Welcome to the Alteryx Knowledge Base

Configuring Alteryx Server for SSL: Obtaining and Installing Certificates
user

Created/Edited - 4/21/2026 by Kevin Powney | Alteryx

Environment

Alteryx Server

Procedure

Recently, we have had a number of questions regarding SSL certificates, how to install them, and how to configure the Alteryx Server to use them. While the Alteryx Server Installation and Configuration Guide does cover enabling SSL for Alteryx Server, it doesn’t cover obtaining a certificate, or how to install that certificate so it can be used by the server.

 

There are a number of tools and methods you can use to obtain an SSL certificate to use with the Alteryx Server. In this article we will be focusing on using OpenSSL to create a Certificate Signing Request (CSR) to send to a Certificate Authority (CA), generating a self-signed certificate, installing the certificate, and configuring Alteryx Server to use the certificate.

 

Note: If you don’t have OpenSSL installed on your server you can download a precompiled Win32 or Win64 binary from https://slproweb.com/products/Win32OpenSSL.html. Please keep in mind that OpenSSL is not developed, or maintained by Alteryx. That we have no affiliation with the OpenSSL project or the provider of this precompiled binary. As such feel free to use whichever implementation of OpenSSL you are comfortable with.

 

Creating a Certificate Signing Request with OpenSSL:

Important notes:

1. For production deployments, Alteryx and MongoDB recommend using valid certificates generated and signed by a certificate authority. Self-signed certificates are only recommended for development or test environments*

2. Ensure that the Subject Alternative Name (SAN) in the certificate is filled out with all the related URLs (e.g. FQDN, DNS alias, IP address) to avoid browser errors such as "Connection is not secure".


To generate a CSR, open an administrator command prompt on your server and navigate to the directory containing your OpenSSL.exe and configuration file. From there run the following command:

 

openssl.exe req -config openssl.cfg -out ServerName.csr -new -newkey rsa:2048 -nodes -keyout ServerName.key

 

This will prompt you to answer a number of questions related to your organization and the server. You can use the included screenshot for your reference, but keep in mind the responses should be based on your organization and server information.

 

SSL_ScreenShot01.png

 

This command will create two files in the same directory with a .csr and .key extension. These files will need to be provided to your CA in order to have your certificate created. This can be either an internal CA or a public CA such as; Verisign, GeoTrust, DigiCert, Entrust, StartCom, etc. The CA will provide you with a signed certificate in return as a .crt, .cer, .pem, or .pfx file.

 

Creating a Self-Signed Certificate with OpenSSL:

 

You can also use OpenSSL to generate a self-signed certificate. While this isn’t recommended for production environments there may be a number of reasons why you would want to create one. Some possible reasons include dev or lab environments, and testing to confirm functionality before purchasing a certificate from a public CA. Regardless of your reason, you can do so with the following procedure:

 

  • Open an administrator command prompt and navigate to your OpenSSL directory. Once there, run these commands:
openssl.exe req -config openssl.cfg -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout ServerName.key -out ServerName.crt -addext "subjectAltName=DNS:example.com,DNS:example.net"
openssl.exe pkcs12 -export -out ServerName.pfx -inkey ServerName.key -in ServerName.crt


If you are using OpenSSL 3.0.0 or later, and the second command above does not work, use the following for the second command:

openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey ServerName.key -in ServerName.crt -out ServerName.pfx

Self-signed certs using OpenSSL older than 3.4 may also produce an error at import into MMC, with either no-password or a valid password; is so, please refer to the 'PBE-SHA1-3DES' openssl command above to create PFX before import into MMC:

Important: In a change from older versions, OpenSSL 3.0.0 uses AES256 as a default to encrypt the private key when exporting the .pfx file. This may not be handled properly in some environments.
 



The -addext "subjectAltName" parameter has been added to the command above to avoid the self-signed SSL certificate throwing up an invalid error.
The subjectAltName should match your FQDN.

If your Gallery URL is HTTP://Localhost/gallery, set your subjectAltName to localhost


The first command generates a signed certificate (.crt file) and private key (.key file). The second command creates a combined certificate and key file in a .pfx format from the generated certificate and key. Please keep in mind you will be asked the same or similar questions as you would if you were generating a CSR. Please reference the screenshots below:

 

SSL_ScreenShot02.png

 

SSL_ScreenShot03.png

 

Note: As previously stated we do not recommend using self-signed certificates in production environments.

 

Installing the Certificate:


Click here for our instructions on the Help docs or use the instructions below with the screenshots as a visual aid.

Once we have received the signed certificate from the CA or generated a self-signed certificate we need to install it. To install the certificate we need to open a Microsoft Management Console (MMC) to access the Certificates snap-in by following these steps:

 

  1. Click Start and then click Run.
  2. In the command line, type MMC and then click OK.
  3. In the Microsoft Management Console (MMC), on the File menu, click Add/Remove Snap-in.
  4. In the Add Remove Snap-in dialog box, click Add.
  5. In the Add Standalone Snap-in dialog box, select Certificates and then click Add.
  6. In the Certificates snap-in dialog box, select the Computer account radio button because the certificate needs to be made available to all users, and then click Next.
  7. In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
  8. In the Add Standalone Snap-in dialog box, click Close.
  9. In the Add/Remove Snap-in dialog box, click OK.

