topic Self-signed certificate for ArcGIS Server not trusted in ArcGIS Enterprise Questions

Self-signed certificate for ArcGIS Server not trusted

StephanieSnider — Tue, 22 Jan 2013 16:58:09 GMT

ArcGIS Server 10.1 SP 1
Windows 64-bit OS: Windows Server 2008 R2 Standard, Service Pack 1

I enabled SSL on ArcGIS Server following these instructions. http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_on_ArcGIS_Server_when_accessed_through_the_ArcGIS_Web_Adaptor/015400000600000000/

This internal website works https://ndep-25/arcgis/rest/services, but I get an error in Internet Explorer (and other browsers) that the website's security certificate is not trusted. I also see a warning about an untrusted certificate when I make an administrative connection to ArcGIS Server in ArcCatalog using https://ndep-25:6443/arcgis/admin. If I click Yes to continue through the warning messages, the website and connection works. However, I feel this is not really good.

I've tried installing the certificate using the default settings suggested by the browser or ArcCatalog, but that still doesn't make the certificate trusted and I continue to get a warning message that the security certificate is not issued by a trusted certificate authority.

Are these warning messages normal? Shouldn't a self-signed certificate that was created using ArcGIS Server be recognized by ArcCatalog as a trusted certificate in order to connect to map services?

[ATTACH=CONFIG]20959[/ATTACH]

Re: Self-signed certificate for ArcGIS Server not trusted

RichardWatson — Tue, 22 Jan 2013 21:20:36 GMT

If you want a trusted certificate then I think that you need to install a certificate generated by a certificate authority such as Verisign.

Let's say that I create a website with a self-signed certificate and you browse to it. Should you get a warning? I think so because you don't know me. If however, you went through an authority then they are responsible for validating that you are who you say you are.

Does that make sense?

Re: Self-signed certificate for ArcGIS Server not trusted

StephanieSnider — Tue, 22 Jan 2013 22:46:01 GMT

I think it does. Here's my reasoning and correct me if I'm wrong. It appears that a self-signed certificate generated by ArcGIS Server is enough to enable SSL on the GIS Web Server (https://ndep-25:6443/arcgis/rest/services). Then a certificate issued by a CA is required in order to enable SSL through IIS, using the web adaptor (https://ndep-25/arcgis/rest/services). Does that sound correct?

Re: Self-signed certificate for ArcGIS Server not trusted

RichardWatson — Wed, 23 Jan 2013 11:09:20 GMT

Here is an article on Enabling SSL using a new CA-signed certificate:

http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_using_a_new_CA_signed_certificate/0154000005wr000000/

What this discusses is installing CA-signed certificates on the GIS server(s).

Here is a discussion about the web adaptor:

http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_on_ArcGIS_Server/0154000005q0000000/http://

If you install a CA-signed certificate then you should not get browser warnings.

Re: Self-signed certificate for ArcGIS Server not trusted

StephanieSnider — Wed, 23 Jan 2013 19:32:35 GMT

We were trying to avoid having to purchase a CA certificate (for our internal domain), but it appears we will need to. Thanks for your help!

Re: Self-signed certificate for ArcGIS Server not trusted

AlinaTaus — Thu, 27 Jun 2013 18:45:44 GMT

Stephanie,

Were you able to get this solved without having to purchase a CA-signed certificate for the GIS Server? I am in the exact same situation...

Thank you!

Alina

Re: Self-signed certificate for ArcGIS Server not trusted

StephanieSnider — Mon, 01 Jul 2013 16:28:46 GMT

We have the ability to make organizational trusted certificates which are not really like self-signed but work more like a CA-trusted certificate on computers internal to our network. All the client machines in our network have a trusted certificate assoicated with Internet Explorer that recognize our organizational certificates for various servers. We had a difficult time creating the internal certificate so that ArcGIS Server would recognize it. Our IT security group had to submit a base-64 encoded request using the CSR generated request. They downloaded the certificate with its entire chain. We imported the machine certificate first, then the root and intermediate certificates.

So I guess my answer is that it does indeed need to be a trusted certificate - CA trusted or internal domain trusted. The map services work fine with a self-signed certificate using SSL and token based authentication. But my Silverlight web maps would not accept the map services until the ArcGIS Server machine had a trusted certificate.