Community
Select to view content in your preferred language

Self-signed certificate for ArcGIS Server not trusted

5980
6
01-22-2013 08:58 AM
StephanieSnider
by
Frequent Contributor
‎01-22-2013 08:58 AM
ArcGIS Server 10.1 SP 1
Windows 64-bit OS:  Windows Server 2008 R2 Standard, Service Pack 1

I enabled SSL on ArcGIS Server following these instructions.  http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_on_ArcGIS_Server_when_accesse...

This internal website works https://ndep-25/arcgis/rest/services, but I get an error in Internet Explorer (and other browsers) that the website's security certificate is not trusted.  I also see a warning about an untrusted certificate when I make an administrative connection to ArcGIS Server in ArcCatalog using https://ndep-25:6443/arcgis/admin.  If I click Yes to continue through the warning messages, the website and connection works.  However, I feel this is not really good. 

I've tried installing the certificate using the default settings suggested by the browser or ArcCatalog, but that still doesn't make the certificate trusted and I continue to get a warning message that the security certificate is not issued by a trusted certificate authority.

Are these warning messages normal?   Shouldn't a self-signed certificate that was created using ArcGIS Server be recognized by ArcCatalog as a trusted certificate in order to connect to map services?

[ATTACH=CONFIG]20959[/ATTACH]
Tags (2)
Preview file
61 KB
0 Kudos
6 Replies
RichardWatson
by
Deactivated User
‎01-22-2013 01:20 PM
If you want a trusted certificate then I think that you need to install a certificate generated by a certificate authority such as Verisign.

Let's say that I create a website with a self-signed certificate and you browse to it.  Should you get a warning?  I think so because you don't know me.  If however, you went through an authority then they are responsible for validating that you are who you say you are.

Does that make sense?
0 Kudos
StephanieSnider
by
Frequent Contributor
‎01-22-2013 02:46 PM
I think it does.  Here's my reasoning and correct me if I'm wrong.  It appears that a self-signed certificate generated by ArcGIS Server is enough to enable SSL on the GIS Web Server (https://ndep-25:6443/arcgis/rest/services).   Then a certificate issued by a CA is required in order to enable SSL through IIS, using the web adaptor (https://ndep-25/arcgis/rest/services).  Does that sound correct?
0 Kudos
RichardWatson
by
Deactivated User
‎01-23-2013 03:09 AM
Here is an article on Enabling SSL using a new CA-signed certificate:

http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_using_a_new_CA_signed_certifi...

What this discusses is installing CA-signed certificates on the GIS server(s).

Here is a discussion about the web adaptor:

http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_on_ArcGIS_Server/0154000005q0...

If you install a CA-signed certificate then you should not get browser warnings.
0 Kudos
StephanieSnider
by
Frequent Contributor
‎01-23-2013 11:32 AM
We were trying to avoid having to purchase a CA certificate (for our internal domain), but it appears we will need to.  Thanks for your help!
0 Kudos
AlinaTaus
by
Frequent Contributor
‎06-27-2013 11:45 AM
Stephanie,


Were you able to get this solved without having to purchase a CA-signed certificate for the GIS Server? I am in the exact same situation...

Thank you!

Alina
0 Kudos
StephanieSnider
by
Frequent Contributor
‎07-01-2013 09:28 AM
We have the ability to make organizational trusted certificates which are not really like self-signed but work more like a CA-trusted certificate on computers internal to our network.  All the client machines in our network have a trusted certificate assoicated with Internet Explorer that recognize our organizational certificates for various servers.  We had a difficult time creating the internal certificate so that ArcGIS Server would recognize it.  Our IT security group had to submit a base-64 encoded request using the CSR generated request.  They downloaded the certificate with its entire chain.  We imported the machine certificate first, then the root and intermediate certificates.

So I guess my answer is that it does indeed need to be a trusted certificate - CA trusted or internal domain trusted.  The map services work fine with a self-signed certificate using SSL and token based authentication.  But my Silverlight web maps would not accept the map services until the ArcGIS Server machine had a trusted certificate.
0 Kudos