Skip to main content Skip to complementary content

Setting a root Certificate Authority chain between Talend Administration Center webserver and client applications

A secured HTTPS connection between Talend Administration Center webserver and client applications (Studio, Nexus/artifactory, GIT, etc.) can be achieved through a certificate chain that provides a common and long-term (>10 years) certification.

About this task


  1. Generate a certificate .cer file following various sub-steps:
    1. Prepare the below values according to your configuration:
      • server IP: serverIP
      • SAN IP:serverIP or additional domain names (if available)
      • Keystore password: changeit
      • Server Pretty Name: serverPrettyName
    2. In Powershell, generate the private key with the appropriate values.
      keytool -genkey -alias serverIP -keyalg RSA -keysize 4096 -keystore talendKey.jks -dname "CN=serverIP, OU=name of the organizational unit/department, O=name of the company/organization, ST=name of the region or state , C=name of the country" -keypass changeit -storepass changeit -ext SAN=ip:serverIP,dns:serverPrettyName
    3. Perform the Certificate Signing Request with the appropriate values, to obtain a .csr file.
      keytool -certreq -file serverIP.csr -keystore talendKey.jks -storepass changeit -alias serverIP -ext SAN=ip:serverIP,dns:serverPrettyName
    4. Countersign the .csr file using a Certificate Authority.
    5. Download the approved certificate in OpenSSL format.
    6. Extract the first certificate content from the above file and paste it in serverIP.cer file, through a text editor tool.
    7. In case of a change in certificate chain or first installation, the certificate needs to be added to the truststore.
      Extract the first server-related entry from the serverIP.cer file and paste it to the chain.cer file. The chain should include the root and intermediate signatures. keytool -import -file /opt/talend/talend-version/truststore/Talend_certificate/chain.cer -keystore /opt/talend/talend-version/truststore/BitTalend -alias chain
      Information noteNote: If you have set self-signed certificates instead of a common Certificate Authority certificate, you can use the certificate chain to initialise the java keystore by importing all certificates. For more information, see the corresponding section Configuring SSL for Talend Administration Center.
  2. Merge the downloaded serverIP.cer file with the key p12 file that is currently available in the JKS store:
    1. Convert JKS to PKCS format using keytool: keytool -importkeystore -srckeystore talendKey.jks -destkeystore talendKey.p12 -deststoretype PKCS12
    2. Extract the key file from PKCS and create a separate key file: openssl pkcs12 -in talendKey.p12 -nodes -nocerts -out talendKey.key
  3. Combine the certificate, the key file and the certificate chain into a new p12 file:
    openssl pkcs12 -export -in <serverIP>.cer -inkey talendKey.key -out certificate.p12 -chain -CAfile chain.cer -name <serverIp>
  4. Convert p12 file to the keystore using java keytool
    Nexus: keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore

    Talend Administration Center:keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore /opt/talend/talend-version/truststore/BitTalend

  5. If you are using Nexus, store the generated keystore (and truststore) in nexusinstall>etc>ssl subfolder. To implement the changes, stop Nexus and restart it.
  6. Make sure that keynames/passwords are correct in etc/jetty/jetty-https.xml file.
  7. To configure the SSL connection:
    • If the certificate is set on Tomcat webserver, enter the following command: /opt/talend/talend-version/truststore/Talend_SSL/Talend_TAC_QA" keystorePass="keystore pass".
      Then configure Tomcat: open the <TomcatPath>/conf/server.xml file, uncomment and edit the SSL part as follows:
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="true" sslProtocol="TLS" 
      	truststorePass=<trustStorePassword> />
    • If the certificate is only set on the webapp itself, see this section and enter the following command: keytool -delete -alias tomcat -keystore /opt/talend/talend-version/truststore/BitTalend -storepass changeit


Restart Talend Administration Center service.

Enter Talend Administration Center URL: https://localhost:8080/org.talend.administrator in a browser. The application is now displayed together with a green padlock icon: .

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!