ArcGIS Server SSL Certs Multiple Sites - how many?

635
2
09-21-2017 09:45 PM
BillHarvey
New Contributor II

I have the SSL certs I need and think I understand how to set them up.   I have seen many other posts, but my questions has to do with multiple machines in a site.

I know every machine that participates in an ArcGIS Server Site has to have SSL enabled and setup per this:

http://server.arcgis.com/en/server/latest/administer/windows/configuring-https-using-an-existing-ssl...

If you have 3 different machines composing a site do they all have to have the same certificate, or simply be SSL?   For example, our sys admin setup a different cert for each of our IIS servers.   If each machine in a site has to have the same cert, does the web adapter machine also have to have that same cert?   I have root and intermediate certs that will apply to all of them, but can the individual machines themselves have different selfsigned certs as long as they are SSL or should each machine in the site use the same one and should the Web Adapter also have the same one?

Follow on.   If I have a web adapter on machine A pointing at the site, and another adapter on machine B pointing at the same site does it matter?   It seems like the Web Adapter machines have to be SSL enabled but the certs can be different than the site, and machines in it.

Make sense?

Thanks.

0 Kudos
2 Replies
RandallWilliams
Esri Regular Contributor

Q1: If you have 3 different machines composing a site do they all have to have the same certificate, or simply be SSL?

A1: The only way that applying the same certificate to multiple GIS Server machines in a site could be supported would be if the machines in the site share a domain and you use a wildcard certificate.

If you request a certificate to have a CN and SAN like *.xyzdomain.com, you may apply that certificate to multiple GIS Server machines in a site, assuming all those machines are on the same domain. You would not want to get a certificate with a CN for machine-A.xyzdomain.com and apply this certificate to machine-B.xyzdomain.com.

Q2: If each machine in a site has to have the same cert, does the web adapter machine also have to have that same cert?

A2: No. Certificates are applied at the web server level, not the machine level. A machine may have multiple web servers. For instance, I can run ArcGIS Server and IIS on the same machine. Those web servers cannot share the same ports, though. Customers can and do use self signed certs at the GIS Server tier and CA signed certs at the web tier.

Q3: If I have a web adapter on machine A pointing at the site, and another adapter on machine B pointing at the same site does it matter? It seems like the Web Adapter machines have to be SSL enabled but the certs can be different than the site, and machines in it.

A3. That's correct. I might have a CA signed certificate on a web server with a CN defined as www.randall.com. Then, I might open port 6443 on my firewall and register the web adaptor with a machine inside my local domain called machineA.xyzdomain.com. I may also install the web adaptor on an internal facing web server and configure it to point to my GIS Server site. In this case, I could potentially have three different certificates - one at the web tier with the external facing web adaptor, one on the internal web server, and one on the GIS Server.

BillHarvey
New Contributor II

That is great stuff.   Thank you for your thorough reply.   I appreciate it.

0 Kudos