Updating SSL Certificate

I noticed there is a supported operation for 'importSignedCertificate' on our current wildcard SSL certificate.  Instead of deleting and making a new entry, can this be used to overwrite/update the certificate information?

We use Web Adaptor.  The server hosting our Web Adaptor also uses a wildcard certificate, and it seems like it already has been updated with a more current certificate that will not expire until 2020.

Since we use Web Adaptor, do we need to register an SSL certificate with ArcGIS Server?...or does the certificate on the Web Adaptor server take care of this?  We have a self-signed certificate that is not set to expire anytime soon.

Honestly, it's a matter of preference and philosophy when it comes to the internal web server, but in general I'll state that using a CA signed cert is preferable to a Self-Signed cert.

With that said...

A certificate signed by a reputable Certificate Authority provides you with the following:

Confidentiality: protecting the information from disclosure to unauthorized parties.

Integrity: protecting information from being modified by unauthorized parties

Non-Repudiation: you are who you say you are and information you provide cannot be disowned

A self-signed certificate will provide you with confidentiality and integrity, but since when you create a self signed cert, you're essentially vouching for yourself, it won't provide non-repudiation. Also, a CA will provide their root certificates to vendors like Microsoft and Oracle (Java) to be provided to client machines via updates. In this manner, browsers know which certificates to 'trust'. Because self signed certificates aren't created via a CA, users have to take steps so that their systems will 'trust' the certificate.

In the case of ArcGIS Server, users typically expose services to the outside via a proxy of some sort, like the Web Adaptor or some other reverse proxy. Users aren't aware of the internal systems, they only know about the web tier. They won't get errors regarding the certificate being untrusted. Internal users, however, if they connect to the GIS Server using HTTPS on port 6443, will get browser errors unless they import the certificate into the browser. For these users, non-repudiation might not be a big deal - but in the scheme of the internet in general, non-repudiation IS a big deal and keeps users from falling victim to attempts to impersonate some organization.

So basically: if you only allow users to access the GIS Server via the web server front end and deny access via the GIS Server on port 6443 with a firewall or something, while it's considered bad form, this configuration is valid and secure - especially when coupled with secured services.

Many folks do use the self signed cert on the GIS Server back end with a CA cert on the front end. It comes down to your particular organizations security posture.

To answer your question though, you're working with two independent web servers. Updating the CA signed cert at the front end doesn't touch the back end, and vice versa.

Hope that helps,

Randall

Thanks for the thorough reply!  What I gather from that is, it's best-form to update the CA certificate within ArcGIS Server.  Having said that, is it best to delete the CA certificate and import the new one, or can we use the 'importSignedCertificate' operation on our existing CA certificate within Server admin...or does it really matter which way we do it?

Yes, best form. While I want to be 'real', I'm also active in the security realm and would lose reputation points if I promoted a self signed cert over a CA signed cert, but at the same time wanted to provide real world options. There's no need to remove your current certificate. When you upload/import the signed certificate, you'll be prompted to supply an alias, which is basically a label for the cert. Like the self signed cert has the alias 'SelfSignedCertificate'. For your CA signed certificate, I might provide the alias 'GoDaddyG2_certificate_05242017'. After the certificate is updated, you go into 'Machines' in the admin API and update the machine properties. You'll see an option to update the certificate alias - you'd update that to reflect the alias of your new certificate, which is how the web server will map to the certificate in the keystore.

https://server.arcgis.com/en/server/latest/administer/windows/configuring-https-using-a-new-ca-signe...

Another possibility is use let's encrypt

see blog Rick

https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows

tool for iis: https://github.com/Lone-Coder/letsencrypt-win-simple/releases/tag/v1.9.3 

Hi Randall, 

I have a question regarding updating the self-signed certificate for the GIS tier. I have a single machine deployment of ArcGIS Enterprise where the web tier utilizes a CA certificate, and the GIS tier uses a self-signed cert. However, my self-signed certificate used initially during setup is expired. This is causing issues when I attempt to use WAB developer edition.

Therefore, I am needing to create a new self-signed cert and want to make sure that Portal and Server remain federated, and that my existing services are not affected, as I am currently hosting our public web apps on the server. 

The CA cert and public domain are under a DNS alias, (gis.cityname.com) while the self-signed certificate is issued by the machine name and location on our network, (machinenumber.citynetwork.cityname.com.) 

My question is, since I have a DNS alias listed already, would the best option be to create a new self-signed certificate using the same issuer,(machinenumber.citynetwork.cityname.com) as last time? Also, once I do this and point the deployment to use the new certificate, my current services should carry over and remain in working order since they are published under the gis.cityname.com alias correct? 

Thank you,

Steven