Hello everyone! This video aims at walking through how to resolve
common web browser certificate issues and how to change the certificate used by Qlik
Sense Hub and QMC. Qlik Sense uses a self-signed certificate
by default. So a certificate error is experienced when
logging on to QMC and Hub from a computer other than the server. The specific error code displayed by all major
browsers will indicate an invalid CA, or in the case of Firefox, an UNKNOWN_ISSUER. Issuer meaning the Certificate Authority,
which is abbreviated as CA. The reason for these errors is that the
Certificate Authority (CA), which is the Qlik Sense server in this case, is not trusted
by the client's browsers. The user may click on "Advanced" for the option
of bypassing the error as a temporary workaround. However, in a production environment a fully
trusted connection will most likely be needed. In some scenarios such as in testing or non-production,
administrators may choose to install the Qlik Sense root CA self-signed certificate on the
client computers. The Qlik Sense self-signed certs have a two-level
trust structure, as can be seen in the Certification Path, so we can use the
root certificate to make the Qlik Sense CA trusted by the client and resolve the error
related to an unknown or invalid CA. The Qlik Sense root CA certificate can be
found under the following location in .pem format. (C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates)
It can also be exported as a Windows format
.cer file via QMC under Certificates. Another alternative is to manually export
it via the MMC. Next, copy the file to the client computer
so it can be installed. Open the MMC and add the Certificate snap-in
for managing the Computer account. Under Certificates (Local Computer), right-click
"Trusted Root Certification Authorities", All Tasks, then Import. Go through the steps to import the certificate,
then confirm that the certificate gets listed under the Trusted Root Certification Authorities
store. Then, confirm that you no longer receive the
error in the Web Browser when accessing QMC or Hub. For Firefox, the certificate needs to be imported
directly to the browser's certificate repository. It is located under Options, Privacy & Security,
then scroll down to Certificates and click on View Certificates, where the Qlik Sense
root CA certificate can be imported under Authorities. Then confirm the error no longer occurs. Note that if clients access the Qlik Sense
server using a different hostname in the URL than the one stated in the certificate presented
to clients, a different browser certificate error may be displayed. For example, let's say users are only able
to access the Hub via an external DNS record name qlikserver10.domain.local, which
is added to the Virtual Proxy configuration for allowed hosts. This is a common scenario when the Qlik Sense
server is behind a network device or simply registered with a different DNS record than
what is used by the client. The user may observe the web browser error
code displayed here indicating an invalid certificate Common Name in Microsoft Edge,
Google Chrome, and Internet Explorer browsers. Firefox's error code is different, indicating
an invalid cert domain name. However, this also means that the FQDN used
in the URL does not match the Common Name in the certificate presented by the server. The certificate Common Name can be found in
the certificate's "Issued To" field, as well as in the "Subject" field. The same and additional strings may be listed
under the "Subject Alternative Name" (SAN) field as a DNS Name entry. In this case, to resolve this particular
issue, the certificate used by the server would need to include either a wildcard DNS
entry or the additional DNS name entry in the Subject Alternative Name field. Note that this may not be suitable when
the additional DNS name entry is a public one, as the internal DNS name entries would
be exposed via the certificate presented to the client. This new certificate or any other customized
cert needs to be issued by a trusted Public or Private Certificate Authority as Qlik Sense
does not issue certificates. The following are the requirements for the certificate
to be issued, as of the newest release, September 2020: it must contain the private key and
not be an expired certificate; it must be an X.509 version 3 certificate;
it must use signature hash algorithm SHA256 or SHA-1 and signature algorithm sha256RSA;
it must be signed by a Certificate Authority (CA) that is or can be made trusted
by both the client and server; and it must be a CryptoAPI format certificate,
not CNG. When changing to use the new cert, Qlik Sense
should automatically roll back to the default server certificate in case of issues with
the new one. However, before changing the certificate,
as a precaution, it is recommended that plain HTTP is enabled in case the system is not
able to recover from an issue that may lead to a lockout situation. This can be done under the Qlik Sense Proxy
Ports configuration by checking the Allow HTTP box. Moving forward, as an example, we have obtained
a certificate from a private Certificate Authority with both DNS entry names mentioned for qlikserver1
and qlikserver10. The next step is to install it on the Qlik
Sense server. Make sure to log on to the Qlik Sense server
using a local server administrator account. Then open the MMC for Certificates (Local
Computer) as done previously in this video, and import the certificate to the Personal
store. Refresh the MMC to inspect the new certificate
and confirm that all the certificates in the Certification Path have the status "This certificate
is OK". In this case it does not. This is due to the server not having the CA
root certificate installed in the "Trusted Root Certification Authorities" store. Note that if the certificate trust structure
had an intermediate CA, the certificate from that specific CA would also need to be installed. It is usually installed under the "Intermediate
Certification Authorities" store. After installing the root CA certificate and
confirming it was placed under Trusted Root Certification Authorities, we can see that
the root certificate status states "This certificate is OK". We can also see here that the "Subject Alternative
Name" field holds both records for qlikserver1 and qlikserver10. Please note that if the Qlik Sense service
account is not a local admin, the following additional steps are required. Right-click the new certificate, then go to
All Tasks and Manage Private Keys. Make sure the local user group "Qlik Sense
Service Users" has Read permissions. This group should already have the Qlik Sense
service account as a member. Now we need to tell Qlik Sense to use the
new production certificate. Open the new certificate and under the cert's
Details tab, scroll down and copy the cert's Thumbprint field string. It is recommended that the thumbprint string
is pasted into a text editor and inspected for an invisible character at the front of
the string. This character can be seen if the text format
is changed to ANSI. Alternatively, this can be done by pressing
delete and backspace when the cursor is in front of the string. Also remove any spaces. Then copy this string. With this said, note that in newer releases
of Qlik Sense such as September 2020, the string can be directly pasted in the Proxy
SSL browser certificate thumbprint field under the Security section. Once applied, QMC will prompt for a Proxy service
restart, or will display the following if the service account is not a local administrator. This means that the repository service needs
to be run in bootstrap mode for changes to take effect. Stop all Qlik Sense services except for the
Qlik Sense Repository Database and Qlik Sense Service Dispatcher services. Open the command prompt as Administrator,
and run the following command on the Qlik Sense Central node. (repository.exe -bootstrap -iscentral)
Once completed, start all the Qlik Sense
services starting with the Repository Service. The Proxy Trace Security logs found in this
location should register that the new certificate is being used. So when accessing Qlik Sense QMC or Hub using
the hostname qlikserver10, no certificate error should be displayed as long as the root
CA certificate has been installed on the client as well. We can also confirm the certificate presented
to the client is the new one with the two DNS name entries. Note that if there are multiple Qlik Sense
RIM nodes with the Proxy service enabled, the same process needs to be performed for each
node. If the Qlik Sense service account is not a
local admin on those nodes, the bootstrap command without the -iscentral parameter needs
to be used as well. For certificates, a common practice is to
either add the additional RIM nodes' DNS names to the certificate as shown in this example,
issue separate certificates, or use a wildcard certificate. Here's an example where the client is presented
with a certificate that contains a wildcard DNS name entry in the Subject Alternative
Name field. This will match any hostname used when accessing
any of the Qlik Sense servers as long as it is followed by the domain name. If you’d like more information,
search for answers using the unified search tool on the Support Portal. It searches across the support knowledge base,
Qlik Community, Qlik Help site, and Qlik YouTube channels. Take advantage of the expertise of peers,
product experts, and technical support engineers by asking a question in a Qlik Product Forum
on Qlik Community. And don’t forget to subscribe to the Support
Updates Blog. Thanks for watching!
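
Two manual checks from the walkthrough above, cleaning the copied thumbprint and confirming that the hostname in the URL is covered by the certificate's Subject Alternative Name entries, as an added Python example that is not part of the original video or Qlik's own tooling. It assumes the invisible character is a Unicode format character such as U+200E, that the thumbprint is a 40-digit SHA-1 value, and a simplified wildcard rule; the sample thumbprint and the name qlikserver1.domain.local are constructed.

```python
import unicodedata

# Constructed sample: thumbprint as pasted from the certificate Details tab,
# with a leading invisible U+200E and spaces between the bytes.
SAMPLE_PASTED = "\u200e" + "a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"

# Constructed SAN lists; qlikserver1.domain.local is an assumed FQDN.
SAN_SINGLE = ["qlikserver1.domain.local"]
SAN_BOTH = ["qlikserver1.domain.local", "qlikserver10.domain.local"]
SAN_WILDCARD = ["*.domain.local"]


def normalize_thumbprint(raw):
    """Return the thumbprint as 40 upper-case hex digits, or raise ValueError."""
    # Drop invisible format characters (Unicode category Cf) and all whitespace.
    cleaned = "".join(
        ch for ch in raw
        if unicodedata.category(ch) != "Cf" and not ch.isspace()
    ).upper()
    if len(cleaned) != 40 or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError("not a SHA-1 thumbprint: %r" % cleaned)
    return cleaned


def dns_name_matches(hostname, pattern):
    """Match one SAN DNS Name entry against the hostname used in the URL."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label, never several
    if pat[0] == "*":
        # Simplification: accept '*' only as the whole leftmost label and
        # only when at least two labels follow it.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def covered_by_san(hostname, san_dns_names):
    """True if any DNS Name entry in the SAN list covers the hostname."""
    return any(dns_name_matches(hostname, p) for p in san_dns_names)


if __name__ == "__main__":
    print(normalize_thumbprint(SAMPLE_PASTED))
    for san in (SAN_SINGLE, SAN_BOTH, SAN_WILDCARD):
        print(san, covered_by_san("qlikserver10.domain.local", san))
```

The wildcard entry covers qlikserver10.domain.local but not a name with an extra label such as a.b.domain.local, and not the bare domain.local.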