Hi, we have ArcGIS Enterprise 10.8 (single tier) running in Azure which was deployed using Cloud Builder.
I can't find any Esri documentation on renewing the SSL Certificate on this deployment which I think is known as V2 using an Azure App Gateway. It looks like the documentation all relates to the older <10.8 deployments.
Previously I know this quite involved, importing into Portal and Server but I wonder if they all work off self-signed now. From looking around in Azure Portal the only place I can see that might be correct is to upload a new (pfx) certificate in the HttpsEnterpriseDeploymentlistener.
Can anyone provide any details or links on doing this?
Hi, thanks for responding.
I hope I'm not getting confused between 10.7.1 and 10.8, but I 'think' when I added the certificate in Cloud builder on the first install it configured everything.
My certificate is now due to expire and I'm not sure where or how to renew as there are a lot of components involved.
Does that make sense?
Hey there Tony,
I think I understand what you are asking. So typically in an enterprise deployment there are three-five places you can look at to import your new certificate.
Each major component, ArcGIS Enterprise Portal, ArcGIS Server, and ArcGIS DataStore, by default uses a self signed cert. An environment will work with these, but best practices is to replace these with a CA signed cert for production. Best thing for you to do is to go to the locations of each listed below and see if its using self signed or not. If you find the self signed, I would leave it alone, otherwise replace them with your new certs:
Since azure uses IIS rewrite rules, you are most likely not using web adaptors. As such, you may have to import the cert directly into the V2. I looked around for a way to do this and found this article (https://docs.microsoft.com/en-us/answers/questions/51336/appgateway-v2-certificate-issue.html) ((Not an esri component, so I would double check my work here))
Thank you very much for your response.
When I look at the SSL Certificate(s) on both Portal and Server (single tier), each one has an issuer value of the Azure VM url e.g. [vmname].internal.cloudapp.net so I assume this means Portal and Server are both using a self-signed cert?
If this is the case, does it mean I would only need to look at renewing the certificate on the App Gateway https listener?
Hey there Tony,
After some research into this, you should be able to rotate the AAG certificate with the new certificate. The internal endpoints utilize self signed certs that are also imported into the AAG configuration, so I wouldn't worry about these either. Thank you for bearing with me!