SSL Question

194
3
01-10-2019 02:25 PM
MikeLamb
New Contributor II

I have 2 customer sites that are accessing a SSL only ArcGIS server instance for their basemaps on the same standalone network. The first customer site has all of their browsers loaded with the correct Root and Intermediate CA certificates while the second site does not (This is due to how SCCM pushes out their browser updates). In order to allow both sites SSL access to the site (without the users having to manually add a SSL exception), would it work if I were to install another webadaptor on the same machine where the current one is, and just call it arcgis2 and bind the new cert, which would be signed by a CA the second site has in their browsers trust, then change that webadaptor to use another port for SSL access. The only problem I think I would run into would be that the ArcGIS Server itself can only use one SSL certificate at a time, and the one its using now is customer 1's CA signed certificate. Any help would be appreciated, I was just trying to avoid setting up another duplicate server just to use another CA's certificate.

Thanks,

Mike

0 Kudos
3 Replies
RandallWilliams
Esri Regular Contributor

I would expect that this would work. I don't think you'd need to bind to a port other than 443 if the web adaptors have different names. You'd just need to bind the new cert to the arcgis2 web adaptor instance. Users frequently use untrusted self signed certs at the GIS tier with trusted certs at the web tier. I expect the behavior here to be similar. 

0 Kudos
JoshuaBixby
MVP Esteemed Contributor

I will go one step further, with regards to port bindings, absolutely do not bind to a different port than 443.  Every time my organization has gone with non-standard ports, whether Esri standard (6080, 6443) or industry standard (80,443), we have run into gremlins with ArcGIS Server.

0 Kudos
MikeLamb
New Contributor II

Finally got the issue resolved. We had to create a new website on the web adapter machine through IIS and install the new ESRI web adapter there (called customer2). We then got a new certificate issues to the newly created DNS alias for the machine (also called customer2). So this is what it looked like in the end.

https://customer1.domain.com/arcgis uses customer 1's CA and is installed in IIS to the Default Web Site - and the signed cert is bound to 443 (not using server name identification, since the cert was incorrectly issued to the machine name vice the DNS alias)

https://customer2.domain.com/customer2 uses customer 2's CA and installed to a newly created website in IIS - signed cert is bound to 443 and uses server name identification to customer2.domain.com as this cert was correctly issued to the DNS alias.

So a little more work that originally anticipated on my end, but we now have a web adapter machine with 2 instances of ESRI web adapter that uses multiple CA root certificates in order to accommodate both our customer sites. I don't anticipate really anyone else running into this issue, but hopefully it can be helpful in the future if anyone needs this information.

Thanks to everyone for their replies.

Mike