Questions about updating SSL certificates on 10.8.1

11-10-2022 09:17 AM
LLCCG
Occasional Contributor

IT tells me that our SSL certificate is expiring soon and needs to be updated. 

I have a HA system with Portal, Server, and Data Store each running on two machines. 

I'm not really sure how many places I need to update these certificates, though.

In Portal Admin, when I go to Home > Machine > MachineName > SSLCertificates, each of the two certificates listed shows an expiration date of 2053. I'm assuming I don't need to update anything there. 

In Server Admin, when I go to Home > Machine > MachineName > SSLCertificates, I have one that expires soon, and a self-signed certificate that expires in 2053. 

Is there any way to check the expiration date of the certificate for Data Store?

Is there any other place I need to check for certificates that expire soon? 

I'm thinking that all I need to do is update the one in Server Admin that is expiring soon, and restart services, right?

 

Thanks!

0 Kudos
17 Replies
LLCCG
Occasional Contributor

The screen for both machines looks the same: 

screenshot2.png

The cert that ends in "2022" is the CA cert that expires soon. 

0 Kudos
Scott_Tansley
MVP Regular Contributor

Cool - you'd be surprised how many people install a cert but then leave that option as self-signed.  So now you need to import your new certificate:

https://enterprise.arcgis.com/en/server/latest/administer/windows/configuring-https-using-an-existin... 

into the first screen that you sent a screen grab of, and then update the entry above.  Test, then delete the old cert.

I'm risk averse, so take a snapshot of the machine before you do it.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
0 Kudos
LLCCG
Occasional Contributor

This seems to have worked perfectly. Thanks!

Scott_Tansley
MVP Regular Contributor

Awesome, so I think I read that you have two servers.  You need to do it on both.

You'll also need to do it on the portal machine(s).

Datastore is an interesting one.  Have a read of:

https://enterprise.arcgis.com/en/data-store/latest/install/windows/data-store-utility-reference.htm#...

It will tell you if the datastore is sslenabled or not.  It's more detailed to implement than portal/server, so many people leave it.  If it is enabled then you need the instructions here:

https://enterprise.arcgis.com/en/data-store/latest/install/windows/data-store-utility-reference.htm#...

Scott Tansley
https://www.linkedin.com/in/scotttansley/
0 Kudos
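
An added example, not part of the thread or of Esri's tooling: a PowerShell check that reads the certificate each HTTPS endpoint actually presents on both HA machines and reports its expiry and whether it looks self-signed. The host names are placeholders, and ports 6443 (ArcGIS Server) and 7443 (Portal) are assumed to be the default install ports.

```powershell
# Added example. Host names are placeholders; 6443 and 7443 are assumed to be
# the default ArcGIS Server and Portal HTTPS ports, 443 the IIS / Web Adaptor site.
$machines = 'gis1.example.com', 'gis2.example.com'
$ports    = [ordered]@{ 'IIS / Web Adaptor' = 443; 'ArcGIS Server' = 6443; 'Portal' = 7443 }
$warnDays = 30

function Get-TlsCertificate {
    param([string]$ServerName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($ServerName, $Port).Wait($TimeoutMs)) {
            throw "connect timed out"
        }
        # Accept any certificate: the goal is to inspect it, including
        # self-signed and already expired ones. No application data is sent.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $tls.AuthenticateAsClient($ServerName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        } finally { $tls.Dispose() }
    } finally { $client.Close() }
}

$report = foreach ($machine in $machines) {
    foreach ($component in $ports.Keys) {
        $row = [ordered]@{
            Machine = $machine; Component = $component; Port = $ports[$component]
            Subject = $null; SelfSigned = $null; NotAfter = $null; Status = $null
        }
        try {
            $cert = Get-TlsCertificate -ServerName $machine -Port $ports[$component]
            $days = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            $row.Subject    = $cert.Subject
            # Heuristic: a certificate whose subject equals its issuer is self-signed.
            $row.SelfSigned = ($cert.Subject -eq $cert.Issuer)
            $row.NotAfter   = $cert.NotAfter
            $row.Status     = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $warnDays) { "RENEW, $days days left" } else { 'ok' }
        } catch {
            $row.Status = "no certificate read: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}
$report | Format-Table -AutoSize
```

Running it before and after the import shows whether each machine is really serving the new certificate rather than the old one or the self-signed default.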
LLCCG
Occasional Contributor

I did it on both machines. Those two machines are also the machines that run Portal and Data Store. When I open Portal Admin, and go to the SSLCertificates page under Machines, each one shows two self-signed certificates, both of which have 2053 expiration dates. Is there anything else I need to do there?

When I run describedatastore, it doesn't have any mention of SSL. (It goes straight from "Data store status" to "Last failover" with no lines in between.) I assume that means it's not ssl enabled?

0 Kudos
Scott_Tansley
MVP Regular Contributor

Did you run that command on both data stores?  I would expect a lot more text than just that.  One of them should say "sslenabled True (or False)"

The fact that portal is using self-signed simplifies things and means you haven't got to change it.  It raises the question, however, of why was it important to certify server but not portal?  You normally do both or not at all.  Most of my clients are using Web Adaptors and 'all' traffic goes through there, so all users are certified at that point and the web adaptors trust the self-signed cert anyway.  That removes all of this need to recertify the software components.

Your choice on certifying portal or not.  I would typically only recommend it for ultra-secure environments like police/defence.  But I design systems with many layers of security and good practice over the top and it mitigates the need a little bit.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
0 Kudos
Scott_Tansley
MVP Regular Contributor

Or alternatively have a good read here:

https://enterprise.arcgis.com/en/server/latest/administer/windows/configuring-https-using-an-existin...

The name of the certificate in use should be clearly shown.  If it says self-signed then you only need to update IIS.  If it’s the name of the short-term cert then it needs replacing.  

Scott Tansley
https://www.linkedin.com/in/scotttansley/
0 Kudos
Kara_Shindle
Frequent Contributor

If your IT dept misses a cert and it expires on the Web Adaptor machine and they replace it, do you need to register it somewhere for it to fix things?  I've got some datastore issues I'm wondering if it's because of this expired cert.  Just posted about it here.

0 Kudos