on 03-08-2016 07:58 AM - edited on 12-20-2022 10:48 PM by UgoAgo
Recently, we have had a number of questions regarding SSL certificates, how to install them, and how to configure the Alteryx Server to use them. While the Alteryx Server Installation and Configuration Guide does cover enabling SSL for Alteryx Server, it doesn’t cover obtaining a certificate, or how to install that certificate so it can be used by the server.
There are a number of tools and methods you can use to obtain an SSL certificate to use with the Alteryx Server. In this article we will be focusing on using OpenSSL to create a Certificate Signing Request (CSR) to send to a Certificate Authority (CA), generating a self-signed certificate, installing the certificate, and configuring Alteryx Server to use the certificate.
Note: If you don’t have OpenSSL installed on your server you can download a precompiled Win32 or Win64 binary from https://slproweb.com/products/Win32OpenSSL.html. Please keep in mind that OpenSSL is not developed or maintained by Alteryx, and that we have no affiliation with the OpenSSL project or the provider of this precompiled binary. As such, feel free to use whichever implementation of OpenSSL you are comfortable with.
*For production deployments, Alteryx and MongoDB recommend using valid certificates generated and signed by a certificate authority. Self-signed certificates are only recommended for development or test environments*
To generate a CSR, open an administrator command prompt on your server and navigate to the directory containing your OpenSSL.exe and configuration file. From there run the following command:
openssl.exe req -config openssl.cfg -out ServerName.csr -new -newkey rsa:2048 -nodes -keyout ServerName.key
This will prompt you to answer a number of questions related to your organization and the server. You can use the included screenshot for your reference, but keep in mind the responses should be based on your organization and server information.
This command will create two files in the same directory, with .csr and .key extensions. Provide the .csr file to your CA in order to have your certificate created; the .key file is the server's private key and stays on the server (you will need it again to build the .pfx, as described in the Additional Note below). The CA can be either an internal CA or a public CA such as Verisign, GeoTrust, DigiCert, Entrust, StartCom, etc. The CA will provide you with a signed certificate in return as a .crt, .cer, .pem, or .pfx file.
You can also use OpenSSL to generate a self-signed certificate. While this isn’t recommended for production environments there may be a number of reasons why you would want to create one. Some possible reasons include dev or lab environments, and testing to confirm functionality before purchasing a certificate from a public CA. Regardless of your reason, you can do so with the following procedure:
openssl.exe req -config openssl.cfg -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout ServerName.key -out ServerName.crt -addext "subjectAltName=DNS:example.com,DNS:example.net"
openssl.exe pkcs12 -export -out ServerName.pfx -inkey ServerName.key -in ServerName.crt
If you are using OpenSSL 3.0.0 or later, and the second command above does not work, use the following for the second command:
openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey ServerName.key -in ServerName.crt -out ServerName.pfx
In a change from older versions, OpenSSL 3.0.0 uses AES256 as a default to encrypt the private key when exporting the .pfx file. This may not be handled properly in some environments.
The -addext "subjectAltName" parameter has been added to the command above so that browsers do not reject the self-signed certificate as invalid; modern browsers require a SAN to be present.
The subjectAltName should match the host name in your Gallery URL, normally the server's FQDN.
If your Gallery URL is http://localhost/gallery, set your subjectAltName to DNS:localhost.
The first command generates a signed certificate (.crt file) and private key (.key file). The second command creates a combined certificate and key file in a .pfx format from the generated certificate and key. Please keep in mind you will be asked the same or similar questions as you would if you were generating a CSR. Please reference the screenshots below:
Note: As previously stated we do not recommend using self-signed certificates in production environments.
Click here for our instructions on the Help docs or use the instructions below with the screenshots as a visual aid.
Once we have received the signed certificate from the CA or generated a self-signed certificate we need to install it. To install the certificate we need to open a Microsoft Management Console (MMC) to access the Certificates snap-in by following these steps:
Next, we need to actually import the certificate. To do this:
This will open the certificate import wizard.
If you are using a self-signed certificate, or your CA issued a certificate that includes the private key you will be prompted for the password/phrase. Otherwise, this step will be skipped by the import wizard.
The next screen will ask you to confirm where you want to place the certificate. This should have the Certificate store set to ‘Personal’ already.
If you are installing a self-signed certificate we need to repeat these steps in order to establish the local server as a trusted authority. To do this, install the certificate a second time following the same steps as above, except this time install it to the Trusted Root Certification Authorities store instead of the Personal store. You can do this by expanding Trusted Root Certification Authorities, right-clicking on Certificates, and choosing All Tasks > Import, or by changing the Certificate store at the end of the import wizard.
At this point, you can follow the detailed instructions from Step 2 of the Configure Server SSL/TLS Help page to complete the configuration. Alternatively (and for completeness), you can continue with these simplified instructions.
First, you need to collect the certificate thumbprint for the certificate you installed above. You can do this from MMC > Certificates > Personal > Certificates by right-clicking on the installed certificate and choosing open. This will open a certificate dialog for the certificate you installed. From there, select the Details tab and find the Thumbprint field. Copy the value and remove all spaces from it (e.g. 74d4ca722e2954cd225f9b4697d2fc7f6747194c).
Next, you need to check whether a certificate is already bound to HTTPS port 443. If one is, delete that binding before adding the new one:
netsh http show sslcert
netsh HTTP delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=74d4ca722e2954cd225f9b4697d2fc7f6747194c appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67}
The value appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67} is the default application ID for Alteryx Server; use it exactly as shown.
To check that the binding is correct, you can run the following command:
netsh http show sslcert
Note: When renewing an expired or expiring certificate, you will need to delete the current binding (netsh HTTP delete sslcert ipport=0.0.0.0:443), capture the thumbprint of the new certificate, and rebind the certificate using the instructions above.
For the final step, you will need to configure the Gallery service to use SSL. To do this open Alteryx System Settings and click Next until you reach Gallery > General. Once there find the Base Address section and check the box to Enable SSL. Then click Next, Finished, or Done as appropriate to apply the settings change and restart the Alteryx Service.
Note: The URL must also match the name the certificate was issued to. As such, if the certificate was issued to the server's fully qualified domain name (e.g. hostname.domain.TLD), your URL needs to match this by using https://hostname.domain.tld/gallery/. If the certificate was issued to just the hostname, you would need to use https://hostname/gallery/. If the URL doesn’t match the certificate the service will fail to start properly. This applies for the Base Address, Web API Address, Canonical Base Address, and Canonical Web API Address, where available and applicable.
Additional Note: If you create a CSR and the CA doesn't return a file that contains the combined key and certificate then you will need to create a .pfx file that contains both the certificate and the key. You can do this in the same manner as directed under the self-signed certificate section. Just use the key created when you create the CSR, and the certificate file received back from your CA with the following command:
openssl.exe pkcs12 -export -out ServerName.pfx -inkey ServerName.key -in ServerName.crt
Once you have a valid .pfx file with the CA signed certificate and key you can import it and bind it to the HTTP service using the information above.
Also, if you install a certificate that doesn't have an associated private key, you will get the following error when trying to bind the certificate to the HTTP service port:
SSL Certificate add failed, Error: 1312
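The checks the article's notes call for before binding (private key present, so no Error 1312; Gallery URL host matching the CN or a DNS SAN; stray characters stripped from the copied thumbprint) can be scripted. The PowerShell below is an added example, not part of the article or of Alteryx's own tooling; it assumes PowerShell 5.1 or later run as Administrator, the Gallery host name is a placeholder, and the thumbprint and appid defaults are the article's.

```powershell
# Added example, not from the article: pre-flight checks for the netsh binding step.
# Assumptions: PowerShell 5.1+ run as Administrator; $GalleryHost is the host name used
# in the Gallery Base Address (placeholder below); thumbprint and appid are the article's.
param(
    [string]$GalleryHost = 'hostname.domain.tld',
    [string]$Thumbprint  = '74d4ca722e2954cd225f9b4697d2fc7f6747194c',
    [string]$AppId       = '{eea9431a-a3d4-4c9b-9f9a-b83916c11c67}'
)

# Drop spaces, colons and any invisible characters copied from the Thumbprint field.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint must be 40 hex characters, got '$Thumbprint'" }

# The certificate must be in LocalMachine\Personal (Cert:\LocalMachine\My).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# A store entry without its private key is what produces 'SSL Certificate add failed, Error: 1312'.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; import the .pfx (certificate + key), not just the .crt'
}

# An expired or not-yet-valid certificate will not be trusted, so refuse it here.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# The Gallery URL host must match the CN or a DNS SAN, otherwise the service fails to start.
$names = @()
$cn = [regex]::Match($cert.Subject, 'CN=([^,]+)')
if ($cn.Success) { $names += $cn.Groups[1].Value.Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Format() renders the extension as "DNS Name=host1, DNS Name=host2"
    $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
} else {
    Write-Warning 'No subjectAltName extension: browsers will not trust this certificate'
}
if ($names -notcontains $GalleryHost) {
    throw "Gallery host '$GalleryHost' is not the CN or a DNS SAN of this certificate ($($names -join ', '))"
}

# Replace any existing binding on 0.0.0.0:443 (the renewal case), then add the new one.
if ((netsh http show sslcert ipport=0.0.0.0:443) -match 'Certificate Hash') {
    netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
}
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$Thumbprint" "appid=$AppId"
netsh http show sslcert ipport=0.0.0.0:443
```

Run it from an elevated PowerShell prompt; each failed check stops the script with the reason before anything is bound.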
Great article @KevinP! Thank you for the detailed instructions!!
Great post, thanks a lot. One additional comment: if you are running server on multiple nodes, make sure you have the same certificate installed on all of them.
Hi,
I've just tried this guide and have a minor update for it.
My problem was that Gallery was up and running on https while the service was starting, but the service didn't manage to finish starting and stopped. What might be the reason is that there is the "Certificate not trusted" warning somewhere in the background, which you can "Accept" in a browser, but not during the service start-up.
So according to this article, you need to add another parameter, so before you generate your certificate, edit the openssl.cfg to contain these lines
[SAN] subjectAltName=DNS:localhost
or any other domain name you want to run at.
Then there is one new obstacle: for some reason the Properties of such an imported certificate look completely different, so to obtain the fingerprint you need to find it out from the command line
openssl x509 -noout -fingerprint -sha1 -inform pem -in ServerName.crt
(and this time instead of deleting spaces, delete colons).
Even though I expected the browser to stop asking about the certificate, it still asks, but the service starts and keeps running.
@VojtechT Thanks for bringing up the SAN (Subject Alternative Name) configuration. When I initially wrote this article the SAN field wasn't required by browsers and the certificate would be trusted as long as the signing certificate authority was and the CN (Common Name) matched. Best practice of course is to use a SAN to also define any alternate or alias names, but it wasn't required at the time. It also makes things a bit more complicated when using OpenSSL to generate a CSR or cert. Modern browsers all now require that the SAN be present even if you aren't using an alternative or alias name in order to trust the certificate.
As for Designer and Server, we still don't hard require the SAN field, but we do require the cert to be trusted (i.e. the URL must match the CN or a SAN if available, and the signing CA must be trusted) for a connection to be established. If the certificate isn't trusted the connection will fail. This includes the service's internal connection to Gallery on startup, and as such can cause the service to fail to start properly. I do plan to update/replace this article with a more comprehensive and updated version as soon as I have some time. Maybe I will even get a chance to cover elliptic curve keys as well as RSA, and generating CSRs and certificates with different tools.
Hi @KevinP ,
yes, I might have been too rushed to jump to conclusions. My certificate wasn't signed, thus not trusted, and I was under the impression that the presence of SAN was the solution, but apparently there are two:
Hello @KevinP
This document is of great help. Thank you.
I followed the document and was able to configure SSL, but when I try to start the Alteryx Service after making the changes in Gallery, the service does not start, or it starts but shuts down in a few seconds.
I unchecked the SSL option in gallery and it works again. Any thoughts?
@kbs2018 Use the appid listed in the document. It's a generic Alteryx ID.
Can you guide me to a video or link? I checked https://www.youtube.com/watch?v=Nk6HIV-rDL8 but it shows how to get the appid for Windows. Another link https://4sysops.com/archives/find-the-product-guid-of-installed-software-with-powershell/ shows going to uninstall, but I cannot see Alteryx there. Also tried to look in
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID <Executable_name> AppID = {AppID_GUID}
Does it need to be Alteryx appID or Windows APP ID?
@AnilD , do you still have that issue with Alteryx Server service not being able to start up? You might check my first comment in this article since I had a similar issue and I am describing there what helped me to solve the problem.
Hi @KevinP ,
Are there any special considerations for installing on a multi node instance? e.g. does the ssl certificate need to be installed on a particular node?
@paul_houghton The SSL certificate only applies to the Gallery web UI. As such, in a multi-node environment it only needs to be installed on the server or servers running Gallery. If you have more than one Gallery node you should ensure each node's FQDN and any necessary aliases are included in the certificate as subject alternative names (SAN). For example, if you have two Gallery nodes as server1.domain.tld and server2.domain.tld and users will be accessing them as gallery-us.domain.tld and gallery-uk.domain.tld, the certificate's SAN values should include all 4 names (e.g. server1.domain.tld, server2.domain.tld, gallery-us.domain.tld, and gallery-uk.domain.tld).
Hello everyone,
I installed the certificate with success but when I try to bind it, I get:
C:\Windows\system32>netsh http add sslcert ipport=0.0.0.0:443 certhash=6065c875ac38f3704ffca3827eae43a615010b51 appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67}
SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated.
And I just can't seem to be able to get through this... has anyone been faced with this? Googling didn't really help me much 😞
@jforte please see the very first comment I made on this thread. It provides an additional note about this exact error, what causes it, and how to fix it.
Hi all
In our environment we need a server certificate with a minimum key length of 3072 bits.
Can I use OpenSSL by changing it to:
openssl.exe req -config openssl.cfg -out ServerName.csr -new -newkey rsa:3072 -nodes -keyout ServerName.key
Does Alteryx work with it?
Many thanks
Steffen
@chvizda The key length for RSA keys shouldn't matter to our server. As such deploying with a 2048, 3072, 4096, or even higher keys should work without issue. I frequently deploy key lengths at 4096 bit lengths as they are considered more secure with an acceptable performance impact.
Please note it is also possible to use elliptic curve keys instead of RSA keys. If you are going to use an ECC key I highly recommend using a 256 or 384 bit curve for the key, and the matching sha256 or sha384 algorithm for the signature hash. This is because Chrome does not currently support secp521 curves, or sha512 combined with ECC keys. If you would prefer an ECC key, the following commands can be used to generate an ECC key and associated CSR that would work with the Alteryx Server and is supported by all major browsers.
openssl ecparam -out ServerName.key -name secp384r1 -genkey
openssl req -config openssl.cfg -new -nodes -sha384 -key ServerName.key -out ServerName.csr
Great @KevinP
@KevinP, I think it would be useful to add a comment regarding the appid within the article so that the users are aware of it right away instead of reading through the comments. And thank you @AnilD for the comment on that.
I'm having an issue where, when I go to the netsh console and paste the line:
netsh http add sslcert ipport=0.0.0.0:443 certhash=74d4ca722e2954cd225f9b4697d2fc7f6747194c appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67}
When I substitute the certhash with the certificate's thumbprint I get the following error message: "netsh the following command was not found". Am I doing something obviously wrong?
Managed to get the line working after all!
@Esko (and anyone else having this problem)
Sometimes there is a non-display character between the equals sign and the condensed thumbprint. If you go in and explicitly backspace from the first character of the thumbprint through the equals sign and then type the equals sign and the first character back in, it may work better.
Hi All,
Some great help in here but unfortunately not enough to get me across the line.
We have a simple installation on a 2019 server. The server also hosts another app which is consuming port 443.
We have followed the steps in this doc to add a certificate from ZeroSSL and it has installed just fine.
We have modified the runtime settings file to change our port to port 82
We have modified the gallery url setting in the alteryx settings program. to read //alteryx.ourdomain.com:82/gallery
Our service will not start.
log file states "Gallery Service failed to start in a timely fashion, exiting."
I noticed that while the service is starting it does establish a listener on port 82. When I try to hit it from my browser as it's starting I get "
Just wanted to save anyone else the headaches I just went through to resolve the "SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated." error as mine had nothing to do with a private key not being present. Instead, the system itself did not have access to the file corresponding to the container in the Machine Keys folder. In CMD run the following command:
certutil -v -store my [insert the thumbprint]
In the output find the value next to "Unique container name"
Go to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder
look for the container name from the certutil output, right click it and select "properties"
Check the "Security" tab and make sure/add "SYSTEM" to the Group or username field (edit button, add button, apply) then click "Apply"
I hope this helps someone!!
To add to the resolutions regarding the 1312 error, this worked for me:
1. From Command Prompt with Admin privileges run:
certutil -importPFX <certname>.pfx
2. After the above command, try running the command below and check to see if you're now able to see your certificate:
certutil -store my
3. Re-run the command to bind HTTP port 443 to the certificate:
netsh http add sslcert ipport=0.0.0.0:443 certhash=<Thumbprint> appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67}