Handling of certificates when a service starts

This section describes how the Qlik Sense Repository Service (QRS) on the central node in a Qlik Sense site handles the certificates when a Qlik Sense service starts.

Client certificate

The client certificate is located in the following place in the Microsoft Windows certificate store:

Current User>Personal>Certificates

When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense certificates. Depending on the results of the search, the QRS does the following:

  • If no client certificate is found, creates a new certificate.
  • If only one client certificate is found, checks if it is valid. If the certificate is not valid, deletes the certificate and creates a new one. In addition, logs that an invalid certificate was found and deleted.
  • If more than one client certificate is found, deletes all certificates and creates a new one. Duplicates are not allowed. In addition, logs the number of valid and invalid certificates that were found and deleted.

Server certificate

The server certificate is located in the following place in the Microsoft Windows certificate store:

Local Computer>Personal>Certificates

When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense certificates. Depending on the results of the search, the QRS does the following:

  • If no server certificate is found, creates a new certificate.
  • If only one server certificate is found, checks if it is valid. If the certificate is not valid, deletes the certificate and creates a new one. In addition, logs that an invalid certificate was found and deleted.
  • If more than one server certificate is found, deletes all certificates and creates a new one. Duplicates are not allowed. In addition, logs the number of valid and invalid certificates that were found and deleted.

Root certificate

The root certificate is located in the following places in the Microsoft Windows certificate store:

Current User>Trusted Root Certification Authorities>Certificates

Local Computer>Trusted Root Certification Authorities>Certificates

When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense certificates. Depending on the results of the search, the QRS does the following:

  • If no root certificate is found, creates a new certificate.
  • If only one root certificate is found, checks if it is valid. If the certificate is valid, does nothing. If it is not valid, logs a fatal error stating that an invalid root certificate was found. The Qlik Sense service is then shut down, and the administrator has to manually delete any unwanted certificates. In addition, logs information on the certificates that are affected by this.
  • If more than one root certificate is found, logs a fatal error stating that an invalid root certificate was found. The Qlik Sense service is then shut down, and the administrator has to manually delete any unwanted certificates. In addition, logs information on the certificates that are affected by this.

Definition of invalid certificate

The definition of an invalid certificate is as follows:

  • The operating system considers the certificate to be too old or the certificate chain is incorrect or incomplete.
  • The Qlik Sense certificate extension (OID “1.3.6.1.5.5.7.13.3”) is missing or does not reflect the location of the certificate:
    • Current User/Personal certificate location: Client
    • Local Machine/Personal certificate location: Server
    • Local Machine/Trusted Root certificate location: Root
    • Current User/Trusted Root certificate location: Root
  • The server, client, and root certificates on the central node do not have a private key that the operating system allows them to access.
  • The server and client certificates are not signed by the root certificate on the machine.
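
The following read-only PowerShell audit is an added example, not Qlik code. On the central node it lists the certificates that carry the Qlik Sense extension in each of the four store locations above and reports what the rules on this page predict at the next service start. Assumptions: rules are evaluated per store location, the script runs as the account that runs the Qlik Sense services (Current User stores are per account), and the validity test is an approximation (chain build plus an associated private key) that does not decode the extension value or confirm which root signed the certificate. The function name `Test-QlikCertLooksValid` is hypothetical.

```powershell
# Added example: read-only pre-start audit. Nothing is deleted or created.
$QlikOid = '1.3.6.1.5.5.7.13.3'   # Qlik Sense certificate extension OID (from the page)

# Store locations and the role each one must hold (from the page).
$stores = @(
    @{ Path = 'Cert:\CurrentUser\My';    Role = 'Client' },
    @{ Path = 'Cert:\LocalMachine\My';   Role = 'Server' },
    @{ Path = 'Cert:\CurrentUser\Root';  Role = 'Root'   },
    @{ Path = 'Cert:\LocalMachine\Root'; Role = 'Root'   }
)

function Test-QlikCertLooksValid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Approximation of the page's definition: the chain builds and the dates are
    # current (revocation lookups skipped), and a private key is associated.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    return ($chain.Build($Cert) -and $Cert.HasPrivateKey)
}

foreach ($s in $stores) {
    # Select only certificates that carry the Qlik Sense extension.
    $found = @(Get-ChildItem -Path $s.Path | Where-Object {
        $_.Extensions | Where-Object { $_.Oid.Value -eq $QlikOid }
    })
    $valid = @($found | Where-Object { Test-QlikCertLooksValid $_ })
    $oneValid = ($found.Count -eq 1 -and $valid.Count -eq 1)

    # Predicted startup behaviour, following the page's rules for each role.
    $action = if ($found.Count -eq 0) {
        'QRS creates a new certificate'
    } elseif ($oneValid) {
        'None, certificate is kept'
    } elseif ($s.Role -eq 'Root') {
        'FATAL: service shuts down, manual cleanup required'
    } else {
        'QRS deletes the found certificates and creates a new one'
    }

    [pscustomobject]@{
        Store       = $s.Path
        Role        = $s.Role
        Found       = $found.Count
        LooksValid  = $valid.Count
        Action      = $action
        Thumbprints = ($found.Thumbprint -join ', ')
    }
}
```

A `FATAL` row for either root store identifies the thumbprints to review before starting the services, since the QRS does not clean up root certificates itself.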