bg-tutorials

How to Install an SSL Certificate on Tableau Server

In this tutorial, you will learn how to install an SSL certificate on Tableau Server. Tableau handles SSL through the Tableau Services Manager (TSM), so the steps are the same on Windows and Linux. You can use either the TSM web interface or the tsm command line.

Generate a CSR code

We’ll begin with CSR (Certificate Signing Request) generation. A CSR is a block of encoded text you submit to a Certificate Authority when you order the certificate. Generating it also creates the private key you will later install on Tableau Server. You have two options:

Keep the private key file safe. Submit the CSR to the Certificate Authority during your order, and once the CA validates it and issues your SSL certificate, continue with the installation below.

Install an SSL certificate on Tableau Server

Step 1: Prepare your certificate files

After validation, the Certificate Authority emails you the certificate files. Download the archive and extract it on the machine you use to reach TSM. You should have:

  • yourdomain.crt, your primary SSL certificate.
  • yourdomain.ca-bundle, the chain file with the root and intermediate certificates (the CA bundle).
  • yourdomain.key, the private key you generated with the CSR.

Tableau Server requires the certificate and chain files to be x509, PEM-encoded, and saved with a .crt extension (not .pem). If your CA delivered a .pem or .cer file, rename the extension to .crt; the contents do not change. The private key must be unencrypted PEM unless you supply its passphrase during setup.

2026 key-size note: Tableau Server 2025.3 and later runs on OpenSSL 3.4.x with Level 2 security, which requires keys of 2048 bits or longer. A 1024-bit key from an older setup will be rejected, so generate a new 2048-bit (or stronger) key pair if needed.

Step 2: Install the certificate with the TSM web interface

Open the Tableau Services Manager in a browser, replacing <tsm-host> with the name of the computer running Tableau Server:

https://<tsm-host>:8850

Sign in with a TSM administrator account, then configure external SSL:

  • Open the Configuration tab and select Security > External SSL.
  • Under External web server SSL, tick the Enable SSL for server communication checkbox.
  • SSL certificate file: upload your primary SSL certificate (the .crt file).
  • SSL certificate key file: upload your private key (the .key file).
  • SSL certificate key passphrase: leave blank unless your key is passphrase-protected.
  • SSL certificate chain file: upload your CA bundle (root and intermediate certificates).

Click Save Pending Changes, then go to the top of the page and click Pending Changes, followed by Apply Changes and Restart. Tableau Server restarts to apply the new certificate.

Step 3 (alternative): Install the certificate with the tsm command line

If you prefer the command line, open a terminal on the Tableau Server node, sign in to TSM if prompted, and run the enable command with the paths to your three files:

tsm security external-ssl enable --cert-file yourdomain.crt --key-file yourdomain.key --chain-file yourdomain.ca-bundle

If your private key has a passphrase, add the –passphrase option. The change is staged but not yet live, so apply it (this restarts Tableau Server):

tsm pending-changes apply

TSM prompts you that a restart will occur. To skip the prompt in a scripted run, append –ignore-prompt. Once the services come back up, your SSL certificate is installed on Tableau Server.

Test your SSL installation

After Tableau Server restarts, open it over HTTPS (port 443) and confirm the browser shows a valid padlock with no warnings. For a deeper check, run an external scan that flags chain or protocol problems. You can read the certificate Tableau serves directly with OpenSSL:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates

This prints the issuer, subject, and validity dates of the installed certificate. For a full report on errors or vulnerabilities, use our SSL Checker.

Frequently Asked Questions

Does installing SSL on Tableau Server differ between Windows and Linux?

No. SSL is managed by the Tableau Services Manager (TSM), so the web interface steps and the tsm command line work the same way on both Windows and Linux. The only difference is how you open a terminal to run the commands.

What port does the TSM web interface use?

The TSM administration interface runs on port 8850 over HTTPS, so you reach it at https://<tsm-host>:8850. Tableau Server itself serves user traffic over the standard HTTPS port 443 once external SSL is enabled.

Why do my certificate files need a .crt extension?

Tableau Server requires the certificate and chain files to be x509, PEM-encoded, and saved with a .crt extension. If your CA sent a .pem or .cer file, rename the extension to .crt. The file contents are identical, so renaming does not change the certificate.

Do I have to restart Tableau Server after installing the certificate?

Yes. SSL changes are staged as pending changes and only take effect after a restart. In the web interface you choose Apply Changes and Restart; from the command line you run tsm pending-changes apply, which restarts Tableau Server automatically.

What key size does Tableau Server require?

Tableau Server 2025.3 and later uses OpenSSL 3.4.x with Level 2 security, which requires a private key of 2048 bits or longer. Keys shorter than 2048 bits are rejected, so generate a new 2048-bit or stronger key pair if you are upgrading from an older certificate.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.