
Certificates used by the Qlik Sense Proxy Service

The Qlik Sense Proxy Service uses certificates to establish HTTPS connections to the Qlik Sense Hub and Management Console.

Common errors

As part of the Certificate Transparency (CT) framework employed by modern web browsers for enhanced security, error messages related to certificates and potential communication blocks are displayed to inform users about the legitimacy of a site. For more information, see What is Certificate Transparency?.

Some common errors are related to the certificate authority. For example, if there is no certificate authority or if the certificate has expired, the default level of security in most browsers will stop communication with a message about "unsigned certificates", "expired certificates", or similar terms. If your security administrators know that the certificate is still good, you can create an exception so the error is ignored for that certificate.

Other common errors are related to how the domain is named. For example, companyname.com is a different domain from www.companyname.com, and localhost is a different domain from a server name. A fully qualified domain name is an unambiguous name for a domain. For example, a server at companyname.com might be named mktg-SGK, and can be referred to that way, but the fully qualified domain name is mktg-SGK.companyname.com.

Encryption and keys

The kind of encryption used in certificates in Qlik products requires a pair of keys (asymmetric encryption). One key, the public key, is shared. The other key, the private key, is used only by the owner.

PEM is an ASCII text format for public certificates. It is portable across platforms.

You can get certificates and key pairs from certificate authorities or you can generate them. To get a certificate signed, you will need to also generate a signing request.

Adding third-party certificates

By default, Qlik Sense uses a self-signed certificate to enable HTTPS access across both the Hub (https://<your_sense_server>/hub) and the Management Console (https://<your_sense_server>/qmc). However, self-signed certificates cannot be validated or trusted by web browsers and tend to prompt a warning message.

To establish a secure HTTPS connection, the browser must trust the SSL/TLS certificate installed on the server. In the case of self-signed certificates, the signing certificate authority (CA) is not trusted, so no certificate generated by that certificate authority is trusted.

For the installation of a trusted certificate to be used with the Qlik Sense Hub and Management Console, an additional signed certificate is required, along with a brief (5-minute) downtime of the Qlik Sense Proxy. For more details, including a video, see How to change the certificate used by the Qlik Sense Proxy to a custom third party certificate on Qlik Community.

Choosing a suitable certificate

There are three potential types of certificates:

  • A certificate purchased from and signed by a trusted certificate authority like VeriSign, Thawte, or Geotrust.

  • A certificate provided and signed by your own enterprise certificate authority.

  • A self-signed certificate created by various applications, such as Microsoft IIS. These certificates are typically recommended for testing purposes only. They might unintentionally lead users to disregard browser warnings, which is not desirable.

The certificate must:

The certificate authority will have instructions for where to get a certificate and how to create a Certificate Signing Request (CSR). For a self-signed certificate or one from your corporation's certificate authority, a local administrator can provide the certificate to you. In either case, you need to generate a CSR to submit to your certificate authority. Various tools are available for this task, such as Microsoft's certreq. More information about Certificate Signing Requests can be found in this article: What is a CSR (Certificate Signing Request)?

Installing the certificate

When you have the certificate, the next step is to install it and activate it in Qlik Sense. This includes importing the certificate and retrieving the certificate thumbprint to provide it to the Qlik Sense Proxy.

Do the following:

  1. On the Qlik Sense node running the Qlik Sense Proxy, log in with the user running the Sense services.

  2. Import the certificate.

    If the certificate provided from your CA was saved in .pfx format:

    • Double-click the certificate file, and then follow the prompts to import the certificate into the Personal store.

    To import the certificate manually:

    1. Open the Microsoft Management Console (mmc.exe) on the proxy node.

    2. Go to File > Add/Remove Snap-in.

    3. Select Certificates and click Add.

    4. Select Computer account and click Next.

    5. Select Local computer, click Finish, and then click OK.

    6. Under Certificates (Local Computer), select Personal.

    7. Go to Actions > All Tasks > Import.

    8. Browse to locate your certificate file, and then follow the prompts to import the certificate including the private key to the Personal store.

  3. Verify that the certificate was correctly installed.

    1. Open the Microsoft Management Console (mmc.exe) on the proxy node.

    2. Under Certificates (Local Computer), select Personal.

    3. Verify that the new certificate is imported into Certificates (Local Computer)/Personal > Personal > Certificates and that it contains a private key.

    4. Double-click the certificate to open the Certificate dialog.

    5. On the Certification Path tab, confirm that the Certificate status says "This certificate is OK".

  4. Copy the certificate thumbprint.

    1. In the Microsoft Management Console, double-click the certificate to open the Certificate dialog.

    2. On the Details tab, locate Thumbprint in the list.

    3. Copy the thumbprint and paste it somewhere, for example, in a notepad, to be used in the next step.

  5. Configure the Qlik Sense Proxy Service.

    1. Open the Qlik Management Console (QMC).

    2. Go to Proxies.

    3. Double-click the proxy you want to use.

    4. On the Edit proxy page, under Security, paste the certificate thumbprint in the SSL browser certificate thumbprint field.

    5. Click Apply.

      The Qlik Sense Proxy Service will now restart. During the restart, Windows API calls are used to correctly bind the new certificate to its SSL ports.

  6. Verify that the certificate was accepted.

    When you open the Qlik Sense Hub or Qlik Management Console, the certificate will be shown in the browser.

    1. In Google Chrome, for example, you can verify the certificate by clicking on the padlock icon to the left of the URL. (The appearance may vary depending on the web browser you are using.)

    2. Make sure that the information displayed about the certificate matches the properties of the installed certificate, which you can find in the Microsoft Management Console on the General tab in the Certificate dialog.
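The import, verification, thumbprint and acceptance steps above can also be scripted. The following PowerShell is an added example, not part of the Qlik documentation; the PFX path and port 443 are assumptions, and the FQDN is the sample name used earlier on this page.

```powershell
# Added example. Run in an elevated PowerShell session on the proxy node.
# $PfxPath and port 443 are assumptions; the FQDN is this page's sample name.
$PfxPath   = 'C:\Temp\proxy-cert.pfx'
$ProxyFqdn = 'mktg-SGK.companyname.com'

# Step 2: import the certificate and its private key into Local Computer > Personal.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
    -CertStoreLocation 'Cert:\LocalMachine\My' | Where-Object HasPrivateKey | Select-Object -First 1
if (-not $cert) { throw 'The PFX did not import a certificate with a private key.' }

# Step 3: the checks the Certificate dialog shows, turned into pass/fail conditions.
$now = Get-Date
$problems = @()
if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
if ($cert.NotAfter -lt $now)  { $problems += "expired on $($cert.NotAfter)" }
# Builds the chain to a trusted root and checks that the name matches the FQDN.
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $ProxyFqdn `
    -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
if (-not $chainOk) { $problems += "chain or name check failed for $ProxyFqdn" }
if ($problems) { throw "Do not use this certificate: $($problems -join '; ')" }

# Step 4: read the thumbprint from the store. A copy from the dialog can include
# spaces or an invisible leading character that end up in the QMC field.
"Thumbprint for the QMC: $($cert.Thumbprint)"

# Step 6: read the certificate the proxy actually serves and compare it with the store.
function Get-ServedThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any certificate because it is only read and compared here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $tls.AuthenticateAsClient($HostName)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        $served.Thumbprint
    }
    finally { $tcp.Dispose() }
}

Read-Host 'Complete step 5 in the QMC, wait for the proxy restart, then press Enter' | Out-Null
if ((Get-ServedThumbprint -HostName $ProxyFqdn) -eq $cert.Thumbprint) {
    'The proxy is serving the imported certificate.'
} else {
    'The proxy is serving a different certificate; recheck the thumbprint in the QMC.'
}
```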
