Skip to main content Skip to complementary content

Certificate Trust

In QlikView Server, if you choose digital authentication, you use certificates for authentication and authorization. A certificate provides trust between servers machines. In addition, dynamic encryption keys are used for sensitive data. The default configuration in QlikView relies on Windows trust (hard-coded cryptographic keys).

Information noteCertificates contain encryption keys so it is vital to keep a backup of the certificates in a safe place. See: Backing up and restoring certificates
Information noteYou must reference the QlikView Server by its machine name, and not by the IP address or fully qualified domain name.


In a QlikView Server installation, certificates authenticate and authorize communication between services running on multiple servers. The certificates include a SecretsKey that handles encryption and decryption of data such as passwords and connection strings.

Configuring certificates in a multiple server deployment within QlikView removes the dependency on a QlikView Administration Group for establishing trust . You can also use certificates to build a trust domain between QlikView services that are located in different domains without having to share an Active Directory (AD) or other user directories.

Information noteThe configuration steps described here only provide a trust domain between the QlikView services. The use of SSL/TLS and certificates for securing end-user communication has to be configured separately.

QlikView Server uses the following digital certificates for authentication and authorization:

Location Issued To Issued By Description
Local Computer / Personal <machine-name> QlikViewCA Server
Local Computer / Personal QVProxy QlikViewCA Client
Local Computer / Trusted Root Certification Authorities QlikViewCA QlikViewCA Root

Certificates are managed from the Microsoft Management Console (MMC).

The architecture is based on the QlikView Management Service (QMS) acting as the certificate manager or Certificate Authority (CA). The QMS can create and distribute certificates to all services in the QlikView installation.

QMS is therefore an important part of the security solution and has to be managed from a secure location to keep the certificate solution secure.

The root certificate for the installation is stored on the QMS server. All servers with QlikView services that are to participate in the installation receive certificates signed using the root certificate when added to the QMS. The QMS (that is, the CA) issues digital certificates that contain keys and the identity of the owner. The private key is not made publicly available – it is kept secret by the QlikView services. The certificate enables the QMS to validate the authenticity of the service. This means that the QMS is responsible for saying “yes, this service deployed on this server is a service in my installation”.

After the servers have received certificates, the communication between the QlikView services is encrypted using HTTPS (SSL/TLS encryption). The certificates only secure the communication between the services on the servers. The certificates do not secure the communication with the end user (that is, the certificates are not used for QlikView plug-in, client, or web server communication with the QVS).

The following diagram shows a multi-node QlikView Server deployment where the QMS (the Certificate Authority) distributes the certificates to the machines where the other services are installed.

The QlikView Management Service, with a root certificate and Qlik License Service, connects to the Web Server or Microsoft IIS, Directory Service Connector, QlikView Server, and QlikView Distribution Service, each of which contains multiple Client certificates.

Qlik License Service

In QlikView April 2019 or later, the Qlik License Service is always installed and actively used only when QlikView Server is licensed using a signed key. The Qlik License Service is installed on the machine running the QlikView Management Service (QMS), and handles certificates differently from the other services.

When the QlikView Management Service (QMS) is started for the first time, the Root and Server certificates are automatically exported and made available to the Qlik License Service. The certificates are exported as the following file:

  • root.pem
  • server.pem
  • server_key.pem
    This file contains the Server certificate key.

By default, these files are stored in the following location: %ProgramData%\QlikTech\LicenseService\Exported Certificates.

Information noteWhen you update the certificates for your installation, you must restart the QlikView Management Service (QMS) before the Qlik License Service. Starting the services in this order ensures that the correct set of certificates is exported and made available to the Qlik License Service. You can manage the status of the Qlik License Service by starting and stopping the Qlik Service Dispatcher.


The following requirements must be fulfilled for the certificate trust to function properly:

  • Certificate trust cannot be partially implemented. It is either used by all services in the QlikView installation or not at all.
  • Certificate trust is only supported by Windows Server 2008 and later.
  • Make sure that all machines use QlikView Server 12.00 or later. In QlikView Server 11.20 or earlier, a different method of encryption is used. Old certificates are not compatible with an installation running QlikView 12.00 or later and new certificates need to be generated.
  • If it is an initial installation of QlikView Server, install and configure the QlikView services without any modification. Prior to configuring the use of certificates, start and stop the services on the servers (that is, machines) where the QlikView services are deployed.
  • Section Access management must not be configured in environments where certificate trust is configured.
  • Ensure that you back up the following three certificates on the machine running the QlikView Management Service (QMS) every time they are updated:
  • Certificates
    Location Issued To Issued By Description
    Local Computer / Personal <machine-name> QlikViewCA Server
    Local Computer / Personal QVProxy QlikViewCA Client
    Local Computer / Trusted Root Certification Authorities QlikViewCA QlikViewCA Root

    For more information on how to backup certificates, see: Backing up and restoring certificates.

In addition, the technical requirements described in the following sections also have to be fulfilled.

Certificate ports

This section describes the ports that you need to open when configuring certificate trust.

The ports that are listed in the following table are needed for service to service communication and have to be configured as “open”.

For more information on QlikView ports, see: Ports.

Information noteFirewall configuration changes might be necessary, depending on the location of the QlikView servers within the resulting network and the routing of the QVS communication.
Ports for service to service communication
Service Ports SSL/TSL -enabled Ports
QlikView Server 4747, 4749 4749
QlikView Distribution Service 4720 4720
QlikView Web Server 4750, 80, 443 4750, 443
QlikView Management Service 4780, 4799 4780, 4799
Directory Service Connector 4730 4730

The ports that are listed in the following table are needed for the certificate installation procedure on the local server.

Information noteThe ports are not used for service to service communication.
Ports for certificate installation
Service Ports
QlikView Distribution Service 14720
Directory Service Connector 14730
QlikView Web Server 14750

The following table lists the protocols that are used for communication on the ports that are specified in this section.

Protocols for port communication
Service Ports
QlikView Server QVPX over SSL/TSL
All other services SOAP over SSL/TSL
Information noteTo install the distributed certificates for the respective services, physical access to the console or remote access to the console (for example, using remote desktop functionality) is needed.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Join the Analytics Modernization Program

Remove banner from view

Modernize without compromising your valuable QlikView apps with the Analytics Modernization Program. Click here for more information or reach out: