
Enterprise Automated TLS Certificate renewal

a month ago
Status: Open
ThomasHoman
Frequent Contributor

Hello,

The guiding entities of the Internet have embarked on a timeline to reduce TLS Certificate lifetimes from 398 to 47 days by March 2029. ESRI needs to be ready to embrace this with automated certificate management tools. Much like the ACME tools commonly discussed with Let's Encrypt certificate deployments. This will help unburden administration staff where possible.

https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days 

Respectfully

Tom

8 Comments
AndrewFarrar

Thank you for posting this. It is such a drastic change, and even though there are automated methods for cert renewal, installation, etc., the full process is certainly not there when it comes to specific applications and appliances, ESRI included. We'll have to see how all of this shakes out.

SamLibby

Thanks for sharing this, it's indeed a pretty significant change. An important recommendation here is a reminder that ArcGIS Enterprise administrators can simplify their lives substantially by only applying this guidance and automation to their reverse proxy or load balancer, all client traffic routed through that endpoint would then be able to benefit from automated certificate management, and likely the software + cloud providers will have good patterns for managing cert renewal on those endpoints by that time (and already do in many cases). Applying and re-applying CA-signed and trusted certs to backend endpoints that users do not interact with is comparatively not as critical, and that distinction between 6443 + 7443 + other endpoints is important.

Some users may have "end to end trust" requirements where they need every communication to be through a trusted, valid cert, but this is more uncommon in my experience. 

ThomasHoman

@AndrewFarrar agreed. Just trying to make sure all know change is coming. As you say, with specific applications we are looking at the need to replace a few that have onerous certificate updates, our SFTP server being one of them, where the binding is made manually deep inside the application.

@SamLibby You bring up a very good point in that it is largely the external-facing components that will need the management. Is the implication that the back-end certs could operate under self-signed certs or something else? I thought the Enterprise Deployment class suggested self-signed could be used for testing but that valid certs should be used for production. Thanks for any clarification you can provide.

SamLibby

@ThomasHoman My recommendation is to use self-signed certificates for backend components (i.e. the 6443/7443 listeners of a GIS Server / Portal site) as they are not client-facing. If organizational or regulatory standards require those to be updated to CA-signed and valid certs, then that is a lot of additional management.

I do not know the content of the course you referred to, but I would say that my opinion is that statement is correct for the external-facing certs, not "all" certs. There are mostly opinions, not cut and dry facts here, unfortunately. 
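As an added illustration of the edge-versus-backend distinction discussed above (example code, not part of this thread or of any Esri tool): a small policy check that takes certificate data in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns after a verified handshake, and flags a client-facing (443) endpoint for self-signed or over-long certificates while only tracking expiry on the 6443/7443 backend listeners. The 47-day figure comes from the DigiCert timeline linked in the post; the renewal threshold, the port-to-role map and the sample inventory are assumptions constructed for the example.

```python
import ssl
from datetime import datetime, timezone

# Policy values assumed for this example: 47 days is the target lifetime from the
# linked DigiCert timeline; the renewal threshold is a constructed choice, not Esri guidance.
MAX_LIFETIME_DAYS = 47
RENEW_AT_DAYS = 15
# Role per port, as discussed in the thread: 443 is the client-facing reverse proxy,
# 6443/7443 are the GIS Server / Portal backend listeners.
ROLE_BY_PORT = {443: "edge", 6443: "backend", 7443: "backend"}
# Constructed reference date so the sample run is reproducible.
REFERENCE_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


def _rdn_to_dict(rdns):
    """Flatten the nested RDN tuples that ssl.SSLSocket.getpeercert() returns."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def evaluate_cert(cert, port, now=None):
    """Check one getpeercert()-style dict against the policy.

    Returns (role, days_left, self_signed, findings). Trust and lifetime rules apply
    to the edge role only; imminent expiry is flagged everywhere, because an expired
    backend cert still breaks federation even though users never see it.
    """
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    lifetime, days_left = (not_after - not_before).days, (not_after - now).days
    self_signed = _rdn_to_dict(cert["subject"]) == _rdn_to_dict(cert["issuer"])
    role = ROLE_BY_PORT.get(port, "edge")  # unknown ports are treated as client-facing
    findings = []
    if role == "edge" and self_signed:
        findings.append("self-signed certificate on a client-facing endpoint")
    if role == "edge" and lifetime > MAX_LIFETIME_DAYS:
        findings.append(f"lifetime {lifetime}d exceeds the {MAX_LIFETIME_DAYS}d limit")
    if days_left <= RENEW_AT_DAYS:
        findings.append(f"renew now: {days_left}d of validity left")
    return role, days_left, self_signed, findings


# Constructed sample inventory of (port, getpeercert()-shaped dict); not real certificates.
SAMPLE_ENDPOINTS = [
    (443, {"subject": ((("commonName", "gis.example.com"),),),
           "issuer": ((("commonName", "Example Corp Issuing CA"),),),
           "notBefore": "Apr 20 00:00:00 2026 GMT", "notAfter": "Jun 06 00:00:00 2026 GMT"}),
    (6443, {"subject": ((("commonName", "gisserver.internal"),),),
            "issuer": ((("commonName", "gisserver.internal"),),),
            "notBefore": "Jan 01 00:00:00 2026 GMT", "notAfter": "Jan 01 00:00:00 2029 GMT"}),
]

if __name__ == "__main__":
    for port, cert in SAMPLE_ENDPOINTS:
        print(port, evaluate_cert(cert, port, REFERENCE_NOW))
```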

BillFox

A few references:

Portal for ArcGIS 11.3 system requirements

https://enterprise.arcgis.com/en/system-requirements/11.3/windows/portal-for-arcgis-system-requireme...

SSL certificates

Portal for ArcGIS is configured with a self-signed server certificate, which allows you to do initial testing of the portal and helps you quickly verify that your installation was successful. You must request a certificate from a trusted certificate authority (CA) and configure the portal to use it. The certificate can be signed by a corporate (internal) or commercial CA.

You must configure each applicable ArcGIS component in your organization with a certificate from a corporate or commercial CA. Common examples include ArcGIS Web Adaptor and ArcGIS Server. For example, ArcGIS Server includes a configured self-signed certificate. If you'll be federating the ArcGIS Server site with your portal, it's very important that you request a CA-signed certificate and configure the ArcGIS Server site and web adaptor to use it.

For more information, see Security best practices.

https://enterprise.arcgis.com/en/portal/11.3/administer/windows/security-best-practices.htm#ESRI_SEC...

"It's imperative that you use a CA-signed certificate to fully test and deploy your portal."

ZachBodenner

Yes please, renewing certs is annoying now, and will be such an important and regular workflow in the future that any help would be really important.

SimonSchütte_ct

@BillFox ...and to cite the ArcGIS Enterprise Hardening Guide (p.54):

"Basic: Implement Signed CA Certificates
Initial deployments of ArcGIS Enterprise edge components (Portal for ArcGIS and ArcGIS Server) are
configured to use HTTPS through self-signed certificates generated at installation time. Self-signed
certificates are sufficient for development and basic testing, but production deployments must use
certificates signed by a certificate authority (CA)"