Changing to a signed server proxy certificate

By default, a self-signed certificate is used to secure communication between the web browser (client) and the Qlik Sense proxy. This results in a warning in the client web browser, such as "The site's security certificate is not trusted" (Chrome) or "This Connection is Untrusted" (Firefox). To resolve this issue, the certificate used for communication between the web browser (client) and the proxy must be replaced with a signed server certificate from a trusted certificate authority (CA).

Примечание: The existing self-signed certificate is secure. The warning is displayed because the web browser does not have enough information to decide whether or not the certificate is secure. By following the procedures described here you remove the warning in the client web browser.

Major steps

The following major steps are required when changing to a signed server proxy. Steps 2-4 have detailed procedures in the subsections.

  1. Obtain a valid signed server certificate matching the proxy node URL, from a trusted CA, such as VeriSign or GlobalSign.
  2. Import the certificate into Windows Local Computer Certificate Store.
  3. Locate the thumbprint for the certificate.
  4. Configure the proxy node to use the certificate.
Примечание: The certificate itself has to contain a private key regardless of the Qlik Sense version. You can verify if a key is present by reviewing the certificate in the Microsoft Management Console (MMC). You should see a confirmation message: "You have a private key that corresponds to this certificate."

Importing the certificate

Выполните следующие действия.

  1. Launch the MMC on the proxy node.
  2. In the MMC, open File > Add / Remove Snap-in....
  3. Select Certificates and click Add.
  4. Select Computer account, click Next, select Local computer and click Finish.
  5. In the MMC, open Certificates (Local Computer)/Personal.
  6. In the MMC, open Actions > All Tasks > Import....
  7. Browse to the certificate file provided by your CA.
  8. Follow the instructions on the screen to import the certificate, including the private key.
  9. Verify that the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key.
  10. Double-click the Certificate > Certification Path and confirm it shows "This certificate is OK".
Предупреждение: You must make sure that the certificate is available for the service account that is running the Qlik Sense services. The best way to do this is to run the MMC as the service account and see if the certificate is visible in Personal > Certificates. If you are running services with local system, you can use a tool such as Psexec to run the MMC as local system and check that the certificate is available.

Configuring the private key permissions for the certificate

When editing a proxy certificate and the Qlik Sense services run with an account without administrator privileges (see Services), you need to configure the private key permissions for the certificate as follows:

  1. Launch the MMC on the proxy node.

  2. In the MMC, open Certificates (Local Computer)/Personal.

  3. Select the certificate provided by your CA.

  4. Open Actions > All Tasks > Manage Private Keys.

  5. In the Permissions pop-up, add read permissions to the group "Qlik Sense Service Users", alternatively, to the specific service user that is running the Qlik Sense services.

  6. Restart the Qlik Sense Proxy Service.

Locating the certificate thumbprint

Выполните следующие действия.

  1. In the MMC, right-click the imported certificate and select Open.
  2. On the Details tab, scroll down and select Thumbprint.
  3. Mark/highlight the thumbprint hash value and press CTRL+C to copy the hash value to the clipboard.
  4. Paste the hash value in a text editor and remove all the spaces.

Configuring the proxy node

Выполните следующие действия.

  1. Open the Qlik Management Console(QMC).
  2. Open Proxies.
  3. Select your proxy and click Edit.
  4. In Properties to the right, select Security.
  5. Scroll down and locate SSL browser certificate thumbprint in the Security section.
  6. Paste the thumbprint hash value for the new certificate (from the text editor).
  7. Click Apply.

You should now be able to access the Qlik Sense proxy without the browser warning.