2 Replies Latest reply on May 22, 2020 11:55 AM by Albert Lee

    When to update SAML CRT and Key file.

    Sagar Sidhpura

      Hello All,

       

      We are using same certificate files for both SSL and SAML. Our SSL certificate is expired and we renewed the same with the help of our internal CA team. We received the certificate from our team in .PFX format. Below steps were followed to generate . CRT and .Key file:

       

      - We will get a password protected certificate .PFX file for the Tableau server URL from our internal team.

      - We install the . PFX on our laptop in MMC. Once we see the cert in MMC, we export the certificate as .CER (Base 64 encoded X.509) and save it as .CRT extension

      - To generate the key, we first convert the .PFX file to Standard PEM

      - From the Standard PEM file, we copy everything from -----BEGIN PRIVATE KEY----- till -----END PRIVATE KEY----- and save that in a notepad file as a .key extension.

      - We apply the above generated .crt and .key to configure SSL and restarted the Tableau service and was able to access the URL without any issues with the new certificate.

      - New certificate .crt and .key file was not updated in SAML configuration in TSM.

       

      Question I have is below:

      - When same certificate is used for SSL and SAML, does the certificate (.crt and .key)  in SAML needs to be renewed / updated at the same time when SSL cert is getting updated ?

      - When I pried applying the new certificate .crt and .key file in SAML, have seen issues with Application process not coming up post restart. In the logs, I see key related error. I applied the old .key file in SAML with the new .CRT and then restarted the service and found application process to work fine and also able to access Tableau URL. So curious to know, do we need to generate .key file only once and it can be used with new .CRT files ?

      - Also, in SAML if we use the expired .crt and .key file we have seen Tableau URL to be working fine, is this expected?

        • 1. Re: When to update SAML CRT and Key file.
          Srinidhi Narayan

          Sagar,

           

          has this issue been resolved?

          • 2. Re: When to update SAML CRT and Key file.
            Albert Lee

            Going through the same thing myself now.  What I've found (others please correct me if I'm wrong):

             

            RE: When same certificate....

            1. Tableau SSL and Tableau SAML operate independently.  Therefore, you could use the same certificate/key set for both, or you could use one certificate/key set for SSL and a different one for SAML.  For SAML, you can even use a self-signed certificate with a super-long expiration date Updating SSL certificates? .  Therefore, you do not have to update the SAML and SSL certificates at the same exact time, since they function independently.
            2. That said, if you are definitely using the same certificate for both SAML and SSL and are updating the certificate because it's expiring, then it makes sense to update the SAML side and the SSL side at the same time.  We know an expired certificate used for SSL will throw warnings to web browsers.  I believe the Tableau SP may not be happy with an expired certificate on the SAML side as well (though there are other SAML SP implementations that don't care about expired certificates, the public key being the only relevant factor).

             

            RE: When I pried [sic] applying...

            1. No idea what's going on there.  A certificate CRT file is just a public key in a wrapper that has some additional metadata in it that is generated from a private key (.key file).  If you created a new private key and then generated the certificate (including public key) from the new private key, this certificate (CRT) should NOT work with the old private key.  It's possible you generated a new certificate from the old private key (which is perfectly fine), which would explain why the old key works with the new CRT.  Otherwise, I don't know what's going on.  Bottom line: the CRT file has to be paired with the private key it was generated from.

             

            RE: Also, in SAML if we use the expired .crt and .key file we have seen Tableau URL to be working fine, is this expected?

            1. I don't know what you mean by "Tableau URL to be working fine": does this mean the SSL functionality is working (https://) or that the SAML functionality is working?  SSL does not care about the SAML configuration, so as long as you have a current SSL certificate, you can be using an expired (and therefore different) SAML certificate (and likely break SAML).  I say "likely break SAML" because I do not know for sure how Tableau SP and whatever IdP you are using will behave with an expired SAML certificate.  It would be nice if a Tableau rep would answer this question: can we use an expired certificate for SAML?