A third-party certificate was configured in the Qlik Sense Proxy, but is not being used. "The connection isn't private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on Hub access.
Environment:
Qlik Sense all versions
Qlik Sense Enterprise uses self-signed and self-generated certificates to protect communication between services, as well as user web traffic to the Hub and QMC. You can also use a third-party issued SSL certificate to protect client web traffic, because the self-signed certificate causes a certificate warning to be displayed in your browser (such as Google Chrome or Internet Explorer). Third-party certificates are not supported by Qlik.
If your third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense, or if it does not have the correct attributes and ciphers, the Qlik Sense Repository Service will revert to using the default certificates. You may also notice the following error in your Proxy Security logs:
Example from: C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\HOSTNAME_Security_Proxy.txt
No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE])
Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE]
Reverting to default Qlik Sense SSLCertificate
Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser
In order for Qlik Sense Enterprise to correctly recognise the third-party certificate as valid, the certificate will have to meet the following requirements:
Certificates that we know work well with Qlik Sense have the following attributes:
- Certificates that are x509 version 3
- Use signature algorithm sha256RSA
- Use signature hash algorithm sha256
- Signed by a valid CA that is configured in the OS/browser
- Are valid according to date restrictions (valid from/valid to)
- Private key in CryptoAPI format (not CNG)
- Note: The certificate itself must contain the private key, regardless of Qlik Sense version.
Also double-check that the CA certificate, and any relevant intermediate CA certificates, are correctly installed. Should any be missing, the Qlik Sense proxy will not use the server certificate and will revert to using the self-signed certificate instead.
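The attribute list and the CA chain check above can be run against the installed certificate before it is assigned to the proxy. The following is an added example, not Qlik code: the function name Test-QlikProxyCertificate is hypothetical, and it assumes Windows PowerShell 5.1 (.NET Framework) run elevated, an RSA certificate, and a certificate installed in the LocalMachine\My store.

```powershell
# Added example; Test-QlikProxyCertificate is a hypothetical helper, not a Qlik cmdlet.
# Assumes Windows PowerShell 5.1, elevated, certificate in Cert:\LocalMachine\My.
function Test-QlikProxyCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from the certificate dialog can carry spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Thumbprint must be 40 hex characters" }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "No certificate $clean in Cert:\LocalMachine\My" }

    # On .NET Framework a CryptoAPI key is returned as RSACryptoServiceProvider
    # and a CNG key as RSACng, which separates the two storage formats.
    $keyType = 'none'
    if ($cert.HasPrivateKey) {
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key) { $keyType = $key.GetType().Name }
        } catch {
            $keyType = "unreadable: $($_.Exception.Message)"
        }
    }

    # Build the chain in machine context; a missing intermediate or untrusted root
    # appears in ChainStatus. Revocation is not part of the list above, so skip it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    [pscustomobject]@{
        Subject         = $cert.Subject
        X509Version3    = ($cert.Version -eq 3)
        # 1.2.840.113549.1.1.11 is the OID Windows displays as sha256RSA.
        SignatureSha256 = ($cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.11')
        WithinValidity  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey   = $cert.HasPrivateKey
        KeyIsCryptoAPI  = ($keyType -eq 'RSACryptoServiceProvider')
        KeyType         = $keyType
        ChainTrusted    = $chainOk
        ChainStatus     = $chainStatus
    }
}

# Usage (replace the placeholder with the thumbprint configured on the proxy):
# Test-QlikProxyCertificate -Thumbprint '<CERTIFICATE THUMBPRINT HERE>'
```

Any False value in the output points at the matching item in the list above. Windows chain building may fetch a missing intermediate over the network, so ChainTrusted being True on a connected server does not by itself prove the intermediate is installed locally.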