Optional: Replacing the ArcGIS GeoEvent Processor for Server self-signed certificate

Some organizations may have their own certificate authority (CA) or have purchased a certificate from a commercial CA to avoid having multiple users go through the process of trusting a self-signed certificate.

The steps below will guide you through replacing the ArcGIS GeoEvent Processor for Server self-signed certificate.

Prerequisites include the following:

Default/Expected Values

  Location of Java KeyStore containing certificate:
    Windows: %ProgramData%\ESRI\GeoEventProcessor\certs\geoEventSSLCertificate.jks
    Linux: ~/.esri/GeoEventProcessor/config.[HOST-NAME].esri.com.10.2/certs/geoEventSSLCertificate.jks

  Alias for certificate and private key: geoEventCertificate

  Keystore password: changeit

Steps:
  1. To create a new keystore, open the command prompt and run the following command.

    keytool -genkey -alias geoEventCertificate -keyalg RSA -keysize 2048 -keystore geoEventSSLCertificate.jks

  2. When prompted for the keystore password, type changeit.
  3. When prompted for your first and last name, type the domain that clients will use to connect to your server. The fully qualified domain is preferred.
  4. At the end, when prompted for the key password for <geoEventCertificate>, press Enter to use the same password as the keystore.
  5. To create the Certificate Signing Request (CSR) that will be sent to a CA, issue the following command:

    keytool -certreq -alias geoEventCertificate -keyalg RSA -file geoEventCertRequest.csr -keystore geoEventSSLCertificate.jks

  6. When prompted for a password (and all future passwords), type changeit.

    After the command exits, you will have a file named geoEventCertRequest.csr whose first line will be -----BEGIN NEW CERTIFICATE REQUEST-----, and the last line will be -----END NEW CERTIFICATE REQUEST-----.

  7. Send this request to your CA and get a certificate in return.
  8. After you get your certificate back from the CA, you will need to import it and the other certificates required by your CA into the .jks file.
  9. You should receive a file with extension .cer or .p7b.

    Each CA is slightly different, but it is usually a text file with contents that begin with the line -----BEGIN CERTIFICATE----- and end with the line -----END CERTIFICATE-----.

  10. If the CA has intermediate authorities, make sure to import those into the geoEventSSLCertificate.jks file by issuing a command similar to the following:

    keytool -import -alias rootCA -file Root.cer -keystore geoEventSSLCertificate.jks -trustcacerts

    You will need to provide a unique value for the -alias parameter and the appropriate path for the -file parameter for every certificate you import.

  11. After you have imported all of the intermediate CAs, import your HTTPS certificate with the following command:

    keytool -import -alias geoEventCertificate -file geoEventCert.cer -keystore geoEventSSLCertificate.jks

    You will need to change the value of the -file parameter to fit your environment.

  12. Shut down ArcGIS GeoEvent Processor for Server and back up the old geoEventSSLCertificate.jks file, and replace it with the one you just created. You will then need to restart the ArcGIS GeoEvent Processor service using the Windows Services console.
  13. Using Internet Explorer, open GeoEvent Processor Manager and confirm that no warnings or certificate errors display in your browser.
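
A check that can be run on the new keystore before the swap in step 12, as an added example that is not part of the original Esri page: it reads `keytool -list -v` output and confirms that the alias holds a private key, that the certificate is no longer self-signed, and that its CN matches the name entered in step 3. The function name check_listing, the host gis.example.com and the abbreviated sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Esri code). Real use, before step 12:
#   keytool -list -v -keystore geoEventSSLCertificate.jks | check_listing geoEventCertificate gis.example.com
check_listing() {   # $1 = alias, $2 = host name typed in step 3 (assumed to be the CN)
    awk -v want="$1" -v host="$2" '
        BEGIN { want = tolower(want) }   # keytool lists JKS aliases in lower case
        /^Alias name: / { cur = tolower(substr($0, 13)) }
        cur != want { next }             # ignore every other entry
        /^Entry type: / { type = $3 }
        /^Certificate chain length: / { chain = $4 }
        /^Owner: /  && owner  == "" { owner  = substr($0, 8) }   # first cert in the chain
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            cn = owner; sub(/^CN=/, "", cn); sub(/,.*$/, "", cn)
            if (type == "") { print "FAIL: alias not found"; exit 1 }
            if (type != "PrivateKeyEntry") { print "FAIL: no private key under alias (" type ")"; exit 1 }
            if (owner == issuer) { print "FAIL: certificate is still self-signed"; exit 1 }
            if (tolower(cn) != tolower(host)) { print "FAIL: CN " cn " does not match " host; exit 1 }
            print "OK: CA-issued certificate for " cn ", chain length " chain
        }'
}

# Constructed, abbreviated sample listings (not output from a real server).
SAMPLE_SELF_SIGNED='Alias name: geoeventcertificate
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=gis.example.com, OU=GIS, O=Example, C=US
Issuer: CN=gis.example.com, OU=GIS, O=Example, C=US'

SAMPLE_CA_SIGNED='Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US

Alias name: geoeventcertificate
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=gis.example.com, OU=GIS, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US'

printf '%s\n' "$SAMPLE_CA_SIGNED"   | check_listing geoEventCertificate gis.example.com
printf '%s\n' "$SAMPLE_SELF_SIGNED" | check_listing geoEventCertificate gis.example.com || true
```

keytool localizes its output, so the patterns assume an English locale. A trustedCertEntry under the geoEventCertificate alias means the CA reply was imported into a keystore that does not hold the private key from step 1.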

Proceed to Optional: Connecting to sites with certificates issued by unknown certificate authorities via HTTPS.

3/19/2014