CA-Signed Certificate for ArcGIS Server

ZacharyHart · ‎09-28-2012

We are attempting to secure or server with at CA-Signed Certificate. The instructions for this are found here. http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_using_a_new_CA_signed_certifi...

However the CA is requesting what what 'server software' we are using before we submit our CSR (the choices range from IIS7 to Apache to Lotus Domino and so forth). Our IT department has stated that providing the appropriate server software is typical when getting a CA-Signed certificate.

We are using the web adaptor for IIS which leads me to believe that we need to choose IIS7. However, as I understand it, at 10.1 AGS has a built in web server based on Apache (?) and I need get this right the first time.

What is most troubling is that Support Services has indicated that this is generally outside the realm of support and they have a request in to 'the developers'. :confused:

In the 10.1 Help section 'Configuring ArcGIS Server to be secure', it explicitly states:
While setting up SSL for a website, it is common practice to use a self-signed SSL certificate in the test environment and a CA-signed certificate when moving to production. (my emphasis added).

ESRI itself indicates this is best practice.

I'm hoping someone here will have the correct answer.

ZacharyHart · ‎10-01-2012

<Crickets chirping in the night>

Really? ESRI, can someone please give me an answer on this?

"If your site will be accessed by external users, you should configure SSL on the web server hosting the Web Adaptor using a commercial Certificate Authority certificate" http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_on_ArcGIS_Server/0154000005q0...

ZacharyHart · ‎10-01-2012

anyone????

[ATTACH=CONFIG]18103[/ATTACH]

RobertJones2 · ‎10-11-2012

I faced this question recently due to a security review of an ArcGIS Server site I'm involved in building. You are correct that ArcGIS Server uses Apache - Apache Geronimo (which itself is built on Apache Tomcat, in case Geronimo isn't one of the choices available for signing your CR). I ended up generating two certificate requests - one for IIS, and one for ArcGIS Server.

In case it's of interest our authentication tier is GIS Server, and we have the Web Adaptor and ArcGIS Server installed on the same machine.

ZacharyHart · ‎10-18-2012

I faced this question recently due to a security review of an ArcGIS Server site I'm involved in building. You are correct that ArcGIS Server uses Apache - Apache Geronimo (which itself is built on Apache Tomcat, in case Geronimo isn't one of the choices available for signing your CR). I ended up generating two certificate requests - one for IIS, and one for ArcGIS Server.

In case it's of interest our authentication tier is GIS Server, and we have the Web Adaptor and ArcGIS Server installed on the same machine.

Robert, sorry i didn't respond to this sooner...usually I get notified when threads have been updated. At any rate, what you describe is the identical situation. After days of no developments from tech support, the incident either got elevated or directed to a developer/software engineer (or something, either way it was a person who spoke with some authority). They indicated that it wouldn't matter what software we chose when getting the CR signed at a CA. However, as you may have gathered, the correct/typical procedure is to have a certificate for both your GIS server and your web server. Applying the .crt to the GIS server (replacing the originally generated self-signed) isn't a problem. However, you cannot export the certificate from ArcGIS server the same way you do in Windows/IIS7 where you export as a .pfx (which contains the shared key, if i understand our IT dept. correctly) in order to import the .crt onto your web server's site.

Fortunately, we still had a valid 3rd party certificate for our web server, so the gis server and web server can 'talk' and know who they both are via the 2 different certificates. Our IT support was surprised that the GIS server did not have the necessary functionality to export the certificate with the key.

Clearly, there needs to be better documentation on this subject as ESRI is clear that for a production environment this is the recommended practice.

DrewDowling · ‎06-10-2014

thanks, this helped me get the cert we needed from the IT Dept.