Can ArcGIS Enterprise be deployed from CloudFormation using self-certified SSL certificate?

08-21-2020 02:18 PM
New Contributor

Has anyone here successfully installed ArcGIS Enterprise 10.7.1 (or actually any version) in AWS with a self-signed SSL certificate? I have tried using the CloudFormation stack in the AWS marketplace and the Windows ConfigurationBuilder client. Both have failed. ConfigurationBuilder complains that the certificate can't be chained to a trusted authority. This deployment is for an internal sandboxed use, so I don't need it to be linked to a global CA.

If anyone has any tips, including an alternate deployment path than the two I mention, I will be grateful to hear them.

Thank you in advance.

4 Replies
Esri Contributor

Hello John Felleman,

We have recently been successful building HA ArcGIS Enterprise 10.7.1 in AWS using custom CloudFormation scripts.
We started with the Esri supplied template, and re-used the Esri supplied AMI, but have deployed across multi tiers. Portal, Server, Relational Data Store and Tile Cache Data Store all on different EC2 instances (two at each tier for HA).

We have one environment using Web Adaptors (on the Portal Tier) and another where we did not include Web Adaptors (to match the FQDN of the environment from which we migrated).

To answer your question, we can use the self-signed certificate on all tiers, but only if we use an ACM-hosted certificate registered with an Application Load Balancer associated with the FQDN for the site in the DNS (Route53 in our case).

That way, the ALB presents a valid and recognised certificate to the client, but directs the request through on HTTPS to the EC2 instances and does not itself care that the underlying web servers are only using self-signed certificates.

In our case, the organisation is OK to use ACM public certificates and, as such, does not need to import "private" external CA signed certificates.
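
The arrangement described in the reply above, written out as an added CloudFormation example (not part of the original post and not Esri's template): an ACM public certificate is attached to the ALB's HTTPS listener by ARN, and the target group forwards over HTTPS to instances that present self-signed certificates. All parameter and resource names are assumptions, as is backend port 443; instances are expected to be registered with the target group separately.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:                      # all names below are assumed for illustration
  SiteFqdn: {Type: String}       # constructed example: gis.example.com
  HostedZoneId: {Type: 'AWS::Route53::HostedZone::Id'}
  VpcId: {Type: 'AWS::EC2::VPC::Id'}
  SubnetIds: {Type: 'List<AWS::EC2::Subnet::Id>'}
  AlbSecurityGroupId: {Type: 'AWS::EC2::SecurityGroup::Id'}
Resources:
  SiteCertificate:               # ACM public certificate, validated through DNS
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref SiteFqdn
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref SiteFqdn
          HostedZoneId: !Ref HostedZoneId
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Subnets: !Ref SubnetIds
      SecurityGroups: [!Ref AlbSecurityGroupId]
  BackendTargetGroup:            # HTTPS to the instances' self-signed certificates
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTPS
      Port: 443                  # assumed backend port
      TargetType: instance
      HealthCheckProtocol: HTTPS
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Protocol: HTTPS
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref SiteCertificate   # Ref returns the certificate ARN
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref BackendTargetGroup
  SiteDnsRecord:                 # Route53 alias so the FQDN resolves to the ALB
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref SiteFqdn
      Type: A
      AliasTarget:
        DNSName: !GetAtt LoadBalancer.DNSName
        HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID
```

An ALB does not validate the certificates its targets present, so the backend hop is encrypted but not authenticated. Limit the instances' security group to accept the backend port only from the ALB's security group.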

Occasional Contributor III

Hi David

How did you reference your ACM certificate in your CloudFormation script?




New Contributor

Hey David,

In your deployments where you do not use a web adaptor, are you able to customize the URL paths to portal for example? We have only been able to successfully set up routing to for example, but we cannot get to route correctly. Are we doing something wrong? Or is this a limitation / intended design?

Esri Contributor

Hi Joe

I have personal experience where we have been able to route to without a web adaptor, but only within Azure using Azure Gateway; in AWS using ALB we can't do it because you need a URL rewrite functionality that AWS ALB does not provide.