCA Root

To restore the certificates:

  1. Open the MMC.
  2. Click File, and then click Add/Remove Snap in.
  3. Select Certificates and then click Add.
  4. Select Computer account, and click Next.
  5. Select Local computer. Click Finish and then click OK on the main window.
  6. Expand the Certificates node, and select the following certificate folders:
    • Personal
    • Trusted Root certificate Authorities
  7. Right click the Certificates folder under Trusted Root Certification Authorities, click All Tasks, and then click Import.
  8. In the Certificate Import Wizard, browse to the location where you stored the certificates backup. To visualize the certificates files, select Personal Information Exchange (*.pfx;*.p12) format in the drop-down menu next to File name.
  9. Select the Root certificate and click Open. Then, click Next.
  10. Enter the password that was created when the certificates were exported. Select Mark this key as exportable and Include all extended properties. Click Next.

  11. In the following windows, click Next and then Finish.
  12. If the import was successful, the certificate is now listed in the MMC.
  13. Repeat steps 7 to 12 to import Server and Client certificates in the Certificates folder under Personal.

Services failure due to missing certificates

If the QMS service fails, a new set of certificates with a new random SecretsKey is created at startup. The QMS may now be asked for certificates by other services.

If any of the other services fails, the service starts in a special mode where the service can handle certificates from the QMS. You need to browse to a certain port on the local machine and enter a password presented by the QlikView Management Console. After this, the service must be restarted and will then run in its normal mode, using the newly received certificates and keys.

Service failure due to undecryptable data

Restoring certificates when migrating a QlikView Server installation

When you migrate a QlikView Server installation that uses certificates, some settings are encrypted. These settings cannot be decrypted if QlikView cannot access the certificates originally used for the encryption. Restoring the certificates from your current machine to the target machine for the migration allows you to decrypt the migrated settings. Once decrypted, these settings are encrypted again using the encryption key stored in the certificates from the target machine.

For more information on migrating a QlikView Server installation, see: Upgrading and migrating QlikView Server.

Removing certificates

We recommend to never remove your certificates. If certificates are lost, your sensitive data will be lost. However, you have to remove certificates in very specific situations, like when you upgrade QlikView Server from 11.20 to November 2017 or later.

Use the Microsoft Management Console (MMC) to remove the certificates. See: Using Microsoft Management Console.

  1. Open the MMC.
  2. Click File, and then click Add/Remove Snap in.
  3. Select Certificates and then click Add.
  4. Select Computer account, and click Next.
  5. Select Local computer. Click Finish and then click OK on the main window.
  6. Expand the Certificates node, and select the following certificate folders:
    • Personal
    • Trusted Root certificate Authorities
  7. Delete only the following certificates:
  8. Location Issued To Issued By Description
    Local Computer / Personal <machine-name> QlikViewCA Server
    Local Computer / Personal QVProxy QlikViewCA Client
    Local Computer / Trusted Root Certification Authorities QlikViewCA QlikViewCA Root
Warning: Make sure you delete only the certificates listed above.

Configuration files

The following table lists the location of each of the configuration files that may need editing.

Service Default Path
QMS C:\Program Files\QlikView\Management Service\QVManagementService.exe.config
DSC C:\Program Files\QlikView\Directory ServiceConnector\QVDirectoryServiceConnector.exe.config
QDS C:\Program Files\QlikView\Distribution Service\QVDistributionService.exe.config
QVWS C:\Program Files\QlikView\Server\Web Server\QVWebServer.exe.config
IIS

C:\Program Files\QlikView\Server\Web Server Settings\QVWebServerSettingsService.exe.config

C:\Program Files\QlikView\Server\QlikViewClients\QlikViewAjax\web.config

QVS C:\ProgramData\QlikTech\QlikViewServer\Settings.ini

Using Microsoft Management Console

Certificates can be visually confirmed in the QlikView Management Console with the certificate snap-in added. The QlikView certificates are located in the Personal>Certificates and Trusted Root Certification Authorities>Certificates folders.

The figures below show properly installed certificates in a QlikView Server configuration. Within the QlikView Management Console, all QlikView services on servers have certificates deployed as shown in the figures.

Did this information help you?

Thanks for letting us know. Is there anything you'd like to tell us about this topic?

Can you tell us why it did not help you and how we can improve it?