Skip to main content

Changing a proxy certificate

In Qlik Sense, all communication between services and the Qlik Sense web clients is based on web protocols. The web protocols use Secure Sockets Layer (SSL) for the following:

  • Encryption and exchange of information and keys
  • Certificates for authentication of the communicating parties

After a standard Qlik Sense installation, the Qlik Sense proxy service (QPS) includes a module that handles the encryption of traffic from the browser to the proxy. The certificate for communication between the web browser and the proxy can be replaced.

Information noteThird-party certificates are bound to the Qlik Sense proxy service HTTPS port (443). Communication via the API port (4243) always uses the Qlik Sense server certificate.
Information noteWhen editing a proxy certificate as a user without admin privileges, you need to run the repository in bootstrap mode before the changes take effect. See: Services
Information noteAn admin needs to add read access to the certificate's private key for the group 'Qlik Sense service users' when the proxy is running with a user without admin privileges, otherwise the proxy cannot access the certificate.

This flow describes changing proxy certificate:

Do the following:

  1. Install the new server certificate:

    1. Note down the thumbprint for the new certificate.
    2. Install the new server certificate on the proxy node, in the Windows Certificate Store in Local Machine/Personal.
    Information noteTo be valid, the certificate must contain a private key. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense proxy service.
    Information noteWhen using a third-party certificate, it is required that the certificate is trusted in Windows, and that the private key is stored with the certificate in the Windows certificate store. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense proxy service.
    Information noteQlik Sense supports certificates that are made to use signing algorithms based on SHA-1 or SHA-256.
  2. Log into the QMC.

  3. Select Proxies on the QMC start page or from the StartS drop-down menu to display the overview.

  4. Find the relevant proxy in the overview and select Edit.
  5. Edit the SSL browser certificate thumbprint found in the Security property group by adding the thumbprint of the installed server certificate, from step 1 in this procedure.

  6. Click Apply in the action bar to apply and save your changes.

    Successfully updated is displayed at the bottom of the page.

  7. Restart proxy.

The installed certificate is now used for communication between the web browser and the proxy. A green padlock (or similar icon depending on browser) is displayed when entering the address of the QMC in your Internet browser. This means that the browser trusts the certificate and has identified the server machine. By default the QMC address is https://<QPS server name>/qmc.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!