Skip to main content

Changing a proxy certificate

In Qlik Sense, all communication between services and the Qlik Sense web clients is based on web protocols. The web protocols use Secure Sockets Layer (SSL) for the following:

  • Encryption and exchange of information and keys
  • Certificates for authentication of the communicating parties

After a standard Qlik Sense installation, the Qlik Sense Proxy Service (QPS) includes a module that handles the encryption of traffic from the browser to the proxy. The certificate for communication between the web browser and the proxy can be replaced.

Note: Third-party certificates are bound to the Qlik Sense Proxy Service HTTPS port (443). Communication via the API port (4243) always uses the Qlik Sense server certificate.
Note: When editing a proxy certificate and the Qlik Sense services run with an account without administrator privileges (see Services), you need to configure the private key permissions for the certificate, (see Changing to a signed server proxy certificate).
Note: An admin needs to add read access to the certificate's private key for the group 'Qlik Sense service users' when the proxy is running with a user without admin privileges, otherwise the proxy cannot access the certificate.

This flow describes changing proxy certificate:

Example workflow for using/changing server proxy certificates. First the certificate is manually installed, and then the admin logs into QMC, finds the Select Proxies dialog, finds the desired proxy node, and adds a thumbprint selection. Installed certificate will then be used for communication between browser and proxy

Do the following:

  1. Install the new server certificate:

    1. Note down the thumbprint for the new certificate.
    2. Install the new server certificate on the proxy node, in the Windows Certificate Store in Local Machine/Personal.
    Note: To be valid, the certificate must contain a private key. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense Proxy Service.
    Note: When using a third-party certificate, it is required that the certificate is trusted in Windows, and that the private key is stored with the certificate in the Windows certificate store. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense Proxy Service.
    Note: Qlik Sense supports certificates that are made to use signing algorithms based on SHA-1 or SHA-256.
  2. Open the QMC: https://<QPS server name>/qmc

  3. Select Proxies on the QMC start page or from the StartArrow down drop-down menu to display the overview.

  4. Find the relevant proxy in the overview and select Edit.
  5. Edit the SSL browser certificate thumbprint found in the Security property group by adding the thumbprint of the installed server certificate, from step 1 in this procedure.

  6. Click Apply in the action bar to apply and save your changes.

    Successfully updated is displayed at the bottom of the page.

  7. Restart proxy.

The installed certificate is now used for communication between the web browser and the proxy. A green padlock (or similar icon depending on browser) is displayed when entering the address of the QMC in your Internet browser. This means that the browser trusts the certificate and has identified the server machine. By default, the QMC address is https://<QPS server name>/qmc.