
Setting Up Qlik Replicate Server HTTPS support

The Qlik Replicate Server, which runs on both Windows and Linux, uses the OpenSSL HTTPS implementation. The Qlik Replicate Server automatically generates a self-signed server certificate, but it allows you to replace it with a server certificate signed by a trusted certificate authority. This section describes how to accomplish this on Linux and Windows.

Replacing the self-signed SSL certificates on Linux

When Qlik Replicate Server starts for the first time, it checks the <product-dir>/ssl/data directory for the presence of certificates. If the ssl folder is not found, it will then check the <product-dir>/<data-directory>/ssl/data directory (or directories when running multiple Linux instances) for the certificates.

If there are no certificates, it will create the following self-signed certificates:

  • agent-ca.pem - The CA certificate
  • agent-certificate.pem - The public certificate
  • agent-private-key.pem - The private key data
  • agent-private-key-passphrase.dat - The private key passphrase

Information note

When working with multiple instances, instead of creating a separate set of certificates for each instance in <product-dir>/<data-directory>/ssl/data, you can create a single set of certificates in <product-dir>/ssl/data. This way, instead of managing multiple sets of certificates for each instance, you only need to create/manage a single set of certificates.

You can replace the default self-signed certificates with your own, as follows:

  1. Stop the Qlik Replicate Server service.
  2. Create the required certificates using names that are identical to the certificates listed above.
  3. Copy the certificates to the ssl/data directory (<product-dir>/<data-directory>/ssl/data by default).
  4. Edit the agent-private-key-passphrase.dat file as follows:

    /clear:PRIVATE_KEY_PASSWORD

    Example:  

    /clear:12345

    When Qlik Replicate Server starts it will scramble the private key passphrase as shown in Examples of the Scrambled Private Key Password.

  5. Start the Qlik Replicate Server service.

For information on stopping and starting Qlik Replicate Server, see Setting up Qlik Replicate on Windows and Setting up Qlik Replicate on Linux.

Examples of the Scrambled Private Key Password

The scrambled private key passphrase stored in the agent-private-key-passphrase.dat file will look similar to this:

{S:DEA326D0DF190430975DE44CFBD6FDFD21883C10E7651081B3B5A0A7404BB97DB520876F60390B51300C831C82DE871CF8BA22393D8DD9B359DD5A93C5956710AD2546E188155482452235C5D91B430D151E3DDA7381CA3E}
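
The following pre-flight check for the Linux ssl/data directory is an added example, not Qlik's own code: it confirms that the four files named above exist, that the passphrase file uses one of the two forms shown on this page, and that the certificate, private key and /clear: passphrase load together before the service is started. The permission check, the {S:<hex>} pattern (inferred from the single sample above) and the assumption that the private key is a PEM file protected by that passphrase are assumptions of this example.

```python
import os
import re
import ssl
import stat

# File names are the four this page lists; the checks themselves are assumptions.
REQUIRED = ("agent-ca.pem", "agent-certificate.pem",
            "agent-private-key.pem", "agent-private-key-passphrase.dat")
SECRET = REQUIRED[2:]  # assumption: only the service account should read these
SCRAMBLED = re.compile(r"^\{S:[0-9A-Fa-f]+\}$")  # inferred from the page's sample


def read_passphrase(path):
    """Return ('clear', value), ('scrambled', None) or ('invalid', None)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read().strip()
    if text.startswith("/clear:"):
        return "clear", text[len("/clear:"):]
    if SCRAMBLED.match(text):
        return "scrambled", None
    return "invalid", None


def preflight(ssl_dir):
    """Return a list of findings for ssl_dir; an empty list means none found."""
    paths = {name: os.path.join(ssl_dir, name) for name in REQUIRED}
    missing = [name for name in REQUIRED if not os.path.isfile(paths[name])]
    if missing:
        return ["missing file: " + name for name in missing]
    findings = []
    for name in SECRET:
        mode = stat.S_IMODE(os.stat(paths[name]).st_mode)
        if mode & 0o077:
            findings.append(f"{name}: mode {mode:o} grants access to group/other")
    state, passphrase = read_passphrase(paths[REQUIRED[3]])
    if state == "invalid":
        findings.append("passphrase file is neither /clear:<value> nor {S:<hex>}")
    elif state == "clear":
        # load_cert_chain fails when the passphrase cannot decrypt the key or
        # the key does not belong to the certificate. A scrambled passphrase
        # cannot be recovered here, so the pairing check is skipped for it.
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(
                paths[REQUIRED[1]], paths[REQUIRED[2]], passphrase)
        except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError
            findings.append(f"certificate/key/passphrase do not load together: {exc}")
    return findings
```

Call preflight() with the path of the ssl/data directory after step 4 and before step 5; once the service has started and scrambled the passphrase, only the file and permission checks still apply.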

Replacing the self-signed certificate on Windows

The instructions below are intended for organizations who wish to replace the self-signed certificate generated by the Replicate UI Server on Windows with their own certificate. This is achieved by removing the self-signed certificate and then importing the new certificate.

See also Setting Up Qlik Replicate console HTTPS support.

Before starting, make sure that the following prerequisites have been met:

  • The replacement certificate must be a correctly configured SSL PFX file containing both the private key and the certificate.
  • The common name field in the certificate must match the name browsers will use to access the machine.

To remove the self-signed certificate created by Qlik Replicate:

  1. Stop the Qlik Replicate Server and Qlik Replicate UI Server services.
  2. Open a command prompt (using the "Run as administrator" option) and change the path to the Replicate bin directory. The default path is:

    C:\Program Files\Qlik\Replicate\bin

  3. Run the following command:

    RepUiCtl.exe certificate clean

To create and import your own certificate, open a command prompt and do the following:

  1. Create the private key file:

    openssl genpkey -algorithm RSA -out private.key -outform PEM

  2. Create the .crt file based on the private key file created earlier:

    openssl req -new -addext "subjectAltName = DNS:SSL-TEST.exampledomain.com" -key private.key -x509 -days 365 -out cert.crt

  3. Create the .pfx file based on the above:

    openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey private.key -in cert.crt -out cert.pfx

    Information note

    When prompted for the Organizational Unit Name and the Common Name, make sure to specify the same DNS name that was used to create the .crt. To view the DNS name, run the following command:

    nslookup %computername%

  4. Import the .pfx certificate into the My certificate store (Personal certificates):

    netsh http del sslcert ipport=0.0.0.0:443
    netsh http add sslcert ipport=0.0.0.0:443 certhash=<certificate thumbprint> appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
