
SSL Configuration FAQ

Overview

This article is designed to help you troubleshoot typical errors that you may encounter while configuring SSL for Matillion ETL.

Matillion will continue to add and update the information in this article, to help you investigate, diagnose, and fix any issues. If you can't find the answer to your question here, please visit our Getting Support page.


Where is the private key stored?

The private key is stored on the Matillion ETL server at:

/etc/tomcat/localhost.key


Where is the certificate stored?

The SSL certificate is stored on the Matillion ETL server at:

/etc/tomcat/localhost.crt


How do I add a Trusted Certification Authority (CA) certificate to Matillion ETL?

All Cloud Data Warehouses supported by Matillion ETL now use public certificate authorities (CAs) that are trusted by our systems. This change means that you will no longer need to manually renew your SSL certificates. However, errors can still occur when connecting to products to pull data into the intended data warehouse, and also if your version of Matillion ETL requires an update. For more information, read this article.


Where is the Java keystore?

The Java keystore is stored on the Matillion ETL server at:

/usr/lib/jvm/jre/lib/security/cacerts


When creating the Certificate Signing Request, do I need to specify a Subject Alternative Name?

Yes, you do. Some of the major browsers no longer require a Common Name (CN) but do require a Subject Alternative Name (SAN).


How do I create a Certificate Signing Request with a SAN in it?

To create a Certificate Signing Request (CSR) with a Subject Alternative Name (SAN), follow these steps.

  1. Log in to the Matillion ETL server.
  2. Go to /tmp, or any other directory you have created for this purpose.
  3. Create a file named san.cnf containing the following information, substituting your own information for each value:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (e.g. your company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = additional DNS 
DNS.2   = additional DNS
DNS.3   = additional DNS

In the [alt_names] section, enter any additional DNS names you are using.

  4. Save the file.
  5. Execute the following OpenSSL command:
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf

This will create sslcert.csr and private.key files in the present working directory.

  6. Send sslcert.csr to your certificate signing authority so they can provide you with a certificate that includes the SAN.
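
Before sending the CSR, it is worth confirming that the SAN entries actually made it into the request and that private.key, which -nodes writes unencrypted, is readable only by its owner. The shell script below is an added example, not part of the original Matillion article: it builds a CSR with the command from the steps above and runs both checks. The example.com host names, the -subj value and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original article; host and function names are constructed.
# Build a CSR in directory $1 with the command from the steps above.
# -subj (assumed value) replaces the interactive distinguished-name prompts.
make_demo_csr() {
    (
        cd "$1" || exit 1
        umask 077   # -nodes leaves the key unencrypted, so create it owner-only
        cat > san.cnf <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = etl.example.com
DNS.2 = etl-alt.example.com
EOF
        openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key \
            -config san.cnf -subj "/CN=etl.example.com" 2>/dev/null
    )
}

# Print the DNS names in the CSR's Subject Alternative Name extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}

# Succeed only if every name given after the CSR path is present as a DNS SAN.
csr_has_sans() {
    csr=$1; shift
    found=$(csr_sans "$csr")
    for name in "$@"; do
        printf '%s\n' "$found" | grep -qxF -- "$name" ||
            { echo "missing SAN: $name" >&2; return 1; }
    done
}

# Succeed only if the key file grants nothing to group or other (for example 0600).
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

demo=$(mktemp -d) && make_demo_csr "$demo" &&
    csr_has_sans "$demo/sslcert.csr" etl.example.com etl-alt.example.com &&
    key_is_private "$demo/private.key" && echo "CSR carries both SANs; key is owner-only"
rm -rf "$demo"
```

To check a real request, run csr_has_sans against your own sslcert.csr with the DNS names you listed in [alt_names].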