- Create a new self-signed certificate
- Request a CA to sign your certificate
ArcGIS Serverto use the CA-signed certificate
- Configure each
ArcGIS Servermachine in your deployment
- Import the CA root certificate into the OS certificate store
- Configure HTTPS for your site
- Access your site using HTTPS
This topic shows you how you can configure HTTPS for ArcGIS Server using a certificate signed by a Certificate Authority (CA). The steps to configure HTTPS using a CA-signed certificate are as follows:
- Create a self-signed certificate.
- Request a CA to sign your certificate.
- Configure ArcGIS Server site to use the CA-signed certificate.
- Configure each ArcGIS Server in your deployment.
- Import the CA root certificate into the OS certificate store
- Configure HTTPS for your site.
- Access your site using HTTPS.
Create a new self-signed certificate
- Log in to the ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin.
- Browse to machines > [machine name] > sslcertificates.
- Click generate.
- Provide values for the parameters on this page:
A unique name that easily identifies the certificate.
Use RSA (the default) or DSA.
Specifies the size in bits to use when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For DSA, the key size can be between 512 and 1,024. For RSA, the recommended key size is 2,048 or greater.
Use the default (SHA1withRSA). If your organization has specific security restrictions, then one of the following algorithms can be used for DSA: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withDSA.
Use the domain name of your server name as the common name.
If your server will be accessed on the Internet through the URL https://www.gisserver.com:6443/arcgis/, use www.gisserver.com as the common name.
If your server will only be accessible on your local area network (LAN) through the URL https://gisserver.domain.com:6443/arcgis, use gisserver.domain.com as the common name.
The name of your organizational unit, for example, GIS Department.
The name of your organization, for example, Esri.
City or Locality
The name of the city or locality, for example, Redlands.
State or Province
The full name of your state or province, for example, California.
The abbreviated code for your country, for example, US.
The total time in days during which this certificate will be valid, for example, 365.
Subject Alternative Name
The subject alternative name (SAN) is an optional parameter that defines alternatives to the common name (CN) specified in the certificate. There cannot be any spaces in the SAN parameter value.
If no SAN is defined, a website can only be accessed (without certificate errors) by using the common name in the URL. If a SAN is defined and a DNS name is present, the website can only be accessed by what is listed in the SAN. Multiple DNS names can be specified if desired. For example, the URLs https://www.esri.com, https://esri, and https://10.60.1.16 can be used to access the same site if the certificate is created using the following SAN parameter value:
- Click Generate to generate the certificate.
Request a CA to sign your certificate
For web browsers to accept your certificate as a trusted certificate, it must be verified and countersigned by a well-known Certificate Authority such as Verisign or Thawte.
- Open the self-signed certificate you created in the previous section, and click generateCSR. Copy the contents into a file, usually with a .csr extension.
- Submit the CSR to a CA of your choice. You may obtain a Distinguished Encoding Rules (DER) or Base64 encoded certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, they'll send you a .crt or .cer file.
- Save the signed certificate received from the CA to a location on your computer that you can access from ArcGIS Server Administrator Directory. In addition to the signed certificate, the CA will also issue a root certificate. Save the CA root certificate to your computer.
- Log in to the ArcGIS Server Administrator Directory: https://gisserver.domain.com:6443/arcgis/admin.
- Click machines > [machine name] > sslcertificates > importRootOrIntermediate to import the root certificate provided by the CA. If the CA issued any additional intermediate certificates, import those as well.
- Navigate to machines > [machine name] > sslcertificates.
- Click the name of the self-signed certificate that you submitted to the CA.
- Click importSignedCertificate, and browse to the location where you saved the signed certificate received from the CA.
- Click Submit. This replaces the self-signed certificate you created in the previous section with the CA-signed certificate.
Configure ArcGIS Server to use the CA-signed certificate
- Log in to the ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin. Replace gisserver.domain.com with the fully qualified name of the machine where ArcGIS Server is installed.
- Browse to machines > [machine name].
- Click edit.
- Type the name of the signed certificate in the Web server SSL Certificate field. The name you specify should match the alias of the self-signed certificate that was replaced with the CA-signed certificate in the previous section.
- Click Save Edits to apply your changes. This automatically restarts your ArcGIS Server site.
- After your site has restarted, verify that you can access the URL https://gisserver.domain.com:6443/arcgis/admin. If you do not get a response from this URL, ArcGIS Server was unable to use the specified SSL certificate. Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin, check your SSL certificate, and configure ArcGIS Server to use a new or different certificate.
- On the current page, view the property Web server SSL Certificate to verify that the desired certificate will be used for HTTPS.
Configure each ArcGIS Server machine in your deployment
If you have a multiple-machine deployment of ArcGIS Server, you must obtain and configure a CA-signed certificate for each ArcGIS Server machine that participates in your site.
Import the CA root certificate into the OS certificate store
- On the machine hosting ArcGIS Server, open the init_user_param.sh script in a text editor by navigating to the <ArcGIS Server installation directory>/arcgis/server/usr directory.
- Locate the line export CA_ROOT_CERTIFICATE_DIR=<Location_to_CA_Root_Certificate>, and specify a location where all CA root certificates are stored on the system. Note that the specified directory needs to be accessible by the account that was used to install ArcGIS Server. You need to uncomment the lines by removing the pound sign [#] characters.
- Save and close the init_user_param.sh script.
- Repeat steps 1-3 for each ArcGIS Server machine in your site.
- Restart ArcGIS Server on each machine. You can do this by running the startserver.sh script on each machine.
Configure HTTPS for your site
- Verify that you can access the URL https://gisserver.domain.com:6443/arcgis/admin. If you do not get a response from this URL, ArcGIS Server was unable to use the specified certificate. Check your certificate, and configure ArcGIS Server to use a new or different certificate.
- If you can access the URL https://gisserver.domain.com:6443/arcgis/admin, browse to security > config > update.
- For the Protocol parameter, choose the HTTPS Only option, and click Update.
Access your site using HTTPS
Once HTTPS has been configured, ArcGIS Server listens on port 6443 for HTTPS requests. Use the URLs below to securely access ArcGIS Server:
ArcGIS Server Manager
ArcGIS Server Services Directory