We are in the process of setting up an internal only install of Portal and running into SSL issues. We are a tiny organization and our IT consists of a total of 6 people and that includes myself, the media tech, and 4 people who actually do IT. We have no internal domain CA and our one Networking guy (who is new) doesn't really have any SSL experience. We are currently looking at certs online and there is a large variety in levels and costs. The installation instructions make it clear about needing a cert but I didn't really see anything that talks about exactly what kind of cert I would need. We tried talking to the company that we get our website cert from and they were trying to say that we needed a cert that was going to cost in the 700 range. That seems excessive for a site that is accessible only from in our network. Can somebody who knows a bit more about certs give me a little more explanation about what kind of cert it is that I need to be purchasing?
I would like to preface my answer with a disclaimer: I know that this answer is not overly technical, but this is by design. As you mentioned, there are many network considerations that your organization has to consider before finding the best fit. I have done my best to include empirical knowledge from past experiences that have worked in the past, but please make sure that you consult with your IT before implementing these solutions.
Certificates are a very important part of the overall deployment. They not only deal with the security of the transactions between clients and servers, but also ensure that traffic between Esri products stays encrypted and is not tampered with. To answer your question:
If you have any questions, I will be more than happy to assist in any way I can.
I understand the importance of security and also the difference between an internal and external generated cert. I was more confused about what level of outside CA would be needed. Just looking at DigiCert, for example, I can get a cert ranging from standard, to EV, to Multi-Domain, to Wildcard, with prices ranging from $188 to $625 a year. Other sites also have different levels and range from as low as $30 to well over $1000 a year. I would think that since this cert is pretty much only to get the browsers to stop complaining about an untrusted site, any standard or lowest level cert would work.
I completely understand the frustration with the variety of certificates offered out there. To help explain a bit better, I would suggest reading over this article, which goes over the different types of certificates available to you.
Unfortunately, we reach a bit of a roadblock here. Esri will do its best to assist you with setting up the software and consuming it, but certificates are a bit of a gray area. The reason is that every organization does theirs a bit differently, and industry standards vary from org to org.
Please let me know if you have any questions!
Adam, I feel your pain. The first question is: are you certain your organization doesn't have an internal domain CA? I'm going to assume you're a Microsoft-based network with Active Directory (AD). Here's an article about adding a CA to your network. I would recommend exploring this first. That's pretty much standard BMP for securing an office network. If you do decide to go the external route, here's GoDaddy's page that shows pricing. Another entity is Thawte; here's their pricing. You don't have to utilize your hosting provider. You can utilize one of these and make an entry in your DNS to point the external URL to the server hosting Portal. I strongly recommend not proceeding with content development in Portal until you get the cert issue worked out. Finally, a question to ask yourself and your organization is why go on-premise Portal? Don't discount the cost in establishing and maintaining an on-premise implementation versus a SaaS solution like AGOL. You could establish a hybrid model with ArcGIS Server on premise (much smaller footprint, you could easily utilize a self-signed cert) and AGOL for content. Hope this helps.