Use a Custom Domain with Tableau Cloud


Starting August 2025, you can use a custom domain to redirect traffic to your Tableau Cloud site. A custom domain allows site administrators to configure a subdomain, like analytics.example.com, enabling you to embed and access published content without exposing Tableau site details. With a custom domain, you can efficiently route stakeholders to content, offering an organization-specific URL that introduces brand identity.

This topic describes how to configure a custom domain in Tableau Cloud site settings. For information about configuring a custom domain using the Tableau REST API, see Tableau REST API OpenAPI Endpoints(Link opens in a new window).

Before you begin

To add a custom domain to Tableau Cloud, you must meet the following user and TLS certificate requirements.

User requirements

  • Administrator access to your Tableau Cloud site. You must have administrator access to the Tableau Cloud site on which you want to add a custom domain.

  • Administrator privileges to the DNS configuration of the parent domain. You must have administrator privileges to add CNAME records to the DNS configuration of the parent domain.

    A parent domain is the primary domain at the top of the DNS hierarchy, containing child domains (or subdomains) beneath it. For example, “example.com” is a parent domain, with subdomains like “abc.example.com” or “xyz.example.com” connected to it.

TLS certificate requirements

Acquire a valid TLS certificate chain file and private key from a trusted authority (for example, Verisign, Thawte, Comodo, GoDaddy). You can’t use an internal certificate issued by your company.

When acquiring a TLS certificate for the custom domain, follow these guidelines and requirements:

  • TLS certificate that includes the full certificate chain. The TLS certificate must include the full certificate chain in the order of identity certificate > intermediate certificate > root certificate.

  • Valid PEM-encoded x509 certificates. All certificate files must be valid PEM-encoded x509 certificates.

  • SHA-256 is used as the signing algorithm. Certificate files must use the SHA-2 (256 bit or 512 bit) signature hash.

  • RSA is used as the encryption algorithm. Certificate files must use the RSA encryption algorithm.

  • Common Name that matches the custom domain. The certificate Common Name (CN) must match the custom domain entered on the Tableau Cloud Settings page. Tableau doesn’t check the Subject Alternate Name (SAN) field.

  • Expiration within 90 days to 365 days. The certificate expiration date must be within 90 days to 365 days from the issue date.

  • Valid RSA private key file. In addition to the certificate file, you must upload a corresponding TLS certificate key file. The key file must be a valid RSA private key with extension .key and have a bit length of 2048 bits or higher.

PEM-encoded file example

Here’s an example of the format for PEM-encoded certificate and private key files. The content has been shortened for illustration purposes and your files will be longer.

Important: The certificate chain file must start with -----BEGIN CERTIFICATE-----. Additionally, don’t include comments between the -----END and -----BEGIN sections of the certificate chain file.

Certificate chain file 

-----BEGIN CERTIFICATE-----
MIIGiTCCBHGgAwIBAgIIY5dpPr2gQjowDQYJKoZIhvcNAQENBQAwgYsxCzAJBgNV
...
A7jcIyoWtoPP1rZ3VjP4LIVVro8pce7MNtD9CzUYN8kQk1iftBKWjcCd20Km
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGqzCCBJOgAwIBAgIIYifB1rX/1pAwDQYJKoZIhvcNAQELBQAwgYUxCzAJBgNV
...
g+qyDLoAy/td0D8ha8SlWt5ee2cAF9Xu7Y9jNe21Ug==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDpjCCAyugAwIBAgIQDTYMRISRziTtCzVA2HCg3TAKBggqhkjOPQQDAzBhMQsw
...
7LX35CV+ypuVTbKZkjATTvROgmL5AgTbsAg=
-----END CERTIFICATE-----

Private key file 

-----BEGIN PRIVATE KEY-----
MIIEpAIBAAKCAQEAgN9TePjxsgvjZ8QERQILf3YbofaBHGks5E3k9dRP0cx7sw1O
...
xpAh+dRkr0vjsj/ZnJyYfaUQDcV4wslFcn6eKoINEQrtBj40P1iqig==
-----END PRIVATE KEY-----

Compatibility with custom OAuth connections

When configuring a new OAuth client, use your custom domain for the Redirect URL. For example, if your custom domain is "analytics.example.com", the Redirect URL will be "https://analytics.example.com/auth/add_oauth_token". Existing workbooks will continue to function as expected, regardless of your custom domain configuration. For more information about custom OAuth clients, see OAuth Connections.

