CA Certificate troubleshooting

10-30-2013 11:56 AM
New Contributor III
Hi-

I've gone through every resource I can find, but still am having a problem installing a CA signed SSL Certificate. 

http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_using_the_default_self_signed...

http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_using_a_new_CA_signed_certifi...

http://resources.arcgis.com/en/help/server-admin-api/index.html?certificate.html

If there is anyone who has installed theirs correctly with the architecture described below, please let me know what steps you took...  I've been through ESRI's support, but so far have not been able to get SSL working...  Thought I'd take a crack at this forum.

Environment:
ArcGIS Server 10.1 SP1 on Windows DataCenter 2008 R2
Single server on DMZ-no reverse proxy or web adaptor
CA signed by GoDaddy using the admin API to generate the cert from the self-signed cert...

Long story short, our IT department initially installed the certificate through IIS 7.0 (as detailed by GoDaddy).  We quickly found that the https side in ArcGIS admin failed.  After this, we removed the certificate, set up the self-signed certificate (worked on both the http and https sides), created the CSR, and imported the signed certificate (there was some confusion about which certificate to import: one was a file with *bundle* in its name, the other a file with a numeric name).  In the end we tried one, then the other, then installed both.  All trials ended with the http side working but https not, and we had to revert to the self-signed certificate.

At this point I'm a bit frustrated (but not done trying) with why this isn't working...  Could the certificate be either locked or have dependencies removed by installing the cert in IIS and then removing it?  Something may be either still installed or unintentionally removed during this process...  Also, I came across some help info for the GeoEvent Processor on manually adding a KeyPair (didn't find anything else on this), and wondered if anyone has had to add the KeyPair manually, or if there is a way to verify the KeyPair's existence on the server for 10.1?  My most recent attempt to get ESRI support ended with them acknowledging a bug with importing CA certificates; I am still waiting for them to respond further, since there seem to be numerous successful installations as observed through these forums.

Any info, thoughts, comments, or other resources would be greatly appreciated.

Ed
2 Replies
Occasional Contributor
Hello,

Do you have a requirement to use a signed cert on your ArcGIS for Server? If you do then please generate the CSR and simply import the cert using the steps here:

http://resources.arcgis.com/en/help/main/10.1/index.html#//0154000005wr000000

If you do not have this type of requirement, please try these steps:

1. Turn on https on your ArcGIS for Server, and use the self-signed cert
2. In IIS, bind https on a website using a signed cert (possibly the one from GoDaddy as described)
3. Install Web Adaptor for IIS
4. Register your web adaptor (if web adaptor was installed, please re-register it after enabling IIS)

Then simply instruct your users to use the URL of your web adaptor. They will never be prompted this way as they will only reference the signed cert in IIS.

Thank you very much-
MVP Regular Contributor
A few questions...

1. Did you import the CA-signed certificate and the Root certificate into the ArcGIS for Server Administrator Directory?  Those certificates need to match the ones that are set up in your Trusted Certification Root Authority and the one bound to the website in IIS.  It can be a pain to import these, depending on whether or not you can generate a PFX file for them to use for import. 

2. Are you positive that all certificates in your CA cert's certification path are trusted on the server in question?  Double-click the certificate and check the Certification Path tab to make sure there aren't any red X's showing up.  If there are, that certificate isn't trusted and must be placed into the Trusted Certification Root Authority.  This includes the CA-signed server cert, any intermediary certs, and the root cert. 

3. Does your CA-signed server certificate (not the root cert, of course) use the fully-qualified (FQN) hostname for the NAME?  In other words, does it say GISMACHINE1 or GISMACHINE1.domain.int?  The cert must use the FQN; I have not had good luck otherwise. 

4. Does your server have a special DNS entry for your network by chance?  In other words, does gisserver.domain.int behave as a DNS pointer for GISMACHINE1 on your network?  If so, I would recommend that additional SANs be provided as part of the cert.  I generally use the host name, any DNS entries, and the server IP as additional SANs besides the FQN as the NAME.
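An added example, not part of either reply above and not Esri's or GoDaddy's code: a PowerShell script, run on the ArcGIS Server machine, that connects to each HTTPS endpoint in the layout the first reply describes (IIS/Web Adaptor on 443, ArcGIS Server itself on its own port), captures the certificate each one actually presents, and then applies the four checks from the second reply to it: whether the certification path builds against this machine's Trusted Root and Intermediate stores, whether the subject CN is the fully qualified name, what SANs are present, and whether the name users type matches. The FQDN and the two port numbers are assumptions to replace with your own; 6443 is used here as ArcGIS Server's default HTTPS port.

```powershell
# Added example, not from the thread above. Run from PowerShell on the
# ArcGIS Server machine: it fetches the certificate each HTTPS endpoint
# presents and applies the checks from the second reply. Assumed values:
# the FQDN users will type, 443 for IIS/Web Adaptor, 6443 for ArcGIS Server.
param(
    [string]$ExpectedFqdn = 'gisserver.domain.int',
    [int[]]$Ports = @(443, 6443)
)

function Get-ServerCertificate {
    # Open a TLS session and return the leaf certificate the server sent.
    param([string]$TargetHost, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    # Accept any certificate for the handshake; trust is evaluated separately below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Test-ServerCertificate {
    # Questions 1-4 from the second reply, evaluated against this machine's stores.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    # Q1/Q2: does the certification path build from the Trusted Root and
    # Intermediate stores? Any status text is what the GUI shows as a red X.
    # Revocation checking is skipped because a DMZ host may have no outbound access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    $pathReport = foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        '{0,-50} {1}' -f $el.Certificate.Subject, $status
    }

    # Q3: the subject CN should be the fully qualified name, not the bare host name.
    $cn = ''
    if ($Cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $cn = $Matches[1] }

    # Q4: Subject Alternative Names (OID 2.5.29.17), e.g. "DNS Name=x, IP Address=y".
    $sans = @()
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sans = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }

    New-Object PSObject -Property @{
        ChainBuilds = $chainOk
        PathReport  = $pathReport
        SelfSigned  = ($Cert.Subject -eq $Cert.Issuer)
        CommonName  = $cn
        CnIsFqdn    = ($cn -eq $Fqdn)
        Sans        = $sans
        NameMatches = ((@($cn) + $sans) -contains $Fqdn)   # -contains is case-insensitive
    }
}

foreach ($port in $Ports) {
    "== ${ExpectedFqdn}:$port"
    try {
        $cert = Get-ServerCertificate -TargetHost $ExpectedFqdn -Port $port
    } catch {
        "   connection failed: $($_.Exception.Message)"
        continue
    }
    $r = Test-ServerCertificate -Cert $cert -Fqdn $ExpectedFqdn
    "   Subject      : $($cert.Subject)"
    "   Issuer       : $($cert.Issuer)  (self-signed: $($r.SelfSigned))"
    "   Expires      : $($cert.NotAfter)"
    "   Chain builds : $($r.ChainBuilds)"
    $r.PathReport | ForEach-Object { "     $_" }
    "   CN is FQDN   : $($r.CnIsFqdn)  (CN=$($r.CommonName))"
    "   SANs         : $($r.Sans -join ', ')"
    "   Name matches : $($r.NameMatches)"

    # The poster's KeyPair question, answered for the IIS side only: the copy in
    # the Windows store must carry the private key. ArcGIS Server keeps the
    # certificate imported through the admin API in its own store, not here.
    $storeCopy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($storeCopy) { "   Private key in LocalMachine\My: $($storeCopy.HasPrivateKey)" }
}
```

Save it under any name (say `Check-ServerCert.ps1`, an assumed file name) and run `.\Check-ServerCert.ps1 -ExpectedFqdn gisserver.domain.int -Ports 443,6443`. In the layout the first reply recommends, the 443 listing should show the GoDaddy-issued certificate with `Chain builds : True` and `Name matches : True`, while the ArcGIS Server port shows the self-signed certificate with the chain failing; that is expected, since users only ever reach the Web Adaptor URL. If the 443 listing shows `Chain builds : False`, the `PathReport` lines name the element that is missing from the machine's Trusted Root or Intermediate store, which is the red X the second reply describes; if `CN is FQDN` and `Name matches` are both `False`, the certificate was issued for the short host name and needs re-issuing with the FQDN (and any extra DNS names) as SANs.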