Recently, we have had a number of questions regarding SSL certificates, how to install them, and how to configure Alteryx Server to use them. While the Alteryx Server Installation and Configuration Guide does cover enabling SSL for Alteryx Server, it doesn’t cover obtaining a certificate, or how to install that certificate so it can be used by the server.
There are a number of tools and methods you can use to obtain an SSL certificate to use with Alteryx Server. In this article we will be focusing on using OpenSSL to create a Certificate Signing Request (CSR) to send to a Certificate Authority (CA), generating a self-signed certificate, installing the certificate, and configuring Alteryx Server to use the certificate.
Note: If you don’t have OpenSSL installed on your server, you can download a precompiled Win32 or Win64 binary from https://slproweb.com/products/Win32OpenSSL.html. Please keep in mind that OpenSSL is not developed or maintained by Alteryx, and that we have no affiliation with the OpenSSL project or the provider of this precompiled binary. As such, feel free to use whichever implementation of OpenSSL you are comfortable with.
Creating a Certificate Signing Request with OpenSSL:
To generate a CSR, open an administrator command prompt on your server and navigate to the directory containing your OpenSSL.exe and configuration file. From there run the following command:
This will prompt you to answer a number of questions related to your organization and the server. You can use the included screenshot for reference, but keep in mind that your responses should be based on your own organization and server information.
This command will create two files in the same directory, one with a .csr extension and one with a .key extension. These files will need to be provided to your CA in order to have your certificate created. This can be either an internal CA or a public CA such as Verisign, GeoTrust, DigiCert, Entrust, StartCom, etc. The CA will provide you with a signed certificate in return as a .crt, .cer, .pem, or .pfx file.
Creating a Self-Signed Certificate with OpenSSL:
You can also use OpenSSL to generate a self-signed certificate. While this isn’t recommended for production environments, there may be a number of reasons why you would want to create one. Some possible reasons include dev or lab environments, and testing to confirm functionality before purchasing a certificate from a public CA. Regardless of your reason, you can do so with the following procedure:
Open an administrator command prompt and navigate to your OpenSSL directory. Once there, run these commands:
The first command generates a signed certificate (.crt file) and private key (.key file). The second command creates a combined certificate and key file in a .pfx format from the generated certificate and key. Please keep in mind you will be asked the same or similar questions as you would if you were generating a CSR. Please reference the screenshots below:
Note: As previously stated we do not recommend using self-signed certificates in production environments.
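The CSR and self-signed procedures above, run non-interactively from PowerShell and followed by a check that the certificate matches the private key before it is imported. This is an added example, not the article's own commands; it assumes openssl.exe 1.1.1 or later is on PATH with its configuration file available, and the host name and subject fields are placeholders.

```powershell
# Added example, not the article's commands. Assumes openssl.exe 1.1.1 or later
# is on PATH; $Fqdn and the subject fields are placeholders for your own values.
$Fqdn = 'hostname.domain.tld'
$Subj = "/C=US/ST=State/L=City/O=Example Org/CN=$Fqdn"
$San  = "subjectAltName=DNS:$Fqdn"
function Assert-Ok { if ($LASTEXITCODE -ne 0) { throw "openssl exited with $LASTEXITCODE" } }

# 1. New 2048-bit RSA key plus CSR, answered from $Subj instead of the prompts.
#    -nodes writes the key unencrypted, so keep the folder restricted to administrators.
& openssl req -new -newkey rsa:2048 -nodes -keyout "$Fqdn.key" -out "$Fqdn.csr" -subj $Subj -addext $San
Assert-Ok

# 2. Review what the CSR contains (subject, SAN, public key) and check its self-signature.
& openssl req -in "$Fqdn.csr" -noout -verify -text
Assert-Ok

# 3. Lab only: self-signed certificate from the same key, valid for 365 days.
& openssl req -x509 -new -key "$Fqdn.key" -days 365 -out "$Fqdn.crt" -subj $Subj -addext $San
Assert-Ok

# 4. Confirm the certificate (self-signed here, or the one returned by the CA)
#    carries the public key that belongs to the private key on disk.
$KeyPub  = (& openssl pkey -in "$Fqdn.key" -pubout) -join "`n"
$CertPub = (& openssl x509 -in "$Fqdn.crt" -noout -pubkey) -join "`n"
if ($KeyPub -cne $CertPub) { throw 'Certificate does not match the private key' }

# 5. Bundle certificate and key into a .pfx for the Windows import wizard.
#    openssl prompts for the export password that the wizard will ask for later.
& openssl pkcs12 -export -inkey "$Fqdn.key" -in "$Fqdn.crt" -out "$Fqdn.pfx"
Assert-Ok
```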
Installing the Certificate:
Once we have received the signed certificate from the CA or generated a self-signed certificate we need to install it. To install the certificate we need to open a Microsoft Management Console (MMC) to access the Certificates snap-in by following these steps:
Click Start and then click Run.
In the command line, type MMC and then click OK.
In the Microsoft Management Console (MMC), on the File menu, click Add/Remove Snap-in.
In the Add Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, select Certificates and then click Add.
In the Certificates snap-in dialog box, select the Computer account radio button because the certificate needs to be made available to all users, and then click Next.
In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
Next, we need to actually import the certificate. To do this:
Expand Certificates > Personal
Right-click Certificates under Personal
Select All Tasks > Import.
This will open the certificate import wizard.
Browse to the certificate file provided by your CA, or the pfx file generated in the self-signing instructions
If you are using a self-signed certificate, or your CA issued a certificate that includes the private key you will be prompted for the password/phrase. Otherwise this step will be skipped by the import wizard.
Enter the password
Check the box to mark this key as exportable
The next screen will ask to confirm where you want to place the certificate. This should have the Certificate store set to ‘Personal’ already.
Set the Certificate store to Personal if needed
On the next screen click Finished
If you are installing a self-signed certificate, we need to repeat these steps in order to establish the local server as a trusted authority. To do this, install the certificate a second time following the same steps as above, except this time install it to the Trusted Root Certification Authorities store instead of the Personal store. You can do this by expanding Trusted Root Certification Authorities, right-clicking Certificates, and choosing All Tasks > Import, or by changing the Certificate store at the end of the import wizard.
Configuring Alteryx Server to Use the Certificate:
First, you need to collect the certificate thumbprint for the certificate you installed above. You can do this from MMC > Certificates > Personal > Certificates by right-clicking the installed certificate and choosing Open. This will open a certificate dialog for the certificate you installed. From there, select the Details tab and find the Thumbprint field. Copy the value and remove all spaces from it (e.g. 74d4ca722e2954cd225f9b4697d2fc7f6747194c).
Next, you need to bind http port 443 to the certificate. To do so, open your administrator command prompt again. Then run the following command, making sure to replace the certhash with the thumbprint value you captured:
To check that the binding is correct, you can run the following command:
netsh http show sslcert
Note: When renewing an expired or expiring certificate, you will need to delete the current binding (netsh http delete sslcert ipport=0.0.0.0:443), capture the thumbprint of the new certificate, and rebind the certificate using the instructions above.
For the final step, you will need to configure the Gallery service to use SSL. To do this open Alteryx System Settings and click Next until you reach Gallery > General. Once there find the Base Address section and check the box to Enable SSL. Then click Next, Finished, or Done as appropriate to apply the settings change and restart the Alteryx Service.
Note: The URL must also match the name the certificate was issued to. As such, if the certificate was issued to the server's fully qualified domain name (e.g. hostname.domain.tld), your URL needs to match this by using https://hostname.domain.tld/gallery/. If the certificate was issued to just the hostname, you would need to use https://hostname/gallery/. If the URL doesn’t match the certificate the service will fail to start properly.
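The checks from this section as an added PowerShell example (not part of the original article): it normalizes a thumbprint copied from the Details tab, confirms the certificate is in the computer's Personal store with its private key and a name that matches the Gallery URL, and prints the netsh commands to run. $GalleryUrl and the appid GUID are placeholders, and the thumbprint is the article's sample value.

```powershell
# Added example; run in an elevated PowerShell session on the Alteryx Server host.
# $GalleryUrl and $AppId are placeholders. $Pasted is the article's sample thumbprint
# written the way the Details tab shows it, with spaces.
$GalleryUrl = 'https://hostname.domain.tld/gallery/'
$AppId      = '{00000000-0000-0000-0000-000000000000}'   # placeholder: use the appid from your binding command
$Pasted     = '74 d4 ca 72 2e 29 54 cd 22 5f 9b 46 97 d2 fc 7f 67 47 19 4c'

# Keep hex digits only. This removes the spaces and any invisible character
# copied along with the value from the certificate dialog.
$Thumb = ($Pasted -replace '[^0-9a-fA-F]', '').ToLower()
if ($Thumb.Length -ne 40) { throw "Expected 40 hex digits, got $($Thumb.Length)" }

# The certificate must be in the computer's Personal store with its private key.
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumb }
if (-not $Cert) { throw "No certificate with thumbprint $Thumb in LocalMachine\My" }
if (-not $Cert.HasPrivateKey) { throw 'Certificate was imported without its private key' }
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($Cert.NotAfter)" }

# The host in the Gallery URL has to be one of the names the certificate was issued to.
# A wildcard name (*.domain.tld) is accepted for exactly one leading label.
$UrlHost = ([uri]$GalleryUrl).Host
$Names   = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
$Hit = $Names | Where-Object {
    $_ -eq $UrlHost -or
    ($_.StartsWith('*.') -and $UrlHost -match '^[^.]+\.(.+)$' -and $Matches[1] -eq $_.Substring(2))
}
if (-not $Hit) { throw "'$UrlHost' is not among the certificate names: $($Names -join ', ')" }

# Compare with whatever is bound to port 443 now, then print the commands to run
# in the administrator command prompt. Nothing is changed by this script.
$Out   = (& netsh http show sslcert ipport=0.0.0.0:443) -join "`n"
$Bound = [regex]::Match($Out, '\b[0-9a-fA-F]{40}\b').Value
if ($Bound -eq $Thumb) {
    'Port 443 is already bound to this certificate.'
} else {
    if ($Bound) { 'netsh http delete sslcert ipport=0.0.0.0:443' }
    "netsh http add sslcert ipport=0.0.0.0:443 certhash=$Thumb appid=$AppId"
}
```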