I am attempting to set up ArcGIS Enterprise on AWS, using ArcGIS Enterprise Cloud Builder. I am new to the installation/configuration process of ArcGIS Enterprise, although I've worked with ArcGIS Servers before and we do use other AWS services. I have acquired an SSL certificate for my anticipated domain, and I purchased that through Register.com / Network Solutions. After it was validated, I retrieved the certificate, which resulted in two .crt files, one of which is for the domain.
However, the "Configure Elastic IP Address (EIP)" step of ArcGIS Enterprise Cloud Builder for AWS requires a certificate in .pfx format.
I have done some searching, and the only pfx file generators I can find require both the certificate AND a private key, which I do not have.
I do not know how to proceed beyond this step. I have an SSL certificate, but it is in .crt format and I can't figure out how to convert it to the required .pfx format. As you can probably tell, I have little experience with SSL certificates. All of the SSL certificates I've dealt with in the past are configured and managed in AWS Certificate Manager, but it does not seem like that is an option for these EC2 instances that ArcGIS Enterprise would be hosted on.
Any advice would be appreciated. I have been stuck on this step for quite a while now.
Thank You
Where/how did you create your certificate signing request (CSR) that you submitted to register.com?
Typically the private key is generated when you create the CSR, and the combined signed certificate (public key) and private key can be converted to PFX using a number of different tools. If you used IIS to create the CSR, you can import the signed certificate then export the combined public/private keys as a PFX file directly.
I went to register.com, security, SSL security, and chose the basic organizational validation. I purchased it and I remember I had to set up SES with AWS so that the validation emails would come to me. I received a verification request that indeed I was requesting the certificate, and later I had to verify my phone number with register.com/Network Solutions (that required a call to their support). Once my phone number was verified, I received an email saying that the certificate was issued and finally an email stating that the SSL certificate had been issued. Once issued, I could log into register.com and download the certificate, which gives me a zip file that contains two files. One is RSAOrganizationValidationSecureServerCA.crt and the other one is my_domain_name.crt. That's the process as much as I can remember it anyway. The only thing I've been sent is the zip file with those two .crt files and I don't know what to do to get a pfx file and password from it. So any assistance is helpful. Thank you!
It looks like if your domain is hosted through register.com they generate the CSR for you, but otherwise they require a submitted CSR; on principle, the SSL certificate provider shouldn't have (or need) knowledge of the private key of your certificate. I would consider reaching out to their support to see if they can help you gain access to the private key, or walk through the process of rekeying the certificate with a new CSR. Once you have both the private and public key in hand you should be in good shape to convert to a PFX.
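The rekey-and-convert path this answer describes, sketched with OpenSSL as an added example (not code from the thread or from any poster). The host name `gis.example.com`, the file names, and the self-signing step that stands in for the CA's reissue are all constructed assumptions. The match check refuses to build a PFX from a key that did not produce the certificate.

```bash
#!/usr/bin/env bash
# Added example: generate key + CSR locally, then bundle the issued cert into a PFX.
set -euo pipefail

# Step 1: create the private key on your own machine and a CSR to submit for reissue.
make_key_and_csr() {  # $1 = work dir, $2 = FQDN (constructed placeholder)
  ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null )
  openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
}

# Stand-in for the CA (assumption): self-sign the CSR so the example runs offline.
# In practice the CA returns the .crt after you submit server.csr.
stand_in_issue() {  # $1 = work dir
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
    -days 30 -out "$1/server.crt" 2>/dev/null
}

# Step 2: a key belongs to a certificate only if their public keys are identical.
key_matches_cert() {  # $1 = key, $2 = cert
  local k c
  k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Step 3: bundle key + cert (+ optional CA chain file) into a PFX.
# The password is read from a file so it never appears in the process list.
make_pfx() {  # $1 = key, $2 = cert, $3 = out.pfx, $4 = password file, [$5 = chain .crt]
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" ${5:+-certfile "$5"} \
    -out "$3" -passout "file:$4"
}

# Demo in a throwaway directory; prints the number of certificates in the PFX.
demo() {
  local d; d=$(mktemp -d)
  make_key_and_csr "$d" gis.example.com
  stand_in_issue "$d"
  printf '%s\n' 'constructed-demo-password' > "$d/pass.txt"
  make_pfx "$d/server.key" "$d/server.crt" "$d/server.pfx" "$d/pass.txt"
  openssl pkcs12 -in "$d/server.pfx" -passin "file:$d/pass.txt" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
demo
```

With a CA-issued certificate, the intermediate file from the download (here `RSAOrganizationValidationSecureServerCA.crt`) goes in as the fifth argument to `make_pfx` so the chain is included in the PFX.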
The domain is not hosted at register.com (we use AWS S3) but the domain name was originally registered there. I'll contact their support and see what they say. I'll report back when I know something. Thanks for the guidance.
I did get a response from register.com about the SSL situation:
Based on your request, I am sorry to inform you that we do not give out our private keys. If you are using the SSL for a different server, the server should generate a Private Key. You would either have to reissue the SSL for this and submit a new CSR or convert the CRT format into PFX format. You can Google these steps for your guide.
I ended up installing using the AMI here so now I already have the EC2 server instance up and running, so I will try to get the private key from the server and proceed from there.