This is an easy guide on how to install a self-signed certificate on Tableau Server that requires just 1 config file and 2 commands. It can also be applied to Windows machines (just make sure to add the OpenSSL directory to your PATH variable).
I will also show you how to install that certificate on a client computer (MacOS and Windows), so that it trusts the certificate while browsing Tableau’s GUI.
Self-signed SSL certificates should only be used for testing or development purposes.
So, why bother? Well, there are a number of good reasons why you might need to quickly generate and test SSL certificates (topic for a non-lockdown beer?), but it also gets rid of that annoying “Your Connection is Not Private” message, so it does feel good :P
Any external-facing Tableau Server must run over an encrypted SSL channel (ideally behind a Reverse Proxy / Load Balancer). Another time when you might want to install a quick self-signed cert is when building an app with Tableau embedded; otherwise you’ll get into an infinite SSO sign-in loop, more info here.
1. Generate a self-signed certificate
1.1 Create an OpenSSL configuration file (example req.conf).
Change CN and IP.1 to your Tableau Server’s IP Address (example 127.0.0.1)
[req]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = US
CN = 127.0.0.1
L = SomeCity
O = MyCompany
OU = MyDivision
ST = VA

[req_ext]
subjectAltName = @alt_names

[v3_req]
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
Note: If you are accessing Tableau over a proper domain, say www.company.com (you may also add multiple domain aliases), change these parts on the config file:
CN = www.company.com

[alt_names]
DNS.1 = www.company.com
DNS.2 = [domain]
1.2 Create the self-signed certificate
The next command will generate the following two files:
- cert.key — a certificate private key file (You will use this to self-sign the certificate)
- cert.crt — the actual self-signed certificate
You can also specify the certificate validity (e.g. 365 days). We used the OpenSSL config file (req.conf) to specify all other parameters of our certificate.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-config req.conf \
-keyout cert.key -out cert.crt
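Before handing the two files to Tableau Server, it is worth checking that the key matches the certificate, that the SAN covers the address you will browse to, that the certificate is marked CA:FALSE (it ends up in a trusted root store in step 3), and that it has not expired. The script below is an added example, not part of the original guide; the function names and the file name preflight.sh are made up for illustration, and make_sample builds a constructed throwaway pair so the checks can be tried without touching the real files.

```sh
#!/bin/sh
# Added example: checks to run on cert.crt / cert.key before enabling SSL in TSM.

cert_matches_key() {   # certificate's public key equals the key file's public key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

cert_covers() {        # certificate covers the IP or name typed into the browser
    case $2 in
        *[!0-9.]*) flag=-checkhost ;;   # anything but digits and dots: DNS name
        *)         flag=-checkip ;;     # dotted IPv4 address (IPv6 not handled)
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

cert_is_leaf() {       # basicConstraints says CA:FALSE, so it cannot sign other certs
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:FALSE'
}

cert_is_current() {    # still valid $2 seconds from now (default: one day)
    openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

preflight() {          # usage: preflight cert.crt cert.key 127.0.0.1
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_covers "$1" "$3"      || { echo "FAIL: certificate does not cover $3"; rc=1; }
    cert_is_leaf "$1"          || { echo "FAIL: not marked CA:FALSE"; rc=1; }
    cert_is_current "$1"       || { echo "FAIL: expired or expiring within a day"; rc=1; }
    return $rc
}

# Constructed sample: a throwaway pair in directory $1, SAN = IP 127.0.0.1 only.
make_sample() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ext' \
        'prompt = no' '[dn]' 'CN = 127.0.0.1' '[ext]' 'basicConstraints = CA:FALSE' \
        'subjectAltName = IP:127.0.0.1' > "$1/req.conf"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$1/req.conf" \
        -keyout "$1/cert.key" -out "$1/cert.crt" 2>/dev/null
}

# Run directly as: sh preflight.sh cert.crt cert.key 127.0.0.1
if [ $# -eq 3 ]; then preflight "$@"; fi
```

A failed SAN check here is the same mismatch the browser would report later, even after the certificate has been added to the client's trust store.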
2. Configure SSL for External HTTP Traffic to and from Tableau Server
Finally, let’s configure Tableau Server to use SSL for inbound and outbound traffic by importing the two files generated in the previous step (private key and certificate). This step may also be executed from the TSM GUI, more info here.
tsm security external-ssl enable --cert-file cert.crt --key-file cert.key
tsm pending-changes apply --ignore-prompt
3. Optionally add the certificate to your client Windows or Mac OS Trusted store
In order for browsers to show a valid and trusted certificate, it’s necessary to import the certificate manually on all client computers (of course, we will only do this on test machines, as in production we would never use a self-signed certificate)
- Transfer the certificate (e.g. cert.crt) to your Mac
- Double-click on it to automatically start the import wizard from the Keychain Access tool.
- Add it to the System keychain
- Find the newly added certificate and change it to “Always Trust”
- Now you can browse Tableau Server over HTTPS without any issues :D
- Transfer the certificate (e.g. cert.crt) to your Windows computer
- Double-click on it to automatically start the Certificate Import Wizard, then click “Install Certificate”
- Choose “Local Machine”
- Place the certificate into the “Trusted Root Certification Authority”
- You can confirm the certificate has been imported by opening Windows Certificate Manager Tool
4. Browse to Tableau Server with HTTPS and a valid Certificate :D
Because our Computer now “Trusts” this certificate, browsers will also trust and show that the certificate is valid and we’re good to go!