Enabling SSL using a new CA-signed certificate

This tutorial shows you how to enable SSL for ArcGIS Server using a certificate signed by a Certificate Authority (CA). The steps are described in the sections that follow.

Create a new self-signed certificate

Steps:
  1. Log in to the ArcGIS Server Administrator Directory: http://gisserver:6080/arcgis/admin.
  2. Navigate to machines > [machine name] > sslcertificates.
  3. Click generate.
  4. Enter values for the parameters on this page:

    Option: Description

    Alias: A unique name that easily identifies the certificate.

    Key Algorithm: Use RSA (the default) or DSA.

    Key Size: Specifies the size in bits to use when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For DSA, the key size can be between 512 and 1,024. For RSA, the recommended key size is 2,048 or greater.

    Signature Algorithm: Use the default (SHA1withRSA). If your organization has specific security restrictions, then one of the following algorithms can be used: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withDSA for DSA.

    Common Name: Use the domain name of your server as the common name. If your server will be accessed on the Internet through the URL https://www.gisserver.com:6443/arcgis/, use www.gisserver.com as the common name. If your server will only be accessible on your local area network (LAN) through the URL https://gisserver:6443/arcgis, use gisserver as the common name.

    Organizational Unit: The name of your organizational unit, for example, GIS Department.

    Organization: The name of your organization, for example, Esri.

    City or Locality: The name of the city or locality, for example, Redlands.

    State or Province: The full name of your state or province, for example, California.

    Country Code: The abbreviated code for your country, for example, US.

    Validity: The total time in days during which this certificate will be valid, for example, 365.

  5. Click Generate to generate the certificate.

Request a CA to sign your certificate

For web browsers to accept your certificate as trusted, it must be verified and counter-signed by a well-known Certificate Authority, such as Verisign or Thawte.

Steps:
  1. Open the certificate created in the previous section and click generateCSR. Copy the contents into a file, usually with a *.csr extension.
  2. Submit the CSR to a CA of your choice. You may obtain a Distinguished Encoding Rules (DER) or Base64 encoded certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, they will send you a *.crt or *.cer file.
  3. Save the signed certificate received back from the CA to a location on your computer. In addition to the signed certificate, the CA will also issue a CA root certificate. Save the CA root certificate to your computer.
  4. Log in to the ArcGIS Server Administrator Directory: http://gisserver:6080/arcgis/admin.
  5. Click machines > [machine name] > sslcertificates > importRootOrIntermediate to import the CA root certificate. If the CA issued any additional intermediate certificates, import those as well.
  6. Navigate to machines > [machine name] > sslcertificates.
  7. Click the name of the certificate that you submitted to the CA.
  8. Click importSignedCertificate.
  9. Click Browse and navigate to the location where you saved the signed certificate received back from the CA.
  10. Click Submit to import this certificate. This replaces your self-signed certificate with the CA-signed certificate.

Import the CA root certificate into the OS certificate store

Steps:
  1. On a machine hosting ArcGIS Server, open Certificate Manager. You can do this by clicking the Start button, then typing certmgr.msc into the Search box, and then pressing ENTER.
  2. In the Certificate Manager dialog box, select the appropriate folder under the Certificates table of contents.
  3. After selecting the folder, click the Action menu, then select All Tasks > Import.
  4. On the Certificate Import Wizard dialog box, click Next, then follow the instructions in the wizard to import the CA's root certificate.
  5. Repeat steps 1-4 for each GIS server machine in your site.
  6. Restart each GIS server machine in your site.

Configure ArcGIS Server to use the CA-signed certificate

Note:

The CRL Distribution Points (CDP) defined in the CA-signed certificate must be valid and accessible from the machine or machines hosting ArcGIS Server. If the CDP defined in the SSL certificate is invalid, or is inaccessible because of missing Internet access or because of network or firewall settings, publishing will fail in ArcGIS for Desktop. To work around this issue, follow the steps for the problem "I can't publish a service to an ArcGIS Server site that uses a CA-issued SSL certificate" in the Common problems and solutions topic.

Steps:
  1. Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin.
  2. Browse to machines > [machine name].
  3. Click edit.
  4. Enter the name of the SSL certificate that you want to use in the box for Web server SSL Certificate.
  5. Click Save Edits to apply your change.
  6. On the current page, view the property Web server SSL Certificate to verify that the desired SSL certificate will be used for SSL.

Configure each GIS server in your deployment

If you have a multi-machine deployment of ArcGIS Server, you must obtain and configure a CA-signed certificate for each GIS server that participates in your site.

Enable SSL for your site

Steps:
  1. Log in to the ArcGIS Server Administrator Directory: http://gisserver:6080/arcgis/admin.
  2. Navigate to security > config > update.
  3. For the Protocol parameter, choose the HTTPS Only option then click Update. Your ArcGIS Server site is automatically restarted. In a developer environment, you may also choose to use the HTTP and HTTPS option. With this option, users will be able to access ArcGIS Server through either HTTP or HTTPS.

Note:

If you are using the ArcGIS Web Adaptor with ArcGIS Server, you'll need to reconfigure it with your server. This will update the Web Adaptor's configuration to reflect the changes you made when enabling SSL on your site. For instructions, see Configuring the Web Adaptor after installation.

Access your site using SSL

Once SSL has been configured, ArcGIS Server listens on port 6443 for HTTPS requests. Use the URLs below to securely access ArcGIS Server:

ArcGIS Server Manager

https://gisserver:6443/arcgis/manager

ArcGIS Server Services Directory

https://gisserver:6443/arcgis/rest/services

Note:

If you rename ArcGIS Server while SSL is enabled, you can continue to access ArcGIS Server using SSL; however, you must generate a new SSL certificate and configure ArcGIS Server to use it.
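
An added example, not part of the Esri documentation: a Python check of the certificate served on port 6443 against three points this page makes, namely that the certificate name matches the host name in the URL clients use (the Common Name guidance and the rename note), that the validity period is not about to lapse, and that each CRL Distribution Point can be fetched from the server machine. The function names, the 30-day threshold and the sample certificate are assumptions made for the illustration.

```python
import socket, ssl, time, urllib.request
from urllib.parse import urlsplit

def fetch_peer_cert(url, timeout=10):
    """Handshake with chain and host-name verification; return getpeercert()."""
    u = urlsplit(url)
    ctx = ssl.create_default_context()  # trust anchors: Python's default store
    with socket.create_connection((u.hostname, u.port or 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=u.hostname) as tls:
            return tls.getpeercert()

def crl_reachable(cdp_url, timeout=10):
    """True if the CRL can be downloaded from this machine (HTTP CDPs only)."""
    try:
        with urllib.request.urlopen(cdp_url, timeout=timeout) as resp:
            return resp.status == 200
    except (OSError, ValueError):  # URLError/HTTPError are OSError subclasses
        return False

def cert_names(cert):
    """DNS subjectAltName entries, else the subject Common Name values."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v.lower() for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

def name_matches(host, pattern):
    if pattern.startswith("*."):  # a wildcard covers exactly one label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def review_cert(cert, url, now=None, min_days=30, crl_check=crl_reachable):
    """Return findings for the certificate served at url (empty list = clean)."""
    host = urlsplit(url).hostname
    now = time.time() if now is None else now
    findings = []
    if not any(name_matches(host, n) for n in cert_names(cert)):
        findings.append("name-mismatch: %s not in %s" % (host, cert_names(cert)))
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < min_days:
        findings.append("expiry: %d days left" % days_left)
    for cdp in cert.get("crlDistributionPoints", ()):
        if not crl_check(cdp):
            findings.append("crl-unreachable: %s" % cdp)
    return findings

SAMPLE_CERT = {  # constructed sample, shaped like SSLSocket.getpeercert() output
    "subject": ((("organizationName", "Esri"),), (("commonName", "www.gisserver.com"),)),
    "notAfter": "Dec 18 00:00:00 2015 GMT",
    "crlDistributionPoints": ("http://crl.example.test/ca.crl",),
}
```

On a GIS server machine, call review_cert(fetch_peer_cert(url), url) with the URL clients will use, for example https://gisserver:6443/arcgis/manager; a failed chain or host-name check surfaces as ssl.SSLError from fetch_peer_cert before any findings are produced.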

12/18/2014