Skip to content

How to add a certificate chain file for SSL configuration

This guide describes how to configure your Matillion ETL instance to recognize a certificate chain file to your Matillion SSL Setup. This is often useful if you need it to recognize an intermediate certificate.

Note

As of version 1.69, Matillion ETL's Apache Tomcat version has been updated from 8.5.75 to version 10.1.5.

tomcat8 commands are now tomcat.

Note

Key files for SSL certificate chains must be unencrypted and not password protected.

Apache Tomcat SSL configuration

Here is the configuration parameter: SSLCertificateChainFile

  1. Gain an SSH session and switch to the root user.

  2. Take a backup of the current SSL configuration.

    cp -rp /etc/tomcat/localhost.crt /etc/tomcat/localhost.crt.bak

    cp -rp /etc/tomcat/localhost.key /etc/tomcat/localhost.key.bak

    cp -rp /etc/tomcat/server.xml /etc/tomcat/server.xml.bak

  3. Copy the private key and certificates to the following locations.

    cp /your/key/file /etc/tomcat/localhost.key

    cp /your/cert/file /etc/tomcat/localhost.crt

    cp /your/intermediates/file /etc/tomcat/localhost-chain.crt

  4. Update the file ownership and permissions.

    chown tomcat:tomcat /etc/tomcat/localhost*

    chmod 775 /etc/tomcat/localhost*

  5. Locate the file /etc/tomcat/server.xml and edit the following section:

    <Connector SSLEnabled="true" clientAuth="false" maxPostSize="10485760" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" sslProtocol="TLS">
<SSLHostConfig>
<Certificate certificateFile="${catalina.base}/conf/localhost.crt" certificateKeyFile="${catalina.base}/conf/localhost.key"/>
</SSLHostConfig>
</Connector>

  6. Make the following changes to add an SSLCertificateChainFile property and value (and point to your chain file):

    <Connector SSLEnabled="true" clientAuth="false" maxPostSize="10485760" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" sslProtocol="TLS">
<SSLHostConfig>
<Certificate certificateFile="${catalina.base}/conf/localhost.crt" certificateKeyFile="${catalina.base}/conf/localhost.key" certificateChainFile="${catalina.base}/conf/localhost-chain.crt" />
</SSLHostConfig>
</Connector>

  7. Restart Tomcat.

    systemctl restart tomcat

  8. Validate the connection to the Matillion ETL HTTPS endpoint.

  9. Check the file /var/log/tomcat/catalina.out for any errors.

Video

The below video produced by our solution architects team also references certificate chain files.