ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate
Article Number: 000030388 | Last Modified: 2019/12/18
After a client implements a 3rd party or private CA certificate and attempts to access the QMC or Hub remotely, they will see the following type of view showing "Secure":
If the client implements the new certificate and still receives the error ERR_CERT_COMMON_NAME_INVALID, it is possible that the expected domain in the certificate and the domain listed in the URL do not match.
- Qlik Sense Enterprise all versions
For example, if a certificate is issued to qliksense.company.com, users can still access the QMC / Hub using the servername only (qliksense) but the web browser will produce a warning about a mismatch between qliksense and qliksense.company.com.
If you are concerned about whether a certificate is correctly bound, inspect the Security_Proxy log in C:\ProgramData\Qlik\Sense\Log\Proxy\Trace. An example of a successful binding of a certificate to the Proxy will look like:
Another important cause of this error is that the URL used in the browser does not match the "Subject Alternative Name" in the certificate.
In most browsers, when verifying a website's identity, the Subject Alternative Name (SAN) is checked first. If it is absent, the browser falls back to the Subject (also known as the "Common Name", which is typically the same as "Issued to").
Since Google Chrome v58, this fallback behavior has been dropped. So if the SAN does not match the URL, or no SAN exists at all, the ERR_CERT_COMMON_NAME_INVALID error will occur.
- Use the FQDN that aligns with the certificate
- Acquire a new certificate that includes the appropriate SAN to match the URL users will use to access Qlik Sense
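
The matching rule described above (SAN first, Common Name only as a legacy fallback) can be modelled in a few lines to predict which URL and certificate combinations will trigger the error. This is an added example, not Qlik or browser code; the function names and sample certificates are constructed for illustration, and the wildcard handling goes slightly beyond the article and is simplified compared with a real browser.

```python
# Added example: simplified model of the hostname check described above.
# Certificate dicts follow the layout of ssl.SSLSocket.getpeercert().

def name_matches(pattern, host):
    """Compare one certificate DNS name with the URL host, case-insensitively.
    A '*' is honoured only as the whole leftmost label and covers one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]

def san_dns_names(cert):
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_host(cert, host, cn_fallback=False):
    """Return (ok, reason). cn_fallback=False models Chrome 58 and later;
    cn_fallback=True models the older fallback to the Common Name."""
    sans = san_dns_names(cert)
    if sans:  # a SAN is present, so the Common Name is never consulted
        if any(name_matches(s, host) for s in sans):
            return True, "host matches a SAN entry"
        return False, "SAN present, but no entry matches the host"
    if not cn_fallback:
        return False, "no SAN, and Common Name fallback is not used"
    if any(name_matches(c, host) for c in common_names(cert)):
        return True, "host matches the Common Name (legacy fallback)"
    return False, "no SAN, and the Common Name does not match the host"

# Constructed sample certificates using the host names from this article.
CERT_CN_ONLY = {"subject": ((("commonName", "qliksense.company.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "qliksense.company.com"),),),
    "subjectAltName": (("DNS", "qliksense.company.com"),),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("CN + SAN", CERT_WITH_SAN)):
        for host in ("qliksense.company.com", "qliksense"):
            for fallback in (True, False):
                ok, why = check_host(cert, host, cn_fallback=fallback)
                print(f"{label:9} {host:22} fallback={fallback!s:5} -> {ok}: {why}")
```

To check a live server, the same dict can be obtained from `ssl.SSLSocket.getpeercert()` on a verified connection and passed to `check_host` together with the host name users type into the browser.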