Changing a proxy certificate
In Qlik Sense, all communication between services and the Qlik Sense web clients is based on web protocols. The web protocols use Secure Sockets Layer (SSL) for the following:
- Encryption and exchange of information and keys
- Certificates for authentication of the communicating parties
After a standard Qlik Sense installation, the Qlik Sense Proxy Service (QPS) includes a module that handles the encryption of traffic from the browser to the proxy. The certificate for communication between the web browser and the proxy can be replaced.
This flow describes changing proxy certificate:
Do the following:
-
Install the new server certificate:
- Note down the thumbprint for the new certificate.
- Install the new server certificate on the proxy node, in the Windows Certificate Store in Local Machine/Personal.
Information noteTo be valid, the certificate must contain a private key. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense Proxy Service.Information noteWhen using a third-party certificate, it is required that the certificate is trusted in Windows, and that the private key is stored with the certificate in the Windows certificate store. The certificate should be installed to the Local Computer / Computer Account > Personal portion of MMC for the user account that is used to run the Qlik Sense Proxy Service.Information noteQlik Sense supports the same certificates as Windows certificate store, depending on the certificates allowed by the Windows server configuration. Typically, this includes signing algorithms based on SHA-1 and SHA-2 (SHA-256 and SHA-384). It is recommended to use at least one of the SHA-2 variants. -
Open the QMC: https://<QPS server name>/qmc
-
Select Proxies on the QMC start page or from the Start drop-down menu to display the overview.
- Find the relevant proxy in the overview and select Edit.
-
Edit the SSL browser certificate thumbprint found in the Security property group by adding the thumbprint of the installed server certificate, from step 1 in this procedure.
-
Click Apply in the action bar to apply and save your changes.
Successfully updated is displayed at the bottom of the page.
- Restart proxy.
The installed certificate is now used for communication between the web browser and the proxy. A green padlock (or similar icon depending on browser) is displayed when entering the address of the QMC in your Internet browser. This means that the browser trusts the certificate and has identified the server machine. By default, the QMC address is https://<QPS server name>/qmc.