Skip to main content

Changing a proxy certificate

In Qlik Sense, all communication between services and the Qlik Sense web clients is based on web protocols. The web protocols use Secure Sockets Layer (SSL) for the following:

  • Encryption and exchange of information and keys
  • Certificates for authentication of the communicating parties

After a standard Qlik Sense installation, the Qlik Sense Proxy Service (QPS) includes a module that handles the encryption of traffic from the browser to the proxy. The certificate for communication between the web browser and the proxy can be replaced.

Information noteThird-party certificates are bound to the Qlik Sense Proxy Service HTTPS port (443). Communication via the API port (4243) always uses the Qlik Sense server certificate.
Information noteWhen editing a proxy certificate and the Qlik Sense services run with an account without administrator privileges (see Services), you need to configure the private key permissions for the certificate, (see Changing to a signed server proxy certificate).
Information noteAn admin needs to add read access to the certificate's private key for the group 'Qlik Sense service users' when the proxy is running with a user without admin privileges, otherwise the proxy cannot access the certificate.

This flow describes changing proxy certificate:

Example workflow for using/changing server proxy certificates. First the certificate is manually installed, and then the admin logs into QMC, finds the Select Proxies dialog, finds the desired proxy node, and adds a thumbprint selection. Installed certificate will then be used for communication between browser and proxy

Do the following:

  1. Install the new server certificate:

    1. Note down the thumbprint for the new certificate.
    2. Install the new server certificate on the proxy node, in the Windows Certificate Store in Local Machine/Personal.
    Information noteTo be valid, the certificate must contain a private key. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense Proxy Service.
    Information noteWhen using a third-party certificate, it is required that the certificate is trusted in Windows, and that the private key is stored with the certificate in the Windows certificate store. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense Proxy Service.
    Information noteQlik Sense supports the same certificates as Windows certificate store, depending on the certificates allowed by the Windows server configuration. Typically, this includes signing algorithms based on SHA-1 and SHA-2 (SHA-256 and SHA-384). It is recommended to use at least one of the SHA-2 variants.
  2. Open the QMC: https://<QPS server name>/qmc

  3. Select Proxies on the QMC start page or from the StartArrow down drop-down menu to display the overview.

  4. Find the relevant proxy in the overview and select Edit.
  5. Edit the SSL browser certificate thumbprint found in the Security property group by adding the thumbprint of the installed server certificate, from step 1 in this procedure.

  6. Click Apply in the action bar to apply and save your changes.

    Successfully updated is displayed at the bottom of the page.

  7. Restart proxy.

The installed certificate is now used for communication between the web browser and the proxy. A green padlock (or similar icon depending on browser) is displayed when entering the address of the QMC in your Internet browser. This means that the browser trusts the certificate and has identified the server machine. By default, the QMC address is https://<QPS server name>/qmc.

Information noteFor troubleshooting of the SSL certificates, see Qlik Sense: Compatibility information for third-party SSL certificates to use with HUB/QMC.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!