
How to change the Qlik Sense Proxy certificate if the service account does not have local administrative permissions
Apr 27, 2023 5:32:14 AM
Aug 24, 2017 4:29:39 AM
By default, Qlik Sense uses a self-signed certificate to enable HTTPS access to both the Hub and the Management Console. Web browsers cannot validate or trust self-signed certificates, so they tend to display a warning message.
To establish a secure HTTPS connection, the browser must trust the SSL/TLS certificate installed on the server. In the case of self-signed certificates, the signing Certificate Authority is not trusted, hence no certificates generated by the CA are trusted.
The steps on how to apply a third-party (and trusted) certificate can be found in: How to change the certificate used by the Qlik Sense Proxy to a custom third party certificate.
However, if your Service Account does not have administrative permissions, you will see the Proxy reverting to the old certificate or otherwise not behaving as expected.
These error messages may be seen in the Proxy Security log:
Certificate 'CN=<servername>' (2F66E692BBC9DCB5EF43853248A667EAD7CB27B2) is invalid because it was not signed correctly by 'CN=<servername>-CA'
or
Unkown error when accessing the private key for certificate
or
No private key found for certificate
or
Couldn't find a valid ssl certificate with thumbprint
or
Reverting to default Qlik Sense SSLCertificate
The Qlik Sense Proxy System log may register the following:
INFO <servername> System.Proxy.Proxy.Core.QPSMain 8 40e67960-d393-4881-a7c8-efafe089ef0f <serviceAccount> Settings has been updated but will not take effect until bootstrap mode has been run on the repository
Resolution
- Verify that the certificate follows Qlik's requirements: Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL certificates to use ...
- Give access to the Private Key in the certificate store to the user running the services. See How to manage Certificate Private Key for details.
- Stop the Qlik Sense services, except for the Qlik Sense Repository Database and Qlik Sense Service Dispatcher services.
- Open an elevated command prompt and run repository.exe -bootstrap (if this is the central node, add the iscentral flag). Review Changing the user account to run Qlik Sense services for details.
- Start Qlik Sense services.
The Qlik Sense Proxy Security logs should now show the certificate being used properly:
QlikServer1 Security.Proxy.Qlik.Sense.Common.Security.Cryptography.LoggingDigester DOMAIN\_service Setting crypto key for log file secure signing: success
QlikServer1 Security.Proxy.Qlik.Sense.Common.Security.Cryptography.SecretsKey DOMAIN\_service retrieving symmetric key from cert: success
QlikServer1 Security.Proxy.Qlik.Sense.Common.Security.Cryptography.CryptoKey DOMAIN\_service setting crypto key: success
QlikServer1 Security.Proxy.Qlik.Sense.Communication.Security.CertSetup 'CN=localhost' (08C871933A58E072FED7AD65E2DB6D5AD3EAF9FA) as SSL certificate presented to browser, which is a 3rd party SSL certificate
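One way to carry out the private-key step of the Resolution from PowerShell, as an added example that is not Qlik's own tooling or part of the original article: it reports whether the service account has a direct Read entry on the certificate's private key file and adds one only when `-Grant` is passed. The parameter names and the `DOMAIN\_service` value are placeholders, and the script assumes an RSA certificate installed in the Local Machine Personal store.

```powershell
# Added example: report (and with -Grant, add) Read access on a certificate's
# private key file for the account running the Qlik Sense services.
# Run elevated. Handles RSA keys only; checks direct ACL entries, not group grants.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,      # third-party certificate thumbprint
    [Parameter(Mandatory)] [string] $ServiceAccount,  # placeholder, e.g. 'DOMAIN\_service'
    [switch] $Grant                                    # omit to run as a read-only check
)

# Thumbprints pasted from the certificate dialog often carry spaces or hidden characters.
$clean = $Thumbprint -replace '[^0-9A-Fa-f]'
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean
if (-not $cert) { throw "No certificate $clean in LocalMachine\My (assumed store)" }
if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key" }

# Resolve the key container name: CNG keys expose Key.UniqueName,
# legacy CSP keys expose CspKeyContainerInfo.UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Not an RSA key, or the key could not be opened" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine keys live in one of two directories depending on the key provider.
$keyFile = "$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" |
    ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file $keyName not found in the machine key stores" }

# Compare by SID so differently formatted account names still match.
$sid  = ([System.Security.Principal.NTAccount] $ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier])
$acl  = Get-Acl -Path $keyFile
$read = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = [bool]($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $sid.Value -and
                   ($_.FileSystemRights -band $read) -eq $read })

if (-not $hasRead -and $Grant) {
    # Read is sufficient for using the key; Full Control is not needed.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    $hasRead = $true
}
[pscustomobject]@{ Thumbprint = $clean; KeyFile = $keyFile; Account = $ServiceAccount; ReadAccess = $hasRead }
```

A result of `ReadAccess = False` without `-Grant` is consistent with the "No private key found for certificate" and "Unkown error when accessing the private key for certificate" entries listed above.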
Environment:
Qlik Sense Enterprise on Windows, all versions