Optional: Connecting to sites with certificates issued by unknown certificate authorities via HTTPS
Some organizations may have their own certificate authority (CA) or may have purchased a certificate from a commercial CA to avoid having multiple users go through the process of trusting a self-signed certificate.
The steps below will guide you through the process of using the Java Development Kit (JDK) keytool utility to add a new trusted certificate to GeoEvent Processor.
Prerequisites include the following:
- You will need access to a machine with the keytool utility.
Note:
This utility comes bundled with ArcGIS for Server and is located in [ArcGIS-Server-Install-Folder]/framework/runtime/jre/bin.
- Log in as a user with administrative privileges.
| Terms to replace | Description | Default values/Comments |
|---|---|---|
| [FullPathToCacertPemFile] | The full path to the cacert.pem file that contains the certificates you want to mark as trusted, including the cacert.pem file name | References the file created in step 1 below |
| [FullPathToCacertsFile] | The full path to the Java KeyStore file containing root certificates | Windows: [ArcGIS-Server-Install-Folder]\GeoEventProcessor\jre\lib\security\cacerts; Linux: [ArcGIS-Server-Install-Folder]/framework/runtime/jre/lib/security/cacerts |
| [KeystorePassword] | Keystore password | changeit |
- Gather the collection of trusted CA certificates you want to import into the GeoEvent Processor certificate store in any format supported by the keytool utility, and name this file cacert.pem.
Note:
The keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format or in printable encoding format (also known as Base64 encoding). In the latter case, the encoding must be bounded at the beginning by a string that starts with -----BEGIN and bounded at the end by a string that starts with -----END.
- Open a command prompt and issue the following commands:
cd [ArcGIS-Server-Install-Folder]/framework/runtime/jre/bin
keytool -import -file [FullPathToCacertPemFile] -alias [RootCertAlias] -keystore [FullPathToCacertsFile] -storepass [KeystorePassword] -trustcacerts
Note:
RootCertAlias is a label or tag the keystore will associate with your certificate.
Linux example: ./keytool -import -file ../certs/cacert.pem -alias MyCaAlias -keystore ~/arcgis/server/framework/runtime/jre/lib/security/cacerts -storepass changeit -trustcacerts
Windows example: keytool.exe -import -file ..\certs\cacert.pem -alias MyCaAlias -keystore "%ProgramFiles%\Arcgis\Server\GeoEventProcessor\jre\lib\security\cacerts" -storepass changeit -trustcacerts
- Restart the GeoEvent Processor service and try to register an ArcGIS for Server site, a Portal for ArcGIS site, or an HTTP transport that uses a certificate issued by the CA you just imported. If the import was successful, you should be able to consume content from sites whose certificates were issued by that CA.
Note:
Available keytool options can be viewed by executing the following commands from a command prompt:
keytool -import -help and keytool -help
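Each alias in the keystore holds one trusted certificate, so a cacert.pem that collects several CA certificates is best imported one certificate at a time, after its fingerprints have been checked against values obtained from the CA out of band. The script below is an added example, not Esri's code; the function names are hypothetical, and it assumes keytool is on the PATH and the keystore password is in the STOREPASS environment variable.

```shell
#!/bin/sh
# Added example, not Esri code. Function names are hypothetical.
# Assumes keytool is on PATH and STOREPASS holds the keystore password.

# split_pem_bundle BUNDLE OUTDIR
# Writes each -----BEGIN CERTIFICATE----- block to OUTDIR/cert-N.pem and prints
# the number of certificates found. Text outside the blocks is ignored.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# import_bundle BUNDLE KEYSTORE ALIAS_PREFIX
import_bundle() {
    workdir=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$1" "$workdir") || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        pem="$workdir/cert-$i.pem"
        # Show owner, issuer, validity dates and fingerprints so they can be
        # compared with the values the CA published before anything is trusted.
        keytool -printcert -file "$pem" || break
        printf 'Import as alias %s-%s? [y/N] ' "$3" "$i"
        read -r answer
        if [ "$answer" = "y" ]; then
            keytool -import -noprompt -trustcacerts -file "$pem" \
                -alias "$3-$i" -keystore "$2" -storepass "$STOREPASS" || break
        fi
        i=$((i + 1))
    done
    rm -rf "$workdir"
    # List what the keystore now holds under the chosen prefix.
    keytool -list -keystore "$2" -storepass "$STOREPASS" | grep -i "^$3-"
}

# Usage: sh import-ca-bundle.sh cacert.pem /path/to/cacerts MyCaAlias
if [ "$#" -eq 3 ]; then
    import_bundle "$@"
fi
```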