Inspire EMEA 2022 On-Demand is live! Watch now, and be sure to save the date for Inspire 2023 in Las Vegas next May.

Alteryx Connect Knowledge Base

Definitive answers from Connect experts.

How To: Import a PFX Certificate


How To: Import a PFX Certificate

In a previous article, I wrote about enabling SSL using the Installer. Currently, the Connect installer only supports self-signed certificates. This article is a guide on how to import a Certificate Authority (CA) signed certificate after enabling SSL with the Installer.


  • Alteryx Connect
    • 2019.1

  • a PFX file containing both private key and public key.
    • The icon of the file should contain little key similar to this one:icon_privateKey.png
    • If the file has this icon_publicCert.pngicon it does not contain the private key and cannot be used.

  • If you do not have a PFX file (the keys are separate files) see Common issues.
    • To follow these instructions to create a PFX file, you will need OpenSSL installed on your machine.

In this guide, the following values are assumed. If the values on your configuration are different, modify the commands in the instructions accordingly:

  • The path to Alteryx Connect folder:
    c:\Program Files\AlteryxConnect
  • The keystore filename:
  • The keystore password:
  • The pfx filepath:
  • The pfx password:


  1. Enable SSL as described inHow To: Enable SSL in the Connect Installer(just the first part + you don't need to create the CSR file).

  2. Be sure your Connect instance is able to start and run using the https protocol.

  3. Open the command line and navigate to the folder containing keytool.exe:
    cd "c:\Program Files\AlteryxConnect\jre\bin"
    In order to manipulate a file in Program files, you may have to Run the Command Prompt as Administrator to have the elevated permissions.

  4. List all keys in your keystore:
    keytool.exe -list -keystore "c:\Program Files\AlteryxConnect\connect.keystore"  -storepass password

    You can see there are 2 certificates in my keystore:
    1. alias 'ca' of type 'trustedCertEntry' - public key of the CA that signed my certificate
    2. alias 'mycert' of type 'PrivateKeyEntry' - the private key that is used to run the SSL
      Initial content of the keystoreInitial content of the keystore
  5. In order to use a different private key, we have to remove the self-signed one first. Before removing, backup the keystore:
    copy "c:\Program Files\AlteryxConnect\connect.keystore""c:\Program Files\AlteryxConnect\connect_bckp.keystore"
  6. Remove the PrivateKeyEntry using the alias as identification:
    keytool.exe -delete -alias mycert -keystore "c:\Program Files\AlteryxConnect\connect.keystore" -storepass password
  7. Verify the certificate has been removed by listing the content of the keystore as demonstrated in step #4.

    Removed self-signed private keyRemoved self-signed private key
  8. Import your *.pfx file.
    1. The file is most likely password protected, so don't forget to change the value of 'srcstorepass' and 'deststorepass' parameters
    2. You may need to change the 'scralias' as your key might have a different one. The easiest way would be to omit both 'scralias' and 'destalias' and list keystore - the alias will likely remain the same.
      keytool.exe -importkeystore -srckeystore "c:\mycerts\pkcs12\ServerName.pfx" -srcstoretype pkcs12 -destkeystore "c:\Program Files\AlteryxConnect\connect.keystore" -deststoretype JKS -srcalias 1 -destalias mypfx -srcstorepass servername -deststorepass password
  9. Again, verify that the certificate has been imported successfully - it has to have type of 'PrivateKeyEntry'
    (you can keep the 'ca' certificate in the keystore)
    Imported PFXImported PFX
  10. Be aware - the certificate password must match the keystore's password, otherwise Tomcat will not be able to read it, so if you used different values for 'srcstorepass' and 'deststorepass' parameters as I did, you have to change the certificate password.
    keytool.exe -keypasswd -alias mypfx -keystore "c:\Program Files\AlteryxConnect\connect.keystore"
    You have to provide:
    1. Keystore password
    2. Password for the certificate
    3. New password for the certificate
    4. Re-type new password for the certificate
      Certificate password changeCertificate password change
  11. Restart the Alteryx Connect service - Connect should start using the new certificate from the PFX file

Common Issues

You don't have *.pfx file

  1. Download and install OpenSSL (e.g. from
  2. Open Command Prompt and navigate to OpenSSL installed folder/bin
    cd c:\OpenSSL-Win64\bin
  3. create pfx file out of private key and public key (modify the filepaths to your files)
    openssl pkcs12 -export -out c:\mycerts\pkcs12\ServerName.pfx -inkey c:\mycerts\pkcs12\ServerName.key -in c:\mycerts\pkcs12\ServerName.crt
    You will be asked to provide password for such file - to avoid password change, use the same password as for your keystore
  4. The keystore must contain also the certificate of your CA - if you already have such key, you can import it into the pfx file as well, just add parameter 'certfile'
    openssl pkcs12 -export -out c:\mycerts\pkcs12\ServerName.pfx -inkey c:\mycerts\pkcs12\ServerName.key -in c:\mycerts\pkcs12\ServerName.crt -certfile c:\mycerts\myca\myCA.crt

No ratings
  • Before creating backup of .keystore file and deleting old certificate, it is necessary to stop Alteryx Connect service (point 5 and 6).
  • It might be necessary to reopen web browser and clear browser cache to make new certificate works.