 

Next, we need to actually import the certificate. To do this:

 

  • Expand Certificates > Personal.
  • Right-click on certificates under personal.
  • Select All Tasks > Import.

 

SSL_ScreenShot04.png

 

This will open the certificate import wizard.

 

SSL_ScreenShot05.png

 

  • Click Next.

 

SSL_ScreenShot06.png

 

  • Browse to the certificate file provided by your CA, or the pfx file generated in the self-signing instructions.
  • Click Next.

 

If you are using a self-signed certificate, or your CA issued a certificate that includes the private key you will be prompted for the password/phrase. Otherwise, this step will be skipped by the import wizard.

 

SSL_ScreenShot07.png

 

  • Enter the password.
  • Check the box to mark this key as exportable.
  • Click Next.

 

The next screen will ask you to confirm where you want to place the certificate. This should have the Certificate store set to ‘Personal’ already.

 

SSL_ScreenShot08.png

 

  • Set the Certificate store to Personal if needed.
  • Click next.
  • On the next screen click Finished.

 

If you are installing a self-signed certificate we need to repeat these steps in order to establish the local server as a trusted authority. To do this install the certificate a second time following the same steps as above. Except for this time we are going to install it to the Trusted Root Certificate Authorities store instead of the Personal store. You can do this by expanding Trusted Root Certificate Authorities, right-clicking on certificates, and choosing All Tasks > Import, or by changing the Certificate store at the end of the import wizard.

 

SSL_ScreenShot09.png

 

SSL_ScreenShot10.png

 

Configuring Alteryx Server to Use the Certificate:

 

At this point, you can follow the detailed instructions from Step 2 of the Configure Server SSL/TLS Help page  to complete the configuration. Alternatively (and for completeness), you can continue with these simplified instructions.

 

First, you need to collect the certificate thumbprint for the certificate you installed above. You can do this from MMC > Certificates > Personal > Certificates by right-clicking on the installed certificate and choosing open. This will open a certificate dialog for the certificate you installed. From there, select the Details tab and find the Thumbprint field. Copy the value and remove all spaces from it (e.g. ‎74d4ca722e2954cd225f9b4697d2fc7f6747194c).

 

SSL_ScreenShot11.png

 

Next, you need to check if there is any current certificate bind to the HTTP port 443

netsh http show sslcert


If there is and it does not match the thumbprint value for the app, it can be deleted as follows

netsh HTTP delete sslcert ipport=0.0.0.0:443


You can now proceed to bind HTTP port 443 to the certificate.
To do so, open your administrator command prompt again. Then run the following command, making sure to replace the cert hash with the thumbprint value you captured:

 

 

netsh http add sslcert ipport=0.0.0.0:443 certhash=‎74d4ca722e2954cd225f9b4697d2fc7f6747194c appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67}

 

SSL_ScreenShot12.png

 


This is the default appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67} for Alteryx


To check that the binding is correct, you can run the following command:

 

netsh http show sslcert

 

SSL_ScreenShot13.png

 

Note: When renewing an expired or expiring certificate, you will need to delete the current binding (netsh HTTP delete sslcert ipport=0.0.0.0:443), capture the thumbprint of the new certificate, and rebind the certificate using the instructions above.

 

For the final step, you will need to configure the Gallery service to use SSL. To do this open Alteryx System Settings and click Next until you reach Gallery > General. Once there find the Base Address section and check the box to Enable SSL. Then click Next, Finished, or Done as appropriate to apply the settings change and restart the Alteryx Service.

 

SSL_ScreenShot14.png

 

Note: The URL must also match the name the certificate was issued to. As such, if the certificate was issued to the server's fully qualified domain name (e.g. hostname.domain.TLD), your URL needs to match this by using https://hostname.domain.tld/gallery/. If the certificate was issued to just the hostname, you would need to use https://hostname/gallery/. If the URL doesn’t match the certificate the service will fail to start properly. This applies for the Base Address, Web API Address, Canonical Base Address, and Canonical Web API Address, where available and applicable.

 

Troubleshooting 

Error 1

The parameter is incorrect.

image.png

Errors when binding a certificate to the HTTPS port: "The parameter is incorrect" and "A specified logon session does not exist. It may have already been terminated" (KB)

 

Error 2

SSL Certificate Add Failed, Error: 1312
A specified logon session does not exist. It may have already been terminated.

Errors when binding a certificate to the HTTPS port: "The parameter is incorrect" and "A specified logon session does not exist. It may have already been terminated" (KB)

 

Additional Information
Was this article helpful?