What type of Cert do I need for Portal?

03-06-2019 06:45 AM
AdamBauer2
New Contributor II

We are in the process of setting up an internal only install of Portal and running into SSL issues.  We are a tiny organization and our IT consists of a total of 6 people and that includes myself, the media tech, and 4 people who actually do IT.  We have no internal domain CA and our one Networking guy (who is new) doesn't really have any SSL experience.   We are currently looking at certs online and there is a large variety in levels and costs.  The installation instructions make it clear about needing a cert but I didn't really see anything that talks about exactly what kind of cert I would need.  We tried talking to the company that we get our website cert from and they were trying to say that we needed a cert that was going to cost in the 700 range.  That seems excessive for a site that is accessible only from in our network.  Can somebody who knows a bit more about certs give me a little more explanation about what kind of cert it is that I need to be purchasing?

4 Replies
JonEmch
Esri Regular Contributor

Hello Adam,

I would like to preface my answer with a disclaimer: I know that this answer is not overly technical, but this is by design. As you mentioned, there are many network considerations that your organization has to consider before finding the best fit. I have done my best to include empirical knowledge from past experiences that have worked in the past, but please make sure that you consult with your IT before implementing these solutions.

Certificates are a very important part of the overall deployment. They not only deal with the security of the transactions between clients and servers, but also ensure that traffic between Esri products stays encrypted and not tampered with. To answer your question:

  1. There are two types of certificates that are viable options for you to use: Certificate Authority (CA) signed certificates, and Domain signed certificates. The latter is a certificate you obtain from outside your organization, while the domain signed certificate is used within an organization's network. The Domain certificate is set up by your IT organization, and can validate any internal websites. These are restricted to internal use only.
  2. From your description, it seems that both options are viable. While buying a certificate from a CA will quickly resolve this issue, having a Domain Signed cert will allow you to generate an unlimited amount of certificates for use in your internal network.
  3. $700 is a bit steep for a certificate; I would follow up on that with your provider.
  4. There are a few documents I am going to link here that should help you:
    1. ArcGIS and SSL Considerations
    2. Understanding SSL Certificates for ArcGIS Server and Portal for ArcGIS
    3. Import a certificate into the portal
  5. Lastly, one of the more important technical aspects of the certificate is the Subject Alternative Name field (SAN). Without this field, Chrome will not allow proper operation of the certificate. Please make sure to include these.

If you have any questions, I will be more than happy to assist in any way I can.

Keep on keeping on!
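The Subject Alternative Name requirement in point 5 of the reply above, as an added example that is not part of the original post or of Esri's documentation: shell functions that use `openssl` to create a private key and a CSR whose SAN lists the Portal host names, then confirm the field is present before the request is sent to an internal or commercial CA. The host names `portal.example.internal` and `portal`, the file names, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a CSR that carries a Subject Alternative Name (SAN)
# and verify the SAN before submitting the CSR to a CA.
# All host names and file names below are constructed placeholders.

# make_csr <outdir> <fqdn> [additional DNS names...]
# Runs in a subshell so umask and variables do not leak to the caller.
make_csr() (
  outdir=$1; fqdn=$2; shift 2
  san="DNS:${fqdn}"
  for name in "$@"; do san="${san},DNS:${name}"; done
  umask 077                      # private key readable by owner only
  cat > "${outdir}/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = ${fqdn}
[v3_req]
subjectAltName = ${san}
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "${outdir}/portal.key" -out "${outdir}/portal.csr" \
    -config "${outdir}/csr.cnf"
)

# csr_has_san <csr-file> <dns-name>
# Returns 0 only if the CSR's SAN extension lists exactly that DNS name.
csr_has_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
    | grep -qxF "DNS:$2"
}

# Demo run in a scratch directory
workdir=$(mktemp -d)
if make_csr "$workdir" portal.example.internal portal \
   && csr_has_san "$workdir/portal.csr" portal.example.internal; then
  echo "CSR in $workdir carries the expected SAN"
fi
```

List every name users will type into the browser (fully qualified name, short name, any alias), since the browser matches the URL host against the SAN entries.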
AdamBauer2
New Contributor II

Hi Jon,

I understand the importance of security and also the difference between an internal and external generated cert.  I was more confused about what level of outside CA would be needed.  Just looking at DigiCert for example I can get a cert ranging from standard, to EV, to Multi-Domain, to Wildcard with prices ranging from $188 to $625 a year.  Other sites also have different levels and range from as low as $30 to well over $1000 a year.  I would think that since this cert is pretty much only to get the browsers to stop complaining about an untrusted site any standard or lowest level cert would work.

JonEmch
Esri Regular Contributor

Hello Adam,

I completely understand the frustration with the variety of certificates offered out there. To help explain a bit better, I would suggest reading over this article which goes over different types of Certificates available to you.

Unfortunately, we reach a bit of a road block here. Esri will do its best to assist you with setting up the software and consuming it, but certificates are a bit of a gray area. The reason is that every organization does theirs a bit differently, and industry standards vary from org to org.

Please let me know if you have any questions!

Keep on keeping on!
0 Kudos
JeffGarland
New Contributor II

Adam.  I feel your pain. First question is are you certain your organization doesn't have an internal domain CA?  I'm going to assume you're a Microsoft-based network with Active Directory (AD).  Here's an article about adding a CA to your network.  I would recommend exploring this first.  That's pretty much standard BMP for securing an office network.  If you do decide to go the external route, here's GoDaddy's page that shows pricing.  Another entity is Thawte, here's their pricing.  You don't have to utilize your hosting provider.  You can utilize one of these and make an entry in your DNS to point the external URL to the server hosting Portal.  I strongly recommend not proceeding with content development in Portal until you get the cert issue worked out.  Finally, a question to ask yourself and your organization is why go on-premise Portal?  Don't discount the cost in establishing and maintaining an on-premise implementation versus a SaaS solution like AGOL.  You could establish a hybrid model with ArcGIS Server on premise (much smaller footprint, you could easily utilize self-signed cert) and AGOL for content.  Hope this helps.

0 Kudos