Add a custom domain to your site

To add a custom domain to your Tableau Cloud site, use the steps in the following sections.

Add domain name

  1. Sign in to the Tableau Cloud site as an administrator and select Settings.

  2. On the General tab, scroll to Custom Domain.

  3. Enter a domain name for your site. The value must be a subdomain. Tableau doesn't support parent domains, such as "example.com", for the custom domain.

  4. Click Save.

Validate CNAME

  1. Using the Tableau Created Domain displayed in Step 1, create a CNAME record in your DNS configuration. This step is performed outside Tableau Cloud and requires network administrator access in your organization. CNAME validation expires 24 hours after adding the custom domain, at which point you must restart the process.

    Tip: We recommend a time to live (TTL) value of 30-60 minutes for the CNAME record.

  2. Select the checkbox to confirm you’ve created a CNAME record from the chosen custom domain to the Tableau CNAME in your DNS configuration.

  3. Click Validate.

Upload TLS certificate and private key

  1. Upload the full certificate chain and private key files associated with the custom domain. The certificate chain must include root, intermediate, and end-user certificates. For more information about certificate requirements, see TLS certificate requirements.

  2. Click Save.

After the files are successfully uploaded, provisioning your domain can take up to 60 minutes. The Tableau Cloud UI displays a status notification while provisioning and will disappear when the custom domain is available.

What to expect when using a custom domain

There are a few user interface changes to consider when using a custom domain, that is, following the custom domain link to the Tableau Cloud site and interacting with content.

  • The URL in the address bar shows the custom domain instead of the Tableau Cloud pod hosting your site. This change doesn’t affect sign-in, as users can still access the site from https://online.tableau.com(Link opens in a new window).

  • The Share dialog link and embed code point to the custom domain instead of the Tableau Cloud pod hosting your site. This change is expected as the dialog populates fields using information from the current URL. For content that was shared or embedded previously, the URL continues to reference the Tableau Cloud pod. To use the custom domain instead, you must manually update previous links using the new Share dialog values. For more information about sharing Tableau content, see Share Web Content(Link opens in a new window) in Tableau Desktop help.

  • For users who are members of multiple sites, the site picker isn’t available when accessing content with a custom domain. To switch sites, sign out and authenticate to the desired site.

Replace or update TLS certificate

You eventually must replace the TLS certificate and key files as they near expiration or as required by operational changes in your organization. The certificate expiration date is displayed in the Custom Domain section of the Settings page.

To replace the TLS certificate and private key files:

  1. Sign in to the Tableau Cloud site as an administrator and select Settings.

  2. On the General tab, scroll to Custom Domain.

  3. Select Replace Certificate and follow the steps listed in Upload TLS certificate.

Remove the custom domain

When you remove a custom domain, the URLs used to share and embed content will no longer be available. To mitigate the impact, users can update URLs for bookmarks and embedded content to use the name of the Tableau Cloud pod hosting their site before removing the custom domain. For the list of Tableau Cloud pods, see Salesforce Trust(Link opens in a new window).

To remove the custom domain from your site:

  1. Sign in to the Tableau Cloud site as an administrator and select Settings.

  2. On the General tab, scroll to Custom Domain.

  3. Select Remove Domain > Remove.

Troubleshooting

Delayed DNS propagation when adding a CNAME record

If you experience a delay while adding the CNAME record to your DNS configuration, make sure that the CNAME reflects the expected mapping. You can use command-line tools such as dig and nslookup to verify the CNAME mapping.

Certificate errors

To correct certificate errors, follow the on-screen instructions and verify the certificate meets the TLS certificate requirements.

Back to top
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!