Setting Up Qlik Replicate Server HTTPS support
The Qlik Replicate Server, which runs on both Windows and Linux, uses the OpenSSL HTTPS implementation. The Qlik Replicate Server automatically generates a self-signed server certificate, but it allows you to replace it with a server certificate signed by a trusted certificate authority. This section describes how to accomplish this on Linux and Windows.
Replacing the self-signed SSL certificates on Linux
When Qlik Replicate Server starts for the first time, it checks the <product-dir>/ssl/data directory for the presence of certificates. If the ssl folder is not found, it will then check the <product-dir>/<data-directory>/ssl/data directory (or directories when running multiple Linux instances) for the certificates.
If there are no certificates, it will create the following self-signed certificates:
- agent-ca.pem - The CA certificate
- agent-certificate.pem - The public certificate
- agent-private-key.pem - The private key data
- agent-private-key-passphrase.dat - The private key passphrase
When working with multiple instances, instead of creating a separate set of certificates for each instance in <product-dir>/<data-directory>/ssl/data, you can create a single set of certificates in <product-dir>/ssl/data. This way, instead of managing multiple sets of certificates for each instance, you only need to create/manage a single set of certificates.
You can replace the default self-signed certificates with your own, as follows:
- Stop the Qlik Replicate Server service.
- Create the required certificates using names that are identical to the certificates listed above.
- Copy the certificates to the ssl/data directory (<product-dir>/<data-directory>/ssl/data by default).
- Edit the agent-private-key-passphrase.dat file as follows:
  /clear:PRIVATE_KEY_PASSWORD
  Example:
  /clear:12345
  When Qlik Replicate Server starts, it will scramble the private key passphrase as shown in Examples of the Scrambled Private Key Password.
- Start the Qlik Replicate Server service.
For information on stopping and starting Qlik Replicate Server, see Setting up Qlik Replicate on Windows and Setting up Qlik Replicate on Linux.
Examples of the Scrambled Private Key Password
The scrambled private key passphrase stored in the agent-private-key-passphrase.dat file will look similar to this:
{S:DEA326D0DF190430975DE44CFBD6FDFD21883C10E7651081B3B5A0A7404BB97DB520876F60390B51300C831C82DE871CF8BA22393D8DD9B359DD5A93C5956710AD2546E188155482452235C5D91B430D151E3DDA7381CA3E}
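A pre-flight check for a replacement certificate set, meant to be run on a staging directory before the files are copied to ssl/data. This is an added example, not Qlik code: the function names are hypothetical, it assumes the openssl CLI is installed, and the file names and the /clear: and {S:...} formats are the ones shown on this page.

```sh
# Added example (not Qlik code). Usage: sh preflight.sh /path/to/staging-dir

# Classify the passphrase file: clear (/clear:...), scrambled ({S:HEX}) or invalid.
passphrase_state() (
  [ -r "$1" ] || { echo invalid; exit 0; }
  IFS= read -r line < "$1" || [ -n "$line" ] || { echo invalid; exit 0; }
  case "$line" in
    /clear:?*) echo clear ;;
    '{S:'?*'}')
      hex=${line#\{S:}; hex=${hex%\}}
      case "$hex" in *[!0-9A-Fa-f]*) echo invalid ;; *) echo scrambled ;; esac ;;
    *) echo invalid ;;
  esac
)

# Verify that the four files exist, that the passphrase decrypts the key,
# that the key belongs to the certificate, and that the certificate chains to the CA.
check_cert_set() (
  dir=$1
  for f in agent-ca.pem agent-certificate.pem agent-private-key.pem \
           agent-private-key-passphrase.dat; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; exit 1; }
  done
  pf=$dir/agent-private-key-passphrase.dat
  [ "$(passphrase_state "$pf")" = clear ] ||
    { echo "passphrase file is not in /clear: form" >&2; exit 1; }
  # The passphrase is plaintext until the server scrambles it: keep secrets owner-only.
  for f in "$pf" "$dir/agent-private-key.pem"; do
    [ -z "$(find "$f" -perm -004)" ] || { echo "world-readable: $f" >&2; exit 1; }
  done
  IFS= read -r line < "$pf" || :
  KEY_PASS=${line#/clear:}; export KEY_PASS  # env: keeps it out of the process list
  key_pub=$(openssl pkey -in "$dir/agent-private-key.pem" -passin env:KEY_PASS \
            -pubout 2>/dev/null) ||
    { echo "private key does not decrypt with the passphrase" >&2; exit 1; }
  crt_pub=$(openssl x509 -in "$dir/agent-certificate.pem" -noout -pubkey) || exit 1
  [ "$key_pub" = "$crt_pub" ] ||
    { echo "private key does not match agent-certificate.pem" >&2; exit 1; }
  openssl verify -CAfile "$dir/agent-ca.pem" "$dir/agent-certificate.pem" \
    >/dev/null 2>&1 ||
    { echo "certificate does not chain to agent-ca.pem" >&2; exit 1; }
  echo "certificate set OK"
)

[ $# -eq 0 ] || check_cert_set "$1"
```

A passphrase file saved with Windows line endings is reported as a decryption failure, because the trailing carriage return becomes part of the passphrase.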
Replacing the self-signed certificate on Windows
The instructions below are intended for organizations who wish to replace the self-signed certificate generated by the Replicate UI Server on Windows with their own certificate. This is achieved by removing the self-signed certificate and then importing the new certificate.
See also Setting Up Qlik Replicate console HTTPS support.
Before starting, make sure that the following prerequisites have been met:
- The replacement certificate must be a correctly configured SSL PFX file containing both the private key and the certificate.
- The common name field in the certificate must match the URL name that browsers will use to access the Replicate Console.
- The Certificate Subject Alternative Name must match the URL name that browsers will use to access the Replicate Console.
Removing the self-signed certificate created by Qlik Replicate
To remove the self-signed certificate created by Qlik Replicate:
- Stop the Qlik Replicate Server and Qlik Replicate UI Server services.
- Open a command prompt (using the "Run as administrator" option) and change the path to the Replicate bin directory. The default path is:
  C:\Program Files\Qlik\Replicate\bin
- Run the following command:
  RepUiCtl.exe certificate clean
Creating your own certificate
To create and import your own certificate, open a command prompt and do the following:
- Create the private key file:
  openssl genpkey -algorithm RSA -out private.key -outform PEM
- Create the .crt file based on the private key file created earlier:
  openssl req -new -addext "subjectAltName = DNS:SSL-TEST.exampledomain.com" -key private.key -x509 -days 365 -out cert.crt
- Create the .pfx file based on the above:
  openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey private.key -in cert.crt -out cert.pfx
  Information note: When prompted for the Organizational Unit Name and the Common Name, make sure to specify the same DNS that was used to create the .crt. To view the DNS, run the following command:
  nslookup %computername%
Importing your certificate
To import your own certificate:
- Run mmc.exe to open the Microsoft Management Console.
- From the File menu, select Add/Remove Snap-in.
  The Add or Remove Snap-ins dialog box opens.
- In the left pane, double-click Certificates.
  The Certificates snap-in wizard opens.
- Select Computer account and then click Next.
- In the Select Computer screen, make sure that Local computer is selected and then click Finish.
- Click OK to close the Add or Remove Snap-ins dialog box.
- In the left pane, expand the Certificates folder. Then, right-click the Personal folder and select All Tasks>Import.
- In the File to Import screen, select your PFX certificate file.
  Information note: By default, the Open dialog box displays CER files. In order to see your PFX files, you need to select Personal Information Exchange from the drop-down list in the bottom right of the dialog box.
- Click Next and enter the private key password.
- Continue clicking Next until you reach the Completing the Certificate Import Wizard screen. Then click Finish to exit the wizard.
- In the Personal > Certificates folder, double-click the newly imported certificate.
  The Certificate dialog box opens.
- Scroll down the Details tab until you see the Thumbprint details and copy them to the clipboard.
- Open a command prompt and run the following commands:
  Syntax:
  netsh http add sslcert ipport=0.0.0.0:443 certhash=[YOUR_CERTIFICATE_THUMBPRINT_WITHOUT_SPACES] appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
  Example:
  netsh http add sslcert ipport=0.0.0.0:443 certhash=5f6eccba751a75120cd0117389248ef3ca716e61 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
  Syntax:
  netsh http add sslcert ipport=[::]:443 certhash=[YOUR_CERTIFICATE_THUMBPRINT_WITHOUT_SPACES] appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
  Example:
  netsh http add sslcert ipport=[::]:443 certhash=5f6eccba751a75120cd0117389248ef3ca716e61 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
- Close the command prompt and Microsoft Management Console.
- Start the Qlik Replicate Server and Qlik Replicate UI Server services.
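The thumbprint used in the netsh step is the SHA-1 hash of the certificate, so it can be computed from cert.crt with openssl and checked against the value copied from the Certificate dialog. The following is an added example, not Qlik code: the function names are hypothetical, the appid and ports are the ones shown on this page, and it assumes a POSIX shell with openssl on the machine where cert.crt was created.

```sh
# Added example (not Qlik code). Usage: sh bindings.sh cert.crt HOST_NAME
APPID='{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # appid shown on this page

# Strip spaces and colons, lower-case, and require exactly 40 hex digits (SHA-1).
# Any other character, including invisible ones picked up by copy/paste, is rejected.
normalize_thumbprint() (
  t=$(printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'A-F' 'a-f')
  case "$t" in *[!0-9a-f]*|'') exit 1 ;; esac
  [ "${#t}" -eq 40 ] || exit 1
  printf '%s\n' "$t"
)

# SHA-1 thumbprint of a PEM certificate in the form the certhash parameter expects.
cert_thumbprint() (
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || exit 1
  normalize_thumbprint "${fp#*=}"
)

# Succeeds only if the certificate is valid for the host name browsers will use.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Print the IPv4 and IPv6 netsh bindings for a certificate that covers the host.
netsh_bindings() (
  cert_matches_host "$1" "$2" ||
    { echo "certificate does not cover $2" >&2; exit 1; }
  hash=$(cert_thumbprint "$1") || exit 1
  for ipport in 0.0.0.0:443 '[::]:443'; do
    printf 'netsh http add sslcert ipport=%s certhash=%s appid=%s\n' \
      "$ipport" "$hash" "$APPID"
  done
)

[ $# -lt 2 ] || netsh_bindings "$1" "$2"
```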