Updating SSL Certificate

7389
11
05-24-2017 07:34 AM
mpboyle
Regular Contributor

Our SSL Certificate is expiring and I'm wondering if once we get our new certificate, do we need to import the certificate through ArcGIS Server admin or is updating the certificate on the server sufficient?

We use a wildcard certificate and am assuming that is what our IT will be renewing, so the name of the certificate will likely not change.

If we need to import the certificate, should we delete the existing certificate entry and then import?

Just looking for best practices since we only do this once every few years!

System Configs

OS: Windows Server 2012 R2

ArcGIS Server: 10.4.1

Thanks!

0 Kudos
11 Replies
ScottFierro2
Regular Contributor

Have done this twice now using a GoDaddy wildcard cert same name, etc. and we have done these during off hours, delete existing and import new via Server Admin as well as local server in mmc.