This tutorial shows you how to generate a CSR (Certificate Signing Request) and a private key for Tableau Server on both Windows and Linux. Tableau Server has no built-in CSR generator, so you use the OpenSSL binary that ships inside the bundled Apache package. Generate the key and CSR on the Tableau Server node, submit the CSR to your Certificate Authority, and once the signed certificate comes back you import it through the Tableau Services Manager.
What you will need
- Administrator (Windows) or sudo (Linux) access on the Tableau Server node.
- The exact Apache package version bundled with your Tableau Server release. List C:\Program Files\Tableau\Tableau Server\packages\ on Windows or /opt/tableau/tableau_server/packages/ on Linux to find the folder named apache.X.Y.Z. The X.Y.Z portion changes with every Tableau Server release.
- The exact fully qualified domain name (FQDN) Tableau Server will serve, for example tableau.yourdomain.com, plus any additional hostnames you want covered by the same certificate (for the SAN field).
- Your organization’s legal details (country, state, city, organization name) for the CSR’s Distinguished Name.
2026 key-size note. Tableau Server 2025.3 and later runs on OpenSSL 3.4.x with Level 2 security, which rejects RSA keys shorter than 2048 bits. Use 2048-bit RSA as the minimum; 3072 or 4096 bits is a reasonable upgrade for keys you plan to keep for several years. The Tableau documentation itself uses 4096-bit RSA in its example.
Generate a CSR on Tableau Server for Windows
If you have already generated your CSR, skip to submit the CSR to your Certificate Authority and then to install your SSL certificate on Tableau Server.
Step 1: Open an elevated Command Prompt
Press the Windows key, type cmd, then right-click Command Prompt and choose Run as administrator. Elevated privileges are required because the bundled OpenSSL lives under C:\Program Files\.
Step 2: Change to the bundled Apache bin directory
Tableau ships its own OpenSSL inside the Apache package. List the packages folder to confirm the exact version installed on your server:
dir "C:\Program Files\Tableau\Tableau Server\packages"
You will see a folder named apache.X.Y.Z (for example apache.20243.24.1015.1532). Change into its bin directory, substituting your own version code:
cd "C:\Program Files\Tableau\Tableau Server\packages\apache.20243.24.1015.1532\bin"
Step 3: Create the private key
Generate a 2048-bit RSA private key. Replace tableau with whatever filename stem you prefer; the key and CSR will share that stem:
openssl.exe genrsa -out tableau.key 2048
Keep tableau.key safe. This is the private key that pairs with the certificate the CA will issue, and Tableau Server cannot serve TLS without it. The Tableau documentation example uses 4096 instead of 2048; either is accepted by public CAs.
Step 4: Generate the CSR with a SAN extension
Modern browsers and TLS clients validate certificates against the Subject Alternative Name (SAN) extension, not against the Common Name alone, so include the SAN list in the request. Replace the hostnames after DNS: with the FQDNs Tableau Server must answer for:
openssl.exe req -new -key tableau.key -out tableau.csr -addext "subjectAltName=DNS:tableau.yourdomain.com,DNS:viz.yourdomain.com"
If OpenSSL complains that it cannot load the configuration file (a warning about /usr/local/ssl/openssl.cnf on Windows is safe to ignore, but a hard error stops the command), point it explicitly at the OpenSSL config that ships with Tableau by adding -config ..\conf\openssl.cnf:
openssl.exe req -new -key tableau.key -out tableau.csr -config ..\conf\openssl.cnf -addext "subjectAltName=DNS:tableau.yourdomain.com,DNS:viz.yourdomain.com"
Step 5: Fill in your organization details
OpenSSL prompts for the fields that go into the CSR’s Distinguished Name. Use exact, legal values: public Certificate Authorities reject mismatches against business records.
- Country Name (2 letter code): the two-letter ISO code for your country, for example US, GB, DE.
- State or Province Name: the full name of the state or province where your organization is registered, for example California. Do not use a two-letter abbreviation.
- Locality Name: the full city name, for example San Francisco.
- Organization Name: the full legal name of your company, for example Your Company LLC. For domain-validated (DV) certificates, leave this field blank.
- Organizational Unit Name: deprecated and no longer issued by public CAs. Press Enter to skip.
- Common Name: the exact FQDN that users will type to reach Tableau Server, for example tableau.yourdomain.com. List the same value as your first SAN entry.
- Email Address: a valid contact email, or press Enter to skip.
- A challenge password and An optional company name: leave both blank. Public CAs ignore these fields.
When the prompts finish, OpenSSL writes the CSR to tableau.csr in the current directory. Continue with verify the CSR below.
Generate a CSR on Tableau Server for Linux
Step 1: Find the bundled Apache bin directory
Tableau Server on Linux ships its own OpenSSL inside /opt/tableau/tableau_server/packages/apache.X.Y.Z/bin. List the packages folder to find the exact version installed on your server:
ls /opt/tableau/tableau_server/packages/ | grep apache
You will see a directory named apache.X.Y.Z (for example apache.20243.24.1015.1532). Use that exact name in the commands below. You do not need to cd into the bin directory; the examples call the bundled OpenSSL with its absolute path so you can run them from your home directory.
Step 2: Create the private key
Generate a 2048-bit RSA private key, calling the bundled OpenSSL binary by its absolute path. Replace the version code with your own:
sudo /opt/tableau/tableau_server/packages/apache.20243.24.1015.1532/bin/openssl genrsa -out tableau.key 2048
Keep tableau.key safe and readable only by the user that will run the import. The Tableau documentation example uses 4096 instead of 2048; either is accepted by public CAs.
Step 3: Generate the CSR with a SAN extension
Include the Subject Alternative Name list directly on the command line. Replace the hostnames after DNS: with the FQDNs Tableau Server must answer for:
sudo /opt/tableau/tableau_server/packages/apache.20243.24.1015.1532/bin/openssl req -new -key tableau.key -out tableau.csr -addext "subjectAltName=DNS:tableau.yourdomain.com,DNS:viz.yourdomain.com"
If OpenSSL refuses to start because it cannot load the default configuration, point it at the OpenSSL config that ships with Tableau by adding the -config flag:
sudo /opt/tableau/tableau_server/packages/apache.20243.24.1015.1532/bin/openssl req -new -key tableau.key -out tableau.csr -config /opt/tableau/tableau_server/packages/apache.20243.24.1015.1532/conf/openssl.cnf -addext "subjectAltName=DNS:tableau.yourdomain.com,DNS:viz.yourdomain.com"
Step 4: Fill in your organization details
OpenSSL prompts for the same Distinguished Name fields as on Windows. Use exact, legal values:
- Country Name (2 letter code): the two-letter ISO country code, for example CA.
- State or Province Name: the full name of the state or province, for example Ontario.
- Locality Name: the full city name, for example Ottawa.
- Organization Name: the full legal name of your company, for example Your Company LLC. For domain-validated (DV) certificates, leave this field blank.
- Organizational Unit Name: deprecated. Press Enter to skip.
- Common Name: the exact FQDN Tableau Server will serve, for example tableau.yourdomain.com. List the same value as your first SAN entry.
- Email Address: a valid contact email, or press Enter to skip.
- A challenge password and An optional company name: leave both blank.
OpenSSL writes the CSR to tableau.csr in the directory you ran the command from.
Verify the CSR before you submit it
Catch typos in the Distinguished Name or missing SAN entries before the CA validates them. Print the CSR with the same bundled OpenSSL. On Linux:
sudo /opt/tableau/tableau_server/packages/apache.20243.24.1015.1532/bin/openssl req -noout -text -in tableau.csr
On Windows, from the same Apache bin directory:
openssl.exe req -noout -text -in tableau.csr
Confirm three things in the output: the Subject shows your exact DN, the X509v3 Subject Alternative Name block lists every hostname you need, and the Public-Key size matches what you generated. You can also paste the CSR into our CSR Decoder for the same check in a browser.
Submit the CSR to your Certificate Authority
Open tableau.csr in a text editor. The file is plain text, starting with —–BEGIN CERTIFICATE REQUEST—– and ending with —–END CERTIFICATE REQUEST—–. Copy the entire block, including those header and footer lines, and paste it into the CSR field during checkout with your CA.
If you prefer to skip the manual editor step, our CSR Generator can produce a CSR and private key in the browser using the same OpenSSL defaults, ready to paste into your CA’s checkout flow.
Install the signed certificate on Tableau Server
Once the CA validates your request and emails you the signed certificate plus chain (CA bundle), you import all three files (certificate, private key, chain) through the Tableau Services Manager. You can use either the TSM web interface at https://<tsm-host>:8850 under Configuration > Security > External SSL, or the tsm command line, for example:
tsm security external-ssl enable --cert-file tableau.crt --key-file tableau.key --chain-file tableau.ca-bundle
tsm pending-changes apply
Tableau Server restarts to load the new certificate. For the full procedure (file formats, passphrase handling, post-install verification), see our how to install an SSL certificate on Tableau Server guide.
Frequently Asked Questions
No. Tableau Services Manager imports certificates and keys but does not create them. Tableau Server bundles an Apache build that includes OpenSSL, so you generate the private key and CSR with that bundled OpenSSL on the Tableau Server node, submit the CSR to a Certificate Authority, and then import the signed certificate plus chain back through TSM.
On Windows, the binary is C:\Program Files\Tableau\Tableau Server\packages\apache.X.Y.Z\bin\openssl.exe. On Linux, it is /opt/tableau/tableau_server/packages/apache.X.Y.Z/bin/openssl. The X.Y.Z portion changes with every Tableau Server release, so list the packages directory to find the exact folder name on your server.
The bundled OpenSSL is built to look for /usr/local/ssl/openssl.cnf, which does not exist on a Tableau Server install. A warning is safe to ignore; a hard error means OpenSSL needs the config file pointed out explicitly. Add -config ..\conf\openssl.cnf on Windows (when you have cd‘d into the Apache bin directory) or -config /opt/tableau/tableau_server/packages/apache.X.Y.Z/conf/openssl.cnf on Linux. The config file ships with Tableau and is already configured for the bundled OpenSSL.
Tableau Services Manager accepts both unencrypted and passphrase-protected private keys. The commands in this guide call openssl genrsa without -aes256, which produces an unencrypted PEM key that TSM can import without prompting for a passphrase. If you prefer a passphrase-protected key, add -aes256 to the genrsa command and supply the same passphrase to TSM (either in the SSL certificate key passphrase field in the web UI, or with –passphrase on the tsm security external-ssl enable command line). Note that a passphrase-protected key cannot be reused for SAML.
Yes, but only if you also move the private key. The CSR and the private key are a pair: the CA signs the CSR, and the signed certificate only works with the matching private key. If you generate the key and CSR on a workstation, copy both files to the Tableau Server node over a secure channel before importing the signed certificate through TSM. Tableau Server itself does not generate keys, so where the keypair is created does not matter as long as you also hand the key to TSM at install time.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


