Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW

Recreating Qlik Sense root CA certificate (manual back-up and removal of existing certificates)

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Andrew_Delaney
Support
Support

Recreating Qlik Sense root CA certificate (manual back-up and removal of existing certificates)

Last Update:

Sep 24, 2020 6:40:31 AM

Updated By:

Sonja_Bauernfeind

Created date:

Mar 4, 2020 8:21:39 AM

IMPORTANT NOTE: Following steps are applicable for Qlik Sense deployments originally installed with versions prior to the June 2019 release. For Qlik Sense deployments originally installed with the June 2019 or later releases, follow standard steps for patching Qlik Sense and do not perform steps below. If you are not certain about the initially installed version of Qlik Sense, please refer to Validating Qlik Sense root CA certificate for presence of CA:TRUE attribute to check the current certificate for the CA:TRUE attribute.

  1. Stop all services on ALL NODES in the Qlik Sense cluster.
  2. Back up ALL current Qlik Sense certificates from the CENTRAL NODE by follow “Backing up certificates” Help section
NOTE: In steps 11 and 19, if you happen to have more certificates with the same values in Issued To, Issued By and Friendly Name columns and you are unable to identify the correct certificate, please refer to Identifying Qlik Sense root CA and server certificates in certificate store.
  1. Remove current Qlik Sense root CA certificate from CENTRAL NODE by following steps 1 to 10 from “Backing up certificates” help section, then right-click on the certificate, select Delete and confirm with Yes
  2. Remove all current Qlik Sense certificates from NON-CENTRAL NODES by following steps 1 to 10, step 19 and 20 from “Backing up certificates” help section, then right-click on the certificate, select Delete and confirm with Yes
  3. Remove all current Qlik Sense certificates from NON-CENTRAL NODES stored locally, by deleting all files from the following location:

C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates

  1. On ALL NODES navigate to C:\Program Files\Qlik\Sense\Repository (or corresponding nondefault location) and open Repository.exe.config file.

  2. Make sure Certificates.SelfSignedRoot.BasicConstraintsCA key has value set to true, in example:
<add key="Certificates.SelfSignedRoot.BasicConstraintsCA" value="true" />
If the above key is not present, add it within <appSettings> section, in example:
(…)
<add key="BackgroundWork.CountLimit" value="3" />
<add key="Certificates.SelfSignedRoot.BasicConstraintsCA" value="true" />
<add key="DatabaseCommandTimeout" value="00:01:30" />
(…)

NOTE: If you are installing a patch on November 2018 track, name of the key is:

<add key="CertificatesSelfSignedRootBasicConstraintsCA" value="true" />
  1. On the CENTRAL NODE, start Qlik Sense Repository Database service.
  2. On CENTRAL NODE from an elevated command line navigate to C:\Program Files\Qlik\Sense\Repository (or corresponding nondefault location) and run:
repository.exe -bootstrap -iscentral
  1. When bootstrap mode has reached Entering main startup phase.., start Qlik Sense Service Dispatcher service and make sure that the Bootstrap mode has terminated. Press ENTER to exit.. final message is shown.

Note: If this message is not shown, open Windows Task Manager, find Qlik Sense Repository Service in the Processes tab and end it by right-clicking on it and selecting End task.

  1. On CENTRAL NODE restart Qlik Sense Service Dispatcher and start all remaining services to make sure new certificate is in use.
  2. On the NON-CENTRAL NODES, depending on the setup, perform either step a) or b) below:

a) Account running the Qlik Sense services has administrator privileges:

  • [Applicable ONLY for April 2019 track]: Delete host.cfg file from C:\ProgramData\Qlik\Sense\ 
  • Start Qlik Sense Repository Service.
  • Open the Qlik Management Console (QMC) and redistribute the certificates according to Redistributing a certificate
  • Restart Qlik Sense Repository Service and start all remaining services on the node to make sure they are using the newly distributed certificates.

b) Account running the Qlik Sense service does not have administrator privileges:

  • [Applicable ONLY for April 2019 track]: Delete host.cfg file from C:\ProgramData\Qlik\Sense\ 
  • in the command prompt, navigate to C:\Program Files\Qlik\Sense\Repository (or corresponding nondefault location), and run:
repository.exe -bootstrap
  • When the "Waiting for certificates to be installed..." message is displayed, redistribute the certificates according to Redistributing a certificate
  • Once the bootstrap mode has terminated, start the Qlik Sense Service Dispatcher, then start the Qlik Sense Repository Service, and finally the remaining Qlik Sense services.

Related Content:


 

Labels (3)
Contributors
Version history
Last update:
‎2020-09-24 06:40 AM
Updated by: