Optional: Connecting to sites with certificates issued by unknown certificate authorities via HTTPS

Some organizations may have their own certificate authority (CA) or may have purchased a certificate from a commercial CA to avoid having multiple users go through the process of trusting a self-signed certificate.

The steps below will guide you through the process of using the Java Development Kit (JDK) keytool utility to add a new trusted certificate to GeoEvent Processor.

Prerequisites include the following:

Terms to be used in the steps below

| Terms to replace | Description | Default values/Comments |
| --- | --- | --- |
| [FullPathToCacertPemFile] | The full path to the cacert.pem file that contains the certificates you want to mark as trusted, including the cacert.pem file name | Referencing the file created in step 1 below |
| [FullPathToCacertsFile] | The full path to the Java KeyStore file containing root certificates | Windows: [ArcGIS-Server-Install-Folder]\GeoEventProcessor\jre\lib\security\cacerts; Linux: [ArcGIS-Server-Install-Folder]/framework/runtime/jre/lib/security/cacerts |
| [KeystorePassword] | Keystore password | changeit |

Steps:
  1. Gather the collection of trusted CA certificates you want to import into the GeoEvent Processor certificate store in any format supported by the keytool utility, and name this file cacert.pem.
    Note:

    The keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format or in printable encoding format (also known as Base64 encoding). In the latter case, the encoding must be bounded at the beginning by a string that starts with -----BEGIN and bounded at the end by a string that starts with -----END.

  2. Open a command prompt and issue the following commands:

    cd [ArcGIS-Server-Install-Folder]/framework/runtime/jre/bin

    keytool -import -file [FullPathToCacertPemFile] -alias [RootCertAlias] -keystore [FullPathToCacertsFile] -storepass [KeystorePassword] -trustcacerts

    Note:

    RootCertAlias is a label or tag the keystore will associate with your certificate.

    Linux example: ./keytool -import -file ../certs/cacert.pem -alias MyCaAlias -keystore ~/arcgis/server/framework/runtime/jre/lib/security/cacerts -storepass changeit -trustcacerts

    Windows example: keytool.exe -import -file ..\certs\cacert.pem -alias MyCaAlias -keystore %ProgramFiles%\Arcgis\Server\GeoEventProcessor\jre\lib\security\cacerts -storepass changeit -trustcacerts

  3. Restart the GeoEvent Processor service and try to register ArcGIS for Server, Portal for ArcGIS, or HTTP Transport that uses a certificate issued by the CA you just imported. If the import was successful, you should be able to consume content from the site with certificates issued by the root certificate.
    Note:

    Available keytool options can be viewed by executing the following commands from a command prompt:

    keytool -import -help and keytool -help
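Every certificate imported into cacerts becomes a trust anchor for GeoEvent Processor's HTTPS connections, so it is worth confirming what cacert.pem contains before running step 2. The Python sketch below is an added example, not part of the original documentation: it lists each -----BEGIN/-----END block with its SHA-256 fingerprint and flags any block that is not an approved certificate. The function names, the sample bundle (placeholder bytes, not real certificates) and the approved list are constructed for illustration.

```python
import base64
import hashlib
import re

# One printable-encoded block: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_fingerprints(pem_text):
    """Return [(label, 'AA:BB:...')] for every BEGIN/END block, in file order."""
    found = []
    for label, body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        found.append((label, ":".join(digest[i:i + 2] for i in range(0, 64, 2))))
    return found


def unexpected_blocks(pem_text, approved):
    """Return blocks that are not certificates or not on the approved list."""
    approved = {fp.upper() for fp in approved}
    return [(label, fp) for label, fp in pem_fingerprints(pem_text)
            if label != "CERTIFICATE" or fp not in approved]


def to_pem(der):
    """Wrap raw bytes in certificate BEGIN/END lines (used to build the sample)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample input: placeholder bytes, NOT real certificates.
SAMPLE_DER_A = b"constructed placeholder for the CA certificate you expect"
SAMPLE_DER_B = b"constructed placeholder for an extra, unreviewed certificate"
SAMPLE_BUNDLE = to_pem(SAMPLE_DER_A) + to_pem(SAMPLE_DER_B)

# Assumption: in practice this list comes from the CA through a separate channel.
APPROVED = [pem_fingerprints(to_pem(SAMPLE_DER_A))[0][1]]

if __name__ == "__main__":
    for label, fp in pem_fingerprints(SAMPLE_BUNDLE):
        print(label, "SHA256:", fp)
    for label, fp in unexpected_blocks(SAMPLE_BUNDLE, APPROVED):
        print("NOT APPROVED, do not import:", label, fp)
```

To check a real bundle, pass the text of cacert.pem to pem_fingerprints; the colon-separated value is the same SHA-256 fingerprint format that keytool -printcert -file reports for a certificate.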
3/19/2014