User Guide Help Center Documentation User Forums Training
Configuring Your SSL Certificate for Proper HTTPS

A default installation of the Looker application uses self-signed SSL certificates for HTTPS. For production environments, we recommend installing an SSL certificate from a trusted vendor.

To use an SSL certificate with Looker, you will need to create a Java keystore with your certificate and key.

We assume you have the following files:

Install the Certificate

These files should all exist in the same directory. The default is /home/looker/looker/.ssl.

  1. Create the new directory and make it the current directory:

    mkdir /home/looker/looker/.ssl
    cd /home/looker/looker/.ssl
  2. Choose a password for the keystore and put it in a file called .keystorepass:

    echo "some_password_here" > .keystorepass
  3. If you have a CA file, append it to the end of your certificate file:

    echo >> looker.pem
    cat ca.pem >> looker.pem
  4. Convert the certificate and key to a pkcs12 keystore:

    openssl pkcs12 -export \
      -in looker.pem       \
      -inkey looker.key    \
      -out importme.p12
  5. You will be prompted for an export password. Use the one you put in the .keystorepass file above.

  6. Convert the pkcs12 keystore to a Java keystore:

    keytool -importkeystore     \
      -srckeystore importme.p12 \
      -destkeystore looker.jks  \
      -srcstoretype pkcs12      \
      -alias 1
  7. You will be prompted for the new keystore password and the pkcs12 keystore password. Keep using the one in the .keystorepass file.

  8. Create a file named lookerstart.cfg in the same directory as your looker.jar. This file will configure the requisite Looker options every time Looker starts. The file should contain:

LOOKERARGS="--ssl-keystore=/home/looker/looker/.ssl/looker.jks --ssl-keystore-pass-file=/home/looker/looker/.ssl/.keystorepass"

Validate the Certificate

Once Looker is running, you can verify that your cert is correctly installed with OpenSSL s_client.

openssl s_client -connect localhost:9999

If your hostname is, you should see a line in the output like this:

subject=/OU=Domain Control Validated/

Another way to check is with wget. This test can be performed from any host which has network access to your Looker instance via HTTPS.

On a Looker using the default self-signed certificate, the output shows the certificate common name

$ wget
--2014-12-31 12:06:03--
Resolving (
Connecting to (||:9999... connected.
ERROR: cannot verify's certificate, issued by ‘/’:
  Self-signed certificate encountered.
    ERROR: certificate common name ‘’ doesn't match requested host name ‘’.
To connect to insecurely, use `--no-check-certificate'.

On a Looker using a certificate from a certificate authority, the certificate common name must match the DNS name that clients use to access Looker (or an equivalent wildcard certificate).

Here is an example of a server using a “real” (non-self signed) certificate:

$ wget
--2014-12-31 12:06:47--
Resolving (
Connecting to (||:9999... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2014-12-31 12:06:48--
Connecting to (||:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3491 (3.4K) [text/html]
Saving to: ‘index.html’

100%[====================================================>] 3,491       --.-K/s   in 0.07s

2014-12-31 12:06:48 (50.5 KB/s) - ‘index.html’ saved [3491/3491]

Disabling Insecure SSL Protocols

If you need to remove insecure TLS for security compliance, add this line to your $JAVA_HOME/lib/security/ file:

jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

Next Step

After you have setup your SSL certificate you’re ready to add port forwarding for a cleaner URL.