
Alteryx Connect Knowledge Base


How To: Import a PFX Certificate

VojtechT
Alteryx


 

A separate article covers enabling SSL using the Installer. Currently, the user interface of the Connect installer only supports self-signed certificates. This article is a guide on how to import a Certificate Authority (CA)-signed certificate after enabling SSL with the Installer.  If you need to replace certificates that are about to expire with new ones, you can use this procedure to do so.

This article uses the term SSL to refer to what is more properly the TLS (Transport Layer Security) cryptographic protocol that has replaced the older SSL.  Please be assured that references to SSL are just familiar, widely-used terminology.  This article refers to the private and public key components interchangeably as "certificates."  Also, Connect will use the contents of the keystore to enable https regardless of whether the keystore is PKCS12 or JKS format.  

 

Prerequisites

 

  • Alteryx Connect
    • 2019.1
       
  • a PFX file containing both private key and public key.
    • The icon of the file should contain a little key, similar to this one: [image: icon_privateKey.png]
    • If the file instead has this icon [image: icon_publicCert.png], it does not contain the private key and cannot be used as a .pfx (although the Certificate Authority's root certificate will likely be of this form).
    • If you do not have a PFX file (the keys are separate files), see Common Issues. To follow those instructions to create a PFX file, you will need OpenSSL installed on your machine.

 

In this guide, the following values are assumed.  Generally, the words immediately after dashes are parts of the commands (flags or attributes) and the words without dashes are the values you specify for your installation.  If the values differ on your configuration, modify the commands in the instructions accordingly.  If you wish, you can leave off the -storepass storePassword and -deststorepass password portions of the commands to be prompted to enter the passwords without displaying them.

  • The path to Alteryx Connect folder:
    c:\Program Files\AlteryxConnect\
  • The keystore filename:
    connect.keystore
  • The starting keystore password (set through the installer UI or with the original .pfx cert):
    storePassword
  • The pfx filepath:
    c:\myPath\connectServerName.pfx
  • The pfx password:
    password

 

Procedure

 

 

  1. Enable SSL as described in How To: Enable SSL in the Connect Installer (just the first part -- you don't need to create the CSR file).
     
  2. Be sure your Connect instance is able to start and run using the https protocol.
     
  3. Open the command line as an administrator and navigate to the folder containing keytool.exe (to modify a file under Program Files, you must run the Command Prompt as Administrator so that it has elevated permissions):
    cd "c:\Program Files\AlteryxConnect\jre\bin"
  4. List all keys in your keystore:
    keytool.exe -list -keystore "c:\Program Files\AlteryxConnect\connect.keystore"  -storepass storePassword

    You can see there are 2 certificates in my keystore: 
     
    1. alias 'root' of type 'trustedCertEntry' - public key of the CA that signed my certificate
    2. alias 'selfsignedcert' of type 'PrivateKeyEntry' - the certificate/private key that is used for 
      [Image: Initial content of the keystore]
  5. In order to use a different certificate/private key, we have to remove the self-signed or expiring one first. Before removing, backup the keystore:
    copy "c:\Program Files\AlteryxConnect\connect.keystore" "c:\Program Files\AlteryxConnect\connect_bckp.keystore"
    

     
  6. Remove the old PrivateKeyEntry using the alias as identification:
    keytool.exe -delete -alias selfsignedcert -keystore "c:\Program Files\AlteryxConnect\connect.keystore" -storepass storePassword
    

     
  7. Verify the certificate has been removed by listing the content of the keystore as demonstrated in step #4.
    keytool.exe -list -keystore "c:\Program Files\AlteryxConnect\connect.keystore"  -storepass storePassword

    [Image: Removed self-signed private key]
     
  8. Import your *.pfx file.
    keytool.exe -importkeystore -srckeystore "c:\myPath\connectServerName.pfx" -srcstoretype pkcs12 -destkeystore "c:\Program Files\AlteryxConnect\connect.keystore" -deststoretype JKS  -srcstorepass password -deststorepass storePassword

     
  9. Again, verify that the certificate has been imported successfully. It must show its type as 'PrivateKeyEntry'.

    [Image: Imported PFX]
     
  10. If the new certificate/private key has a new password, you must set the keystore password to match the password of the .pfx certificate, and be sure to update your records with the new keystore password. You can do that with the following command:
    keytool.exe -storepasswd -new password -keystore "c:\Program Files\AlteryxConnect\connect.keystore" -storepass storePassword

     
  11. The keystore must also contain the certificate of your CA, often referred to as the Root Certificate. Certificate Authorities usually have them on their website ready for download. The certificate must be in X.509 format, i.e. it should have an extension of either .cer, .crt, .pem, or .der. (Sometimes there is also an Intermediate Certificate.) If the CA certificate was included in your .pfx file, you can skip this step. There are two ways to do this. One is to use commands of the form:
    keytool -importcert -file "C:\mypath\authorityCertificate.cer" -keystore "C:\Program Files\AlteryxConnect\connect.keystore" -alias root -storepass password

    The other is to import these through the UI.  See Part 2 - Import the Signed Certificate section within How To: Enable SSL in the Connect Installer for images.
    1. Run the Connect installer again.
    2. Select Enable SSL and click Next.
    3. Check the box for Set up SSL and the button for Upload existing certificate, then click Next.
    4. Enter the same information about the keystore as before but with the new keystore password that you set in step 10, and click Next. 
    5. Then you can skip the self-signed cert steps (click Skip twice).
    6. On the Import certificates page: 
      1. If you are importing the Root cert, set the Alias to something like 'root' and browse to the correct certificate file.  (Once you browse to and select the desired file, its name will appear in the file name field.)  Click on Import and make sure that you see a green message indicating that the certificate imported successfully. 
      2. If you have another certificate to import at this point do the same steps again on this page. 
      3. When you have imported and installed the certificates, click Next.
     

     

  12. Restart the Alteryx Connect service - Connect should start using the new certificate from the PFX file, and you should be able to browse using https: and log in.
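
The listings from steps 4, 7 and 9 can be checked programmatically before the restart in step 12 instead of by eye. The following is an added example, not part of the original article or of Alteryx tooling; the sample listing is constructed, and the function names and the imported alias `connectservername` are hypothetical.

```python
import re

# Constructed `keytool -list` output (fake fingerprints): the .pfx was imported
# in step 8, but the delete in step 6 was skipped.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jan 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33
selfsignedcert, Jan 10, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 44:55:66:77
connectservername, Mar 2, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 88:99:AA:BB
"""

# An entry line is "<alias>, <date>, <entry type>,"; the date itself has a comma.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),.*?(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)

def parse_keytool_list(text):
    """Return {alias: entry_type} from non-verbose `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group("alias").strip()] = match.group("type")
    return entries

def check_keystore(entries, old_alias="selfsignedcert"):
    """Return findings to resolve before restarting the service (step 12)."""
    findings = []
    private = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    if old_alias in entries:
        findings.append(f"old entry '{old_alias}' still present (step 6)")
    if not [a for a in private if a != old_alias]:
        findings.append("no imported PrivateKeyEntry (steps 8 and 9)")
    if len(private) > 1:
        findings.append(f"more than one PrivateKeyEntry: {private}")
    if "trustedCertEntry" not in entries.values():
        findings.append("no trustedCertEntry; fine only if the CA cert was in the .pfx (step 11)")
    return findings

if __name__ == "__main__":
    for finding in check_keystore(parse_keytool_list(SAMPLE_LISTING)):
        print("CHECK:", finding)
```

To use it on a real keystore, save the output of the `keytool.exe -list` command from step 4 to a file and pass its contents to `parse_keytool_list`.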

 

Common Issues

You don't have a .pfx file; you have a separate certificate and key files

  1. Download and install OpenSSL (e.g. from https://slproweb.com/products/Win32OpenSSL.html)
  2. Open Command Prompt and navigate to OpenSSL installed folder/bin
    cd c:\OpenSSL-Win64\bin
  3. If you are using OpenSSL version 1.x.x, create a .pfx file out of the private key (.key) and public key (.crt) using the command format below.  Modify the paths and names appropriately.
    openssl.exe pkcs12 -export -out "c:\myPath\connectServerName.pfx" -inkey "c:\myPath\connectServerName.key" -in "c:\myPath\connectServerName.crt"
    You will be asked to provide a password for the file.  To avoid a password change, use the same password as for your keystore.
    OR
    If you are using OpenSSL version 3.x.x, create a .pfx file out of the private key (.key) and public key (.crt) using the command format below.  Modify the paths and names appropriately.
    openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey "c:\myPath\connectServerName.key" -in "c:\myPath\connectServerName.crt" -out "c:\myPath\connectServerName.pfx"
    You will be asked to provide a password for the file.  To avoid a password change, use the same password as for your keystore.

     

  4. The keystore must also contain the certificate of your CA.  If you already have it, you can include it in the pfx file as well; just add the parameter 'certfile':
    openssl.exe pkcs12 -export -out "c:\myPath\connectServerName.pfx" -inkey "c:\myPath\connectServerName.key" -in "c:\myPath\connectServerName.crt" -certfile "c:\myPath\myCA.crt"
    OR
    openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey "c:\myPath\connectServerName.key" -in "c:\myPath\connectServerName.crt" -out "c:\myPath\connectServerName.pfx" -certfile "c:\myPath\myCA.crt"

     




Comments
JanSnaur
Alteryx
  • Before creating a backup of the .keystore file and deleting the old certificate, it is necessary to stop the Alteryx Connect service (points 5 and 6).
  • It might be necessary to reopen the web browser and clear the browser cache to make the new certificate work.