Questions on configuring SSL certificate for Geoevent Server

wizgis · ‎02-09-2023

Hi Community,

Hope everyone is doing well

I just want to make sure that I am following the correct workflow. We are in the process of installing geoevent server on a machine which is separate from the machine where we have our base deployment set-up.

Our base deployment is fully functional and is configured with a CA signed certificate. In order to configure ssl certificate on geoevent server I referred to the following documentations:

After going through the documentations I think I need to take following steps:

Export the CA certificate by giving password from IIS in .pfx format.
Navigate to the admin end point of ArcGIS Server underneath which Geoevent server would be running and import the certificate.

Please let me know if any additional steps needs to be taken.

TonyContreras_Frisco_TX · ‎02-13-2023

You definitely need a separate SSL cert, since the CN (Common Name) used in each one should be different. One will have the internal server name (servername.domain.com) that you will use when accessing the server directly (https://servername.domain.com:6443/arcgis/rest/services) and that is the one you configure in the GIS Server admin page. The other cert should have a CN like maps.domain.com and should be installed on a Web server (configured in IIS) in the DMZ, with maps being an alias that you have set up to point to the DMZ server or group of servers if using a load balancer. See more information here about securely making your server accessible outside your network.

View solution in original post

TonyContreras_Frisco_TX · ‎02-09-2023

These steps are correct. Step 1 may contain mini-steps like making sure the cert is for the FQDN that you will be using to reach the rest endpoint. If you receive the .pfx file, great, but there is usually a process needed to create the pfx file from other files like the CA cert, private key and the cer files. The point is, don't be surprised if someone sends you a different file type and tells you to figure out the rest.

For Step 2, you will also have to import a cert for the CA as well as edit the machine in the REST Admin page to use the new cert you imported.

wizgis · ‎02-10-2023

Thank you @TonyContreras_Frisco_TX for confirming this.

I followed the steps mentioned in the documentation and I can see that ArcGIS Server is now using the CA signed certificate. I confirmed this from admin end point as well as from the pad lock icon however, I still see the NOT SECURE message.

I think this could be because of the fact that I have not yet configured the ArcGIS Server installed on new machine with webadaptor and this webadaptor is present on a separate machine and I exported the .pfx certificate from the IIS of the machine hosting webadaptor.

Please let me know if my understanding is correct here.

TonyContreras_Frisco_TX · ‎02-13-2023

I think that is correct if the cert you installed was for the GIS/Geoevent Server machine, then visiting the internal URLs with the 6443 and 6143 ports would work. The Web adaptor will need a valid Cert installed on whatever web server product you are using (it sounds like IIS in your case) if you want to visit the sites via the web adaptor URL (recommended).

wizgis · ‎02-13-2023

So earlier today, I configured WebAdaptor (WA) with the new machine that had ArcGIS Server installed underneath which GeoEvent Server runs, and it worked as when I access ArcGIS Server through WA URL, I can see the padlock icon however, when I try to use the internal/port URL I still get the error message of not secure.

I am beginning to think do I need a new CA certificate for this new machine because the certificate that I have been using so far has been issued to WebServer machine and that was the certificate that I exported from IIS and imported in ArcGIS Server admin page.

TonyContreras_Frisco_TX · ‎02-13-2023

You definitely need a separate SSL cert, since the CN (Common Name) used in each one should be different. One will have the internal server name (servername.domain.com) that you will use when accessing the server directly (https://servername.domain.com:6443/arcgis/rest/services) and that is the one you configure in the GIS Server admin page. The other cert should have a CN like maps.domain.com and should be installed on a Web server (configured in IIS) in the DMZ, with maps being an alias that you have set up to point to the DMZ server or group of servers if using a load balancer. See more information here about securely making your server accessible outside your network.

TonyContreras_Frisco_TX · ‎02-13-2023

You will definitely need separate certificates, since each has its own FQDN. The GIS Server cert will be made for something like servername.domain.com (only accessible inside your network) and the Web server (which should be in the DMZ with only the needed ports open between it and the GIS Server) should have a cert with a CN (Common Name) like maps.domain.com, where maps is an alias set up to point to your dmz server, so that its hostname is not exposed and the alias can be pointed to other servers is the current one needs to be replaced, or you are using a load balancer for multiple web servers. See this page for information on various setups using Web adaptors.

wizgis · ‎02-13-2023

Thank you for clearing this out.