Importing CA certificate failed

1270
8
12-14-2020 11:44 AM
by Anonymous User
Not applicable

We have had nothing but issues getting SSL certificates to work on Server. Last year we did a new enterprise 10.7.1 and I could not import our SSL certs. I spent weeks back and forth with tech support and I ended up doing a fresh 10.6.1 install and then our certs imported. We're now on 10.8.1 and I'm trying to add a second server machine to our site and can not get our certs to import. I've spent weeks back and forth with tech support and the technican was able to import our SSL certs just fine on his test environment. I have a brand new, virtual Server 2019 VM with NOTHING installed on it (not even antivirus). I install 10.8.1, create a site with a domain account, check that the domain account has full permissions on the arcgisserver folder, install folder, and python folder. Go into the Server API to import certs and get the same stupid error - cannot import CA certificate.

Why is this happening? Can't Esri create a better way to import certs than this clunky browser based setup that does not tell me why my certs wont import? I have checked the logs - the logs say the same thing and don't provide any more additional information. This is madness and I'm tired of vague error messages that nobody at Esri knows what they mean.

Anyone else run into this problem?

0 Kudos
8 Replies
BillFox
MVP Frequent Contributor

Good Day Nathan,

Is ArcGIS Server 10.7.1 all patched up?

I thought the certs get shared as needed when the new server joins the party.

If that's not true, for the CA cert, if it has bread crumbs in it (intermediate stuff), try exporting each piece and importing to the new partner.

0 Kudos
AnibalMmartinez
Occasional Contributor

Nosotros tenemos un problema similar en 10.7.1, en IIS server los 3 certificados funcionan, pero en ArcGIS Server Administrator Directory, solo funcionan root e intermedio. El certificado del equipo no funciona. no se puede importar.  ¿Que recomiendan hacer?

Saludos,

Anibal

0 Kudos
NiekGoorman1
New Contributor III

In previous versions of Enterprise there was a bug that did not allow import of certificates with special characters in their passwords - I encountered this in 10.7.1. There was also something relating to not being able to use an alias that had already been used, but I did not run into this myself. More information in another thread here including a bug number. It may be worth checking on this and running it past your Esri support contact? I'd be curious to know whether this is fixed in 10.8.1.

0 Kudos
AnibalMmartinez
Occasional Contributor

Si esto es asi, es probable que sea mi caso, la empresa realiza los certificados x una app y esta pide password con mayusculas, minusculas, numeros y 1 caracter especial al menos.

0 Kudos
by Anonymous User
Not applicable

Hi @Anonymous User . Does the account that is running the ArcGIS Server Windows service specifically have full control on the location from which the certificates are being uploaded from? You could also try moving these certificates to the server itself also and use a browser from the server machine to upload the certificates as a test. I would just make sure that the ArcGIS Server Windows account can access this location.

Please let me know if you have any questions or concerns.

-Jacob

0 Kudos
YasarKorkmaz
New Contributor III

Similar issue RESOLVED. Not sure if it will help you but here is what happened in my case. Installed everything for the Enterprise 10.8.1 on a brand spanking new Windows server (Server, Data Store, Portal, web adaptor (IIS) for both the server and portal), but when I went to the portaladmin site to import my CA certificate created by the IT department into the Portal, I kept getting a 500 error code saying it cannot import the certificate. It was puzzling because I stood up another identical server box with the same (differnt certificate name of course) CA created certificate for that dev box without an issue a few months ago. After hours of trying, I finally decided to disable the INTERNET EXPLORER's Enhanced Security Configuration on the Local Server and voila it worked! I was able to import the certificate into the portal.

So if you are using IE to login to the portal admin page, make sure the Enhanced Security Configuration of IE is OFF. or use Chrome. Hope that helps!

0 Kudos
AnibalMmartinez
Occasional Contributor

Gracias, por tu ayuda, he probado con todos los navegadores, crhome 32 , 64, ie, edge, etc y no cambia la falla. Hace poco migramos el SO de windows 2012 a 2019 server que incluye la migracion de IIS 8.5 a 10 y no influyo en nada.

Seguimos esperando si alguien nos puede dar una mano.

Saludos, Anibal

Telecom Argentina

0 Kudos
MirkoMosch_AIDB
New Contributor II

i had the same problem with ArcGIS Server 10.8.1 not wanting to import my root and intermediate ca-certificates. i used the following workarround:

1.) Look for keytool.exe in arcgis server install folder ("C:\Program Files\ArcGIS\Server\framework\runtime\jre\bin\keytool.exe")

2.) Look for the keystore arcgis server is using. you will find the location (and password) in the server.xml from your arcgis server ("C:\Program Files\ArcGIS\Server\framework\runtime\tomcat\conf\server.xml"). in this file search for "keystorefile" and you will find its location and "keystorepass".

with that info you can load an certificate in that keystore from the command line (replace path with correct values)

path\keytool.exe -importcert -file path\yourca.cer -keystore path\arcgis.keystore -alias certalias

the keytool will promt for the passwort > copy that one found in server.xml (passwort is suppressed).

 

0 Kudos