Enabling SSL using a self-signed certificate

This tutorial shows how to enable SSL for ArcGIS Server using a self-signed certificate. The process consists of the following steps:

Create a new self-signed certificate

Steps:
  1. Log in to the ArcGIS Server Administrator Directory: http://gisserver.domain.com:6080/arcgis/admin.
  2. Navigate to machines > [machine name] > sslcertificates.
  3. Click generate.
  4. Enter values for the parameters on this page:

    Alias: A unique name that easily identifies the certificate.

    Key Algorithm: Use RSA (the default) or DSA.

    Key Size: Specifies the size in bits to use when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For DSA, the key size can be between 512 and 1,024. For RSA, the recommended key size is 2,048 or greater.

    Signature Algorithm: Use the default (SHA1withRSA). If your organization has specific security restrictions, then one of the following algorithms can be used for DSA: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withDSA.

    Common Name: Use the domain name of your server as the common name.

      If your server will be accessed on the Internet through the URL https://www.gisserver.com:6443/arcgis/, use www.gisserver.com as the common name.

      If your server will only be accessible on your local area network (LAN) through the URL https://gisserver.domain.com:6443/arcgis, use gisserver as the common name.

    Organizational Unit: The name of your organizational unit, for example, GIS Department.

    Organization: The name of your organization, for example, Esri.

    City or Locality: The name of the city or locality, for example, Redlands.

    State or Province: The full name of your state or province, for example, California.

    Country Code: The abbreviated code for your country, for example, US.

    Validity: The total time in days during which this certificate will be valid, for example, 365.

    Subject Alternative Name: The subject alternative name (SAN) is an optional parameter that defines alternatives to the common name (CN) specified in the SSL certificate. If no SAN is defined, a web site can only be accessed (without SSL certificate errors) by using the common name in the URL. Using SAN, an SSL certificate allows the use of different URLs to access the same web site. For example, the URLs https://www.esri.com, https://esri, and https://10.60.1.16 can be used to access the same site if the SSL certificate is created using the following parameter values:

      CN=www.esri.com

      SAN=DNS:esri, IP:10.60.1.16

  5. Click Generate to generate the certificate.
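
The following is an added example, not part of the original tutorial or of ArcGIS Server: a pre-flight check that parses a Subject Alternative Name value in the form shown above and reports which URLs the planned certificate would cover. It assumes the rule described in this tutorial (the common name is accepted alongside the SAN entries) and exact, case-insensitive name matching with no wildcard support; the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def parse_san(san):
    """Parse a SAN value such as 'DNS:esri, IP:10.60.1.16' into (dns_names, ip_addresses)."""
    dns, ips = set(), set()
    for entry in filter(None, (e.strip() for e in san.split(","))):
        kind, sep, value = entry.partition(":")   # split on the first ':' so IPv6 values survive
        kind, value = kind.strip().upper(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed SAN entry: {entry!r}")
        if kind == "DNS":
            dns.add(value.lower().rstrip("."))
        elif kind == "IP":
            ips.add(ipaddress.ip_address(value))  # raises ValueError on a bad address
        else:
            raise ValueError(f"unsupported SAN type: {kind!r}")
    return dns, ips


def url_matches(url, common_name, san=""):
    """True if the host in `url` is named by the CN or by a SAN entry."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    dns, ips = parse_san(san)
    # Assumption taken from the tutorial: the CN counts as an accepted name.
    dns.add(common_name.lower().rstrip("."))
    try:
        # An IP literal in the URL can only match an IP: entry, never a DNS name.
        return ipaddress.ip_address(host) in ips
    except ValueError:
        return host.lower().rstrip(".") in dns


def uncovered(urls, common_name, san=""):
    """Return the URLs that would produce a certificate name error."""
    return [u for u in urls if not url_matches(u, common_name, san)]


if __name__ == "__main__":
    # Constructed sample: the CN/SAN values from the tutorial plus two URLs that are not covered.
    planned = ["https://www.esri.com", "https://esri", "https://10.60.1.16",
               "https://esri.com", "https://10.60.1.17:6443/arcgis"]
    print(uncovered(planned, "www.esri.com", "DNS:esri, IP:10.60.1.16"))
```
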

Configure ArcGIS Server to use the SSL certificate

To specify the SSL certificate that ArcGIS Server should use:

Steps:
  1. Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin.
  2. Browse to machines > [machine name].
  3. Click edit.
  4. Enter the name of the SSL certificate that you want to use in the box for Web server SSL Certificate.
  5. Click Save Edits to apply your change.
  6. On the current page, view the property Web server SSL Certificate to verify that the desired SSL certificate will be used for SSL.

Configure each GIS server in your deployment

If you have a multiple-machine deployment of ArcGIS Server, you must create a new self-signed certificate for each GIS server that participates in your site and configure that GIS Server to use the certificate.

Enable SSL for your site

Steps:
  1. Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin.
  2. Browse to security > config > update.
  3. For the Protocol parameter, choose the HTTP and HTTPS option and click Update. This will automatically restart your ArcGIS Server site.
  4. After your site is restarted, verify that you are able to access the URL https://gisserver.domain.com:6443/arcgis/admin. If you do not get a response from this URL, ArcGIS Server was unable to use the specified SSL certificate. Check your SSL certificate and configure ArcGIS Server to use a new or different SSL certificate.
  5. If you are able to access the URL https://gisserver.domain.com:6443/arcgis/admin, browse to security > config > update.
  6. For the Protocol parameter, choose the HTTPS Only option and click Update.
Note:

It takes the Web Adaptor one minute to recognize changes to the communication protocol of your site.

Legacy:

In previous versions, you were required to reconfigure the ArcGIS Web Adaptor after updating the communication protocol of ArcGIS Server. At 10.2.2, this is no longer necessary.

Access your site using SSL

Once SSL has been configured, ArcGIS Server listens on port 6443 for HTTPS requests. Use the URLs below to securely access ArcGIS Server:

ArcGIS Server Manager

https://gisserver.domain.com:6443/arcgis/manager

ArcGIS Server Services Directory

https://gisserver.domain.com:6443/arcgis/rest/services

Note:

If you rename ArcGIS Server while SSL is enabled, you can continue to access ArcGIS Server using SSL; however, you must generate a new SSL certificate and configure ArcGIS Server to use it.

Import the certificate into the OS certificate store

For ArcGIS services such as the PrintingTools service to work with an SSL-enabled ArcGIS Server, the server's SSL certificate must be installed as a trusted certificate:

Steps:
  1. Log in to the ArcGIS Server Administrator Directory.
  2. Browse to machines > [machine name] > sslcertificates.
  3. Click the SSL certificate being used by ArcGIS Server and click export. Save the file to a location on your computer.
  4. Open Certificate Manager. You can do this by clicking the Start button, typing certmgr.msc into the search box, and pressing the Enter key.
  5. In the Certificate Manager window, click Trusted Root Certification Authorities and click Certificates.
  6. On the top menu, click Action and select All Tasks > Import.
  7. On the Certificate Import Wizard dialog box, click Next and follow the instructions in the wizard to import the certificate.
  8. Repeat the above steps for each GIS server in your site.
9/1/2015