How to change the certificate used by Qlik Sense Hub and QMC?
By default, a self-signed certificate is used to secure communication between the web browser (client) and the Proxy. This results in a warning in the client web browser such as "The site's security certificate is not trusted" (Chrome) or "This Connection is Untrusted".
Related information can be found under Changing to a signed server proxy certificate.
Also see in Qlik Community: Qlik Sense Hub and QMC with a custom SSL certificate on our #QlikSupport Update blog for more detailed steps.
Environment:
Qlik Sense all versions
To establish a secure https connection, the browser must trust the SSL/TLS certificate installed on the server. In the case of self-signed certificates, the signing Certificate Authority is not trusted, hence no certificates generated by the CA are trusted.
A 3rd party certificate can be purchased and installed, or one can be issued by a private CA. This certificate does not replace existing Sense certificates. These steps do NOT require the deletion of any already existing Sense certificates. Deleting the Qlik Sense generated certificates may damage the system, breaking service communication.
Note2: Before getting started, ensure that the new certificate issued by the specific CA is compatible with Qlik Sense. See Qlik Sense: Compatibility information for third-party SSL certificates
Note3: In addition, it is highly recommended to enable HTTP, at least temporarily, in case any issue breaks HTTPS connections.
To resolve this issue, it is recommended that the certificate used for communication between the web browser (client) and the proxy be replaced with a Signed Server Certificate from a trusted Certificate Authority. The following steps need to be performed to accomplish this:
Note: If still using the Qlik Sense self-signed certificate, an alternative solution is also documented under General: what does the certificate error(red cross) in browser mean and how to fix it
- Obtain a valid Signed Server Certificate matching the Proxy node URL from a trusted Certificate Authority (such as VeriSign, GlobalSign or a trusted Enterprise CA), or a wildcard certificate (i.e. *.domain.com) matching the domain of the Proxy node URL. Warning for iOS: trusted Enterprise CAs are not supported; refer to the article iOS devices cannot open QlikSense Apps on the HUB
- Import the above certificate into Windows Local Computer Certificate Store
- Obtain the thumbprint for the above certificate
- Configure the Proxy node to use the above certificate
Note: The certificate must contain a private key, regardless of the Qlik Sense version, and the key needs to have been marked as "Exportable" (i.e. the setting "Mark this key as exportable...").
You can verify that a key is present by reviewing the certificate in the MMC.
Import the certificate
Log on as the Qlik Service account or switch to the Qlik Service account.
- Launch Microsoft Management Console (mmc.exe) on the Proxy node
- In the MMC, go to File > Add / Remove Snap-in...
- Select Certificates and click Add
- Select Computer account, click Next, select Local computer and click Finish
- In the MMC, go to Certificates (Local Computer)/Personal
- In the MMC, go to Actions > All Tasks > Import...
- Browse to the certificate file provided to you from your CA
- Follow the instructions on the screen to import the certificate, including the private key. At the "Certificate Store" window, select "Automatically select the certificate store based on the type of certificate"
- Verify the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key
- Double-click the Certificate > Certification Path and confirm it shows "This certificate is OK"
Warning: You must make sure that the certificate is available for the account that is running Qlik Sense services. The best way to do this is to run/execute the MMC as the service account (not a local user or admin account) and see if the certificate is visible in Personal > Certificates.
If you are running services with local system, you can use a tool such as Psexec to execute the MMC as local system and check that the certificate is available.
Locate the Certificate thumbprint
- In the MMC, right-click the imported certificate above and select Open
- On the Details tab, scroll down and select Thumbprint
- Mark/highlight the thumbprint hash and press CTRL+C to copy the hash to the clipboard
- Paste the hash in Notepad
- In some circumstances, there are non-Unicode characters, which should become apparent when pasting into Notepad
- In some circumstances, you need to remove all spaces in the thumbprint (Use Replace function)
Configure the Proxy node
- Open Qlik Management Console (QMC)
- Go to Proxies
- Select your Proxy and click Edit
- In the right pane, select Security
- Scroll down and locate "SSL browser certificate thumbprint" in the Security section
- Paste the thumbprint for the new certificate from above
- Click Apply
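The MMC checks and the thumbprint clean-up described above can also be done from PowerShell on the Proxy node. The following is an added example, not part of the original article and not Qlik tooling; the host name and the pasted thumbprint are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example, not Qlik's own tooling. Run in PowerShell on the Proxy node.
# Assumption: $ProxyHost is a placeholder; set it to the host name in your Proxy node URL.
$ProxyHost = 'qlik.example.com'

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # Keep hex digits only: removes spaces and any invisible characters
    # picked up when copying from the certificate's Details tab.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function Get-ProxyCertificateReport {
    param([Parameter(Mandatory)][string]$DnsName)
    # Cert:\LocalMachine\My is "Certificates (Local Computer) > Personal" in the MMC.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $check = @{
            Cert          = $_
            Policy        = 'SSL'        # validate the chain as a TLS server certificate
            DNSName       = $DnsName     # and check that it is valid for this host name
            WarningAction = 'SilentlyContinue'
            ErrorAction   = 'SilentlyContinue'
        }
        [pscustomobject]@{
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            ValidForHost  = [bool](Test-Certificate @check)
            Thumbprint    = $_.Thumbprint   # already upper-case hex without spaces
        }
    }
}

# 1. List the certificates in the store; the one to use has HasPrivateKey and ValidForHost = True.
Get-ProxyCertificateReport -DnsName $ProxyHost |
    Sort-Object ValidForHost, HasPrivateKey -Descending |
    Format-List

# 2. Clean a thumbprint copied from the MMC before pasting it into the QMC.
#    Constructed sample value: leading invisible U+200E, spaces, lower-case hex.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
$thumb  = ConvertTo-CleanThumbprint $pasted
if (Test-Path -Path "Cert:\LocalMachine\My\$thumb") {
    "Thumbprint $thumb found in Local Computer > Personal."
} else {
    "Thumbprint $thumb is NOT in Local Computer > Personal; re-check the import."
}
```

Taking the Thumbprint value straight from the report output avoids the copy-and-paste clean-up altogether.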