When a client does not have a 3rd party or private CA certificate the browser will show "Not Secure" as in this screenshot:
After a client implements a 3rd party or private CA certificate and they attempt to access the QMC or HUB remotely they will see the following type of view showing "Secure":
If the client implements the new certificate and still receives the error ERR_CERT_COMMON_NAME_INVALID
, it is possible that the expected domain in the certificate and the domain listed in the URL do not match.Environment:
- Qlik Sense Enterprise all versions
Check that the URL being used and ensure that it matches the Fully Qualified Domain Name (FQDN) issued to the certificate.
For example, if a certificate is issued to qliksense.company.com, users can still access the QMC / Hub using the servername only (qliksense) but the web browser will produce a warning about a mismatch between qliksense and qliksense.company.com.
If you are concerned about whether a certificate is correctly bound, then inspect the Security_Proxy log in C:\ProgramData\Qlik\Sense\Log\Proxy\Trace. An example of a success binding of a certificate to the Proxy will look like:
Domain\qs_admin Set certificate 'CN=*.company.com, OU=PremiumSSL Wildcard, O=ACME, STREET="88 Broadway, Bldg 14", L=New York, S=ON, PostalCode=90213, C=CA' (D09777777738C5A799999994F9555AFF588888) as SSL certificate presented to browser, which is a 3rd party SSL certificate
Another important cause of this error is: the URL used in browser does not match "Subject Alternative Name" in the certificate.
In most browsers, when verifying website's identity, SubjectAlternativeName(SAN) is used first. If absent, then it falls back to Subject(or known as "Common Name" which is typically the same as "Issue to").
Since Google Chrome v58, this falling back behavior is dropped
. So if an SAN does not match URL, or SAN does not exist at all, ERR_CERT_COMMON_NAME_INVALID error will happen.
- Use the FQDN which align with the certificate
- Acquire a new certificate to include the appropriate SAN to match the URL which users will use to access Qlik Sense