In this tutorial, you will learn how to install an SSL certificate on Tableau Server. Tableau handles SSL through the Tableau Services Manager (TSM), so the steps are the same on Windows and Linux. You can use either the TSM web interface or the tsm command line.
Generate a CSR code
We’ll begin with CSR (Certificate Signing Request) generation. A CSR is a block of encoded text you submit to a Certificate Authority when you order the certificate. Generating it also creates the private key you will later install on Tableau Server. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on Tableau Server.
Keep the private key file safe. Submit the CSR to the Certificate Authority during your order, and once the CA validates it and issues your SSL certificate, continue with the installation below.
Install an SSL certificate on Tableau Server
Step 1: Prepare your certificate files
After validation, the Certificate Authority emails you the certificate files. Download the archive and extract it on the machine you use to reach TSM. You should have:
- yourdomain.crt, your primary SSL certificate.
- yourdomain.ca-bundle, the chain file with the root and intermediate certificates (the CA bundle).
- yourdomain.key, the private key you generated with the CSR.
Tableau Server requires the certificate and chain files to be x509, PEM-encoded, and saved with a .crt extension (not .pem). If your CA delivered a .pem or .cer file, rename the extension to .crt; the contents do not change. The private key must be unencrypted PEM unless you supply its passphrase during setup.
2026 key-size note: Tableau Server 2025.3 and later runs on OpenSSL 3.4.x with Level 2 security, which requires keys of 2048 bits or longer. A 1024-bit key from an older setup will be rejected, so generate a new 2048-bit (or stronger) key pair if needed.
Step 2: Install the certificate with the TSM web interface
Open the Tableau Services Manager in a browser, replacing <tsm-host> with the name of the computer running Tableau Server:
https://<tsm-host>:8850
Sign in with a TSM administrator account, then configure external SSL:
- Open the Configuration tab and select Security > External SSL.
- Under External web server SSL, tick the Enable SSL for server communication checkbox.
- SSL certificate file: upload your primary SSL certificate (the .crt file).
- SSL certificate key file: upload your private key (the .key file).
- SSL certificate key passphrase: leave blank unless your key is passphrase-protected.
- SSL certificate chain file: upload your CA bundle (root and intermediate certificates).
Click Save Pending Changes, then go to the top of the page and click Pending Changes, followed by Apply Changes and Restart. Tableau Server restarts to apply the new certificate.
Step 3 (alternative): Install the certificate with the tsm command line
If you prefer the command line, open a terminal on the Tableau Server node, sign in to TSM if prompted, and run the enable command with the paths to your three files:
tsm security external-ssl enable --cert-file yourdomain.crt --key-file yourdomain.key --chain-file yourdomain.ca-bundle
If your private key has a passphrase, add the –passphrase option. The change is staged but not yet live, so apply it (this restarts Tableau Server):
tsm pending-changes apply
TSM prompts you that a restart will occur. To skip the prompt in a scripted run, append –ignore-prompt. Once the services come back up, your SSL certificate is installed on Tableau Server.
Test your SSL installation
After Tableau Server restarts, open it over HTTPS (port 443) and confirm the browser shows a valid padlock with no warnings. For a deeper check, run an external scan that flags chain or protocol problems. You can read the certificate Tableau serves directly with OpenSSL:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates
This prints the issuer, subject, and validity dates of the installed certificate. For a full report on errors or vulnerabilities, use our SSL Checker.
Frequently Asked Questions
No. SSL is managed by the Tableau Services Manager (TSM), so the web interface steps and the tsm command line work the same way on both Windows and Linux. The only difference is how you open a terminal to run the commands.
The TSM administration interface runs on port 8850 over HTTPS, so you reach it at https://<tsm-host>:8850. Tableau Server itself serves user traffic over the standard HTTPS port 443 once external SSL is enabled.
Tableau Server requires the certificate and chain files to be x509, PEM-encoded, and saved with a .crt extension. If your CA sent a .pem or .cer file, rename the extension to .crt. The file contents are identical, so renaming does not change the certificate.
Yes. SSL changes are staged as pending changes and only take effect after a restart. In the web interface you choose Apply Changes and Restart; from the command line you run tsm pending-changes apply, which restarts Tableau Server automatically.
Tableau Server 2025.3 and later uses OpenSSL 3.4.x with Level 2 security, which requires a private key of 2048 bits or longer. Keys shorter than 2048 bits are rejected, so generate a new 2048-bit or stronger key pair if you are upgrading from an older certificate.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


