Changing to a signed server proxy certificate
By default, a self-signed certificate is used to secure communication between the web browser (client) and the Qlik Sense proxy. This results in a warning in the client web browser, such as "The site's security certificate is not trusted" (Chrome) or "This Connection is Untrusted" (Firefox). To resolve this issue, the certificate used for communication between the web browser (client) and the proxy must be replaced with a signed server certificate from a trusted certificate authority (CA).
Major steps
The following major steps are required when changing to a signed server proxy. Steps 2-4 have detailed procedures in the subsections.
- Obtain a valid signed server certificate matching the proxy node URL, from a trusted CA, such as VeriSign or GlobalSign.
- Import the certificate into Windows Local Computer Certificate Store.
- Locate the thumbprint for the certificate.
- Configure the proxy node to use the certificate.
Importing the certificate
Do the following:
- Launch the MMC on the proxy node.
- In the MMC, open File > Add / Remove Snap-in....
- Select Certificates and click Add.
- Select Computer account, click Next, select Local computer and click Finish.
- In the MMC, open Certificates (Local Computer)/Personal.
- In the MMC, open Actions > All Tasks > Import....
- Browse to the certificate file provided by your CA.
- Follow the instructions on the screen to import the certificate, including the private key.
- Verify that the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key.
- Double-click the Certificate > Certification Path and confirm it shows "This certificate is OK".
Configuring the private key permissions for the certificate
When editing a proxy certificate and the Qlik Sense services run with an account without administrator privileges (see Services), you need to configure the private key permissions for the certificate as follows:
-
Launch the MMC on the proxy node.
-
In the MMC, open Certificates (Local Computer)/Personal.
-
Select the certificate provided by your CA.
-
Open Actions > All Tasks > Manage Private Keys.
-
In the Permissions pop-up, add read permissions to the group "Qlik Sense Service Users", alternatively, to the specific service user that is running the Qlik Sense services.
-
Restart the Qlik Sense Proxy Service.
Locating the certificate thumbprint
Do the following:
- In the MMC, right-click the imported certificate and select Open.
- On the Details tab, scroll down and select Thumbprint.
- Mark/highlight the thumbprint hash value and press CTRL+C to copy the hash value to the clipboard.
- Paste the hash value in a text editor and remove all the spaces.
Configuring the proxy node
Do the following:
-
Open the QMC: https://<QPS server name>/qmc
- Open Proxies.
- Select your proxy and click Edit.
- In Properties to the right, select Security.
- Scroll down and locate SSL browser certificate thumbprint in the Security section.
- Paste the thumbprint hash value for the new certificate (from the text editor).
- Click Apply.
You should now be able to access the Qlik Sense proxy without the browser warning.