
Idea: Add Native Automated Certificate Management (e.g., ACME) to ArcGIS Enterprise

a week ago
AYUSHYADAV
Hi Everyone,
 
With the upcoming industry-wide changes to public TLS certificate lifetimes, I wanted to propose an enhancement for ArcGIS Enterprise and see how the rest of the community is planning to handle this.
 
The Upcoming Challenge: The maximum lifetime for public TLS certificates is rapidly accelerating toward much shorter durations. According to recent announcements:
 
  • March 15, 2026: Maximum lifetime reduces to 200 days
  • March 15, 2027: Maximum lifetime reduces to 100 days
  • March 15, 2029: Maximum lifetime reduces to just 47 days

Reference Link: TLS Certificate Lifetimes Will Officially Reduce to 47 Days | DigiCert

 
The Impact on ArcGIS Enterprise: Currently, updating certificates in ArcGIS Enterprise (such as the IIS Web Adaptor and the Portal/Server Admin Web Servers) requires significant manual intervention. If you are using an existing CA-signed certificate, the current workflow requires administrators to log into the Administrator Directory, manually import the .p12 or .pfx file, update the web server SSL certificate property, and restart the ArcGIS Server site.
 
Crucially, if you have a multiple-machine deployment, these manual steps must be repeated for each GIS server in the deployment.
 
By 2029, we will be forced to perform these manual certificate updates and service restarts every 47 days. While public Application Load Balancers (ALBs) and Gateways can leverage protocols like ACME for automatic updates, ArcGIS Enterprise currently lacks an equivalent built-in automation for its internal web server components. This frequency will introduce severe manual overhead and significantly increase the risk of operational downtime if a certificate update is missed.
 
The Proposed Enhancement: We are requesting that Esri introduce automated certificate lifecycle management (such as native ACME protocol support) directly into ArcGIS Enterprise.
This built-in automation would allow ArcGIS Server and Portal to automatically fetch, bind, and apply renewed certificates seamlessly, entirely removing the need for manual administrative overhead and manual service restarts.
 
Community Question: Is anyone else looking at this 47-day timeline and worrying about the manual overhead? Are you currently building your own custom automation to handle this?
 
If you agree that Esri should provide a native, out-of-the-box solution to automatically manage these certificates, please give this post a Kudos / Upvote!
 
Thanks!
Ayush