alteryx connect Knowledge Base

Definitive answers from Connect experts.

How To: Import a PFX Certificate

Alteryx

 

In a previous article, I wrote about enabling SSL using the Installer. Currently, the Connect installer only supports self-signed certificates. This article is a guide on how to import a Certificate Authority (CA) signed certificate after enabling SSL with the Installer.

 

Prerequisites 

 

  • Alteryx Connect
    • ≥ 2019.1

  • A PFX file containing both the private key and the public key.
    • The icon of the file should contain a little key, similar to this one: [image: icon_privateKey.png]
    • If the file has this icon [image: icon_publicCert.png], it does not contain the private key and cannot be used.

 

  • If you do not have a PFX file (the keys are separate files) see Common issues.
    • To follow these instructions to create a PFX file, you will need OpenSSL installed on your machine.

 

In this guide, the following values are assumed. If the values on your configuration are different, modify the commands in the instructions accordingly:

  • The path to Alteryx Connect folder:
    c:\Program Files\AlteryxConnect
  • The keystore filename:
    connect.keystore
  • The keystore password:
    password
  • The pfx filepath:
    c:\mycerts\pkcs12\ServerName.pfx
  • The pfx password:
    servername

 

Procedure

 

  1. Enable SSL as described in How To: Enable SSL in the Connect Installer (only the first part; you do not need to create the CSR file).

  2. Be sure your Connect instance is able to start and run using the https protocol.

  3. Open the command line and navigate to the folder containing keytool.exe:
    cd "c:\Program Files\AlteryxConnect\jre\bin"
    To modify a file under Program Files, you may have to run the Command Prompt as Administrator to get elevated permissions.

  4. List all keys in your keystore:
    keytool.exe -list -keystore "c:\Program Files\AlteryxConnect\connect.keystore"  -storepass password

    You can see there are 2 certificates in my keystore:
    1. alias 'ca' of type 'trustedCertEntry'  - public key of the CA that signed my certificate
    2. alias 'mycert' of type 'PrivateKeyEntry' - the private key that is used to run the SSL
      [Screenshot 01_listKeys.png: Initial content of the keystore]
  5. In order to use a different private key, we have to remove the self-signed one first. Before removing, backup the keystore:
    copy "c:\Program Files\AlteryxConnect\connect.keystore" "c:\Program Files\AlteryxConnect\connect_bckp.keystore"
  6. Remove the PrivateKeyEntry using the alias as identification:
    keytool.exe -delete -alias mycert -keystore "c:\Program Files\AlteryxConnect\connect.keystore" -storepass password
  7. Verify the certificate has been removed by listing the content of the keystore as demonstrated in step #4.

    [Screenshot 02_listKeysNoPrivate.png: Removed self-signed private key]
  8. Import your *.pfx file.
    1. The file is most likely password protected, so don't forget to change the values of the 'srcstorepass' and 'deststorepass' parameters.
    2. You may need to change the 'srcalias', as your key might have a different one. The easiest way is to omit both 'srcalias' and 'destalias' and then list the keystore; the alias will likely remain the same.
      keytool.exe -importkeystore -srckeystore "c:\mycerts\pkcs12\ServerName.pfx" -srcstoretype pkcs12 -destkeystore "c:\Program Files\AlteryxConnect\connect.keystore" -deststoretype JKS -srcalias 1 -destalias mypfx -srcstorepass servername -deststorepass password
  9. Again, verify that the certificate has been imported successfully: it must have the type 'PrivateKeyEntry'
    (you can keep the 'ca' certificate in the keystore).
    [Screenshot 03_importedPfx.png: Imported PFX]
  10. Be aware: the certificate password must match the keystore's password, otherwise Tomcat will not be able to read it. If you used different values for the 'srcstorepass' and 'deststorepass' parameters, as I did, you have to change the certificate password.
    keytool.exe -keypasswd -alias mypfx -keystore "c:\Program Files\AlteryxConnect\connect.keystore"
    You have to provide:
    1. Keystore password
    2. Password for the certificate
    3. New password for the certificate
    4. Re-type new password for the certificate
      [Screenshot 04_changePassword.png: Certificate password change]
  11. Restart the Alteryx Connect service. Connect should start using the new certificate from the PFX file.
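
The checks in steps 4, 7 and 9 can be automated by comparing the keystore listing taken before and after the import. The following is an added example, not part of the original article or of Alteryx Connect: the function names, the KEYSTORE_PASS environment variable and the two sample listings are assumptions made for illustration, and the parser expects the default (non-verbose, English) `keytool -list` output. It uses keytool's `-storepass:env` modifier so the password is not typed on the command line.

```python
import re
import subprocess

# Constructed samples of `keytool -list` output (steps 4 and 9); not real data.
BEFORE = """Keystore type: JKS
Your keystore contains 2 entries

ca, Jan 15, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22 (constructed)
mycert, Jan 15, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 33:44:55 (constructed)
"""
AFTER = BEFORE.replace("mycert,", "mypfx,")

# Entry line format: "<alias>, <date>, <entry type>,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), .*, (?P<type>\w+Entry),\s*$")


def parse_keytool_list(text):
    """Return {alias: entry_type} from non-verbose `keytool -list` output."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return {m["alias"]: m["type"] for m in matches if m}


def check_import(before, after, old_alias, new_alias):
    """Compare the step 4 and step 9 listings; return a list of problems."""
    problems = []
    if old_alias in after:
        problems.append(f"old alias '{old_alias}' is still present")
    if after.get(new_alias) != "PrivateKeyEntry":
        problems.append(f"'{new_alias}' is {after.get(new_alias)}, not PrivateKeyEntry")
    problems += [f"trusted certificate '{a}' was lost" for a, t in before.items()
                 if t == "trustedCertEntry" and a not in after]
    return problems


def list_keystore(keytool, keystore, env_var="KEYSTORE_PASS"):
    """Run keytool -list; the password is read from env_var, not from argv."""
    out = subprocess.run(
        [keytool, "-list", "-keystore", keystore, "-storepass:env", env_var],
        check=True, capture_output=True, text=True)
    return parse_keytool_list(out.stdout)


if __name__ == "__main__":
    print(check_import(parse_keytool_list(BEFORE), parse_keytool_list(AFTER),
                       "mycert", "mypfx") or "import looks correct")
```

On a real system, call `list_keystore` with the path to keytool.exe and connect.keystore before step 6 and again after step 8, then pass both results to `check_import`.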

 

 

Common Issues

 

You don't have a *.pfx file

 

  1. Download and install OpenSSL (e.g. from https://slproweb.com/products/Win32OpenSSL.html).
  2. Open the Command Prompt and navigate to the bin folder of the OpenSSL installation:
    cd c:\OpenSSL-Win64\bin
  3. Create a PFX file out of the private key and the public key (modify the file paths to point to your files):
    openssl pkcs12 -export -out c:\mycerts\pkcs12\ServerName.pfx -inkey c:\mycerts\pkcs12\ServerName.key -in c:\mycerts\pkcs12\ServerName.crt
    You will be asked to provide a password for the file. To avoid a password change, use the same password as for your keystore.
  4. The keystore must also contain the certificate of your CA. If you already have such a key, you can import it into the PFX file as well; just add the parameter 'certfile':
    openssl pkcs12 -export -out c:\mycerts\pkcs12\ServerName.pfx -inkey c:\mycerts\pkcs12\ServerName.key -in c:\mycerts\pkcs12\ServerName.crt -certfile c:\mycerts\myca\myCA.crt