Adding client certificate to connect to remote server

Applies to: Denodo 8.0, Denodo 7.0, Denodo 6.0
Last modified on: 13 May 2020
Tags: SSL Server configuration

Goal

This document describes how to establish connections from Denodo Platform servers to remote servers through secure channels.

Content

Client certificates can be configured for each tool in the Denodo Platform. To obtain a certificate, the Java utility called keytool must be used. This utility is included with the Denodo Platform in the internal Java Runtime Environment. Keytool manages databases of public/private key pairs, which are used to allow clients to access the server. Such a database is called a KeyStore.

Keytool can also manage databases (TrustStores) that contain certificates from trusted certification authorities (CA). When an SSL connection is established, the server sends its public key certificate to the client. Then, the client decides if it trusts the server by checking if a trusted certification authority has issued the certificate. A certification authority is trusted if its certificate is included in the TrustStore of the client.

The easiest way to add a certificate so that it is used by all the components of the Denodo Platform is to add it to the JVM used to run the Denodo servers and tools. If using the default embedded JVM, the certificate can be added to the cacerts file under <DENODO_HOME>/jre/lib/security/cacerts. To do so, run the following command:

"<DENODO_HOME>/jre/bin/keytool" -keystore "<DENODO_HOME>/jre/lib/security/cacerts" -importcert -alias serverkey -file serverkey-pem.cer

When prompted to trust this certificate, respond by typing y. In this example, serverkey is the alias for the certificate and serverkey-pem.cer is the certificate file.

The password of the TrustStore needs to be provided. The default password of the <DENODO_HOME>/jre/lib/security/cacerts TrustStore is changeit.

Run the following command to make sure that the certificate has been successfully imported:

"<DENODO_HOME>/jre/bin/keytool" -list -keystore "<DENODO_HOME>/jre/lib/security/cacerts"

After adding the certificate in this way, it will be possible to connect to the remote server using a secure connection.
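
The import and verification steps above can be scripted so that the certificate is trusted only after its SHA-256 fingerprint matches a value obtained out of band from the remote server's administrator. This is an added example, not part of the Denodo documentation; the function names, the DENODO_HOME environment variable and the .bak backup file are assumptions.

```shell
#!/bin/sh
# Added example: fingerprint-checked import into the JVM TrustStore.
# Assumptions: DENODO_HOME points at the installation; KEYTOOL, CACERTS and
# STOREPASS may be overridden; STOREPASS defaults to the stock "changeit".
KEYTOOL="${KEYTOOL:-$DENODO_HOME/jre/bin/keytool}"
CACERTS="${CACERTS:-$DENODO_HOME/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Normalize a fingerprint: drop colons and whitespace, upper-case hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -printcert` output on stdin and print its SHA256 fingerprint.
# The anchor keeps "Signature algorithm name: SHA256withRSA" from matching.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# usage: import_verified <alias> <cert-file> <expected-sha256-fingerprint>
import_verified() {
    iv_alias=$1; iv_cert=$2; iv_expected=$(normalize_fp "$3")
    iv_actual=$(normalize_fp "$("$KEYTOOL" -printcert -file "$iv_cert" | extract_sha256)")
    # Refuse to trust a file whose fingerprint is missing or different.
    if [ -z "$iv_actual" ] || [ "$iv_actual" != "$iv_expected" ]; then
        echo "fingerprint mismatch for $iv_cert: refusing to import" >&2
        return 1
    fi
    cp -p "$CACERTS" "$CACERTS.bak" || return 1   # rollback copy of the TrustStore
    # -noprompt replaces the interactive "y"; the fingerprint was checked above.
    "$KEYTOOL" -importcert -noprompt -alias "$iv_alias" -file "$iv_cert" \
        -keystore "$CACERTS" -storepass "$STOREPASS" || return 1
    # Listing by alias returns non-zero if the entry is not in the TrustStore.
    "$KEYTOOL" -list -alias "$iv_alias" -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Run only when invoked with the three arguments, for example:
#   sh import-cert.sh serverkey serverkey-pem.cer "<fingerprint from the server admin>"
if [ "$#" -eq 3 ]; then import_verified "$@"; fi
```

The Denodo servers and tools read the TrustStore when the JVM starts, so restart them after the import.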

Troubleshooting

  • SSLHandshakeException: This error (or a similar one) is shown in the log when trying to establish a connection to a source:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

This error can be solved by adding the source certificate to the JVM used to run the Denodo servers and tools, as described above.

