Changing a proxy certificate

In Qlik Sense, all communication between services and the Qlik Sense web clients is based on web protocols. The web protocols use Secure Sockets Layer (SSL) for the following:

  • Encryption and exchange of information and keys
  • Certificates for authentication of the communicating parties

After a standard Qlik Sense installation, the Qlik Sense Proxy Service (QPS) includes a module that handles the encryption of traffic from the browser to the proxy. The certificate for communication between the web browser and the proxy can be replaced.

Примечание: Third-party certificates are bound to the Qlik Sense Proxy Service HTTPS port (443). Communication via the API port (4243) always uses the Qlik Sense server certificate.
Примечание: When editing a proxy certificate and the Qlik Sense services run with an account without administrator privileges (see Services), you need to configure the private key permissions for the certificate, (see Changing to a signed server proxy certificate).
Примечание: An admin needs to add read access to the certificate's private key for the group 'Qlik Sense service users' when the proxy is running with a user without admin privileges, otherwise the proxy cannot access the certificate.

This flow describes changing proxy certificate:

Выполните следующие действия.

  1. Install the new server certificate:

    1. Note down the thumbprint for the new certificate.
    2. Install the new server certificate on the proxy node, in the Windows Certificate Store in Local Machine/Personal.
    Примечание: To be valid, the certificate must contain a private key. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense Proxy Service.
    Примечание: When using a third-party certificate, it is required that the certificate is trusted in Windows, and that the private key is stored with the certificate in the Windows certificate store. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense Proxy Service.
    Примечание: Qlik Sense supports certificates that are made to use signing algorithms based on SHA-1 or SHA-256.
  2. Log into the QMC.

  3. Select Proxies on the QMC start page or from the StartS drop-down menu to display the overview.

  4. Find the relevant proxy in the overview and select Edit.
  5. Edit the SSL browser certificate thumbprint found in the Security property group by adding the thumbprint of the installed server certificate, from step 1 in this procedure.

  6. Click Apply in the action bar to apply and save your changes.

    Successfully updated is displayed at the bottom of the page.

  7. Restart proxy.

The installed certificate is now used for communication between the web browser and the proxy. A green padlock (or similar icon depending on browser) is displayed when entering the address of the QMC in your Internet browser. This means that the browser trusts the certificate and has identified the server machine. By default the QMC address is https://<QPS server name>/qmc.