Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW

How to configure a .pfx certificate for use with the Qlik NPrinting Web Console and NewsStand

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
pbr
Employee
Employee

How to configure a .pfx certificate for use with the Qlik NPrinting Web Console and NewsStand

Last Update:

Mar 3, 2023 4:25:02 AM

Updated By:

Sonja_Bauernfeind

Created date:

Dec 12, 2017 10:47:16 AM

How to configure to use a new .pfx certificate for use with Qlik NPrinting Web Console and/or the NewsStand after converting it to the .key and .crt format

CNG-type certificates are not supported for use with NPrinting Server. See Requirements(help.qlik.com).


Items Needed:

  • A certificate with the Private Key that can be extracted (PFX files are the easiest)
  • Import the Password for the PFX certificate
  • OpenSSL (3rd Party free software- see disclaimer at end of this article) to extract the certificate and gather the .crt and .key files. See Installing OpenSSL

Please review this information with your internal Certificate Authority or appropriate IT team that would provide the certificate and follow their guidelines if it differs from the steps here. If a new certificate cannot be issued for the Qlik NPrinting server, a workaround for the issue may be found under General: what does the certificate error(red cross) in browser mean and how to fix it.

All the steps below can be performed automatically with one click using a third-party tool called NPrinting Certificate Configurator, which can be downloaded from the Releases section. Keep in mind that Qlik does NOT support the 3rd party software mentioned and used in this documentation. Please use them at your own discretion and, if concerned, contact the proper IT team within your company to verify the ability to use non-Qlik related software in the environment.

Before proceeding to the following steps, you must first install Open SSL. See Installing OpenSSL.

 

Extract the .CRT and .KEY files

  1. Using an administrative command prompt, navigate to the Open SSL/bin folder on your NPrinting computer and extract the .crt file from the .pfx file.

    1.png

    Test Command: openssl pkcs12 -in C:\NPCerts\QS3Cert.pfx -clcerts -nokeys -out C:\NPCerts\QS3.crt
    Example Command: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

    Note: The Import Password is determined by the CA when the certificate is exported/created. This is to help protect the Private Key. It should be supplied with the certificate from the 3rd Party SSL CA  / Internal CA. If you do not have this password, you will not be able to use the certificate.


  2. Extract the .key file from the .pfx file.

    2.png

    Test Command: openssl pkcs12 -in C:\NPCerts\QS3Cert.pfx -nocerts -out C:\NPCerts\QS3.key
    Example Command:  openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    Note: The PEM passphrase is used to protect the new .key file you’ve created.

  3. Decrypt the .key file. (Qlik NPrinting CANNOT have a passphrase on the .key file)

    3.png

    T
    est Command: openssl rsa -in C:\NPCerts\QS3.key -out C:\NPCerts\QS3.key
    Example Command:  openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]

    Note: At this stage, we’re removing the pass phrase from the .key, unencrypting it for Qlik NPrinting to read it.

    In the Test Command, we’re overwriting the same file in the command. This works, but if you want a separate copy of the encrypted and decrypted Key you’ll need to make them different file names or locations.  


NPrinting Web Console

  1. Place the extracted .crt and .key files in the webconsoleproxy folder and update the app.conf file.

    4.png
     
  2. Edit the Qlik NPrinting Web Console proxy configuration file: %ProgramData%\NPrinting\webconsoleproxy\app.conf.
    1. Uncomment by removing the # and change or add the following lines to:
  3. http.sslcert=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.crt. Change the certificate file name if necessary.
  4. http.sslkey=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.key. Change the private key file name if necessary.
    1. ${ProgramData} is the Windows ProgramData environment variable with the notation for the configuration file. As an alternative, you can insert your full path, for example, C:\ProgramData\NPrinting\webconsoleproxy\NPrinting.crt.
  5. SAVE the app.conf file to preserve the changes

 

Qlik NPrinting Newsstand

  1. Place the new .crt / .key files in the newsstandproxy folder and update the app.conf  file.

    5.png

  2. SAVE the app.conf file to preserve the changes

 

Finalize

Restart the Qlik NPrinting Web Engine and check the nprinting_webengine.log to verify there’s no issues with new certificate information.

6.png

Note:  The above is an example of a clean start of the Web Engine. Default location for those logs are located: "C:\ProgramData\NPrinting\Logs"

Verify the Certificates

Verify that the certificate is being used in the browser.

7.png
 
Note: In this example, the certificate is correctly being presented to the browser under the URL of qlikserver3.domain.local. With this certificate, it’s the ONLY name that this certificate will trust.

8.png
 
Note: This is the result using the servername instead of the FQDN. You can access the URL, but it presents a “Not secure” message, but shows the correctly installed certificate. The reason for this is that the server recognizes the name, but the certificate only allows qlikserver3.domain.local. If you want multiple URL/Aliases, they need to be added in the certificate. 

 

Related Content:

Securing the NPrinting Web Console with 3rd party certificates 

 

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Labels (1)
Version history
Last update:
‎2023-03-03 04:25 AM
Updated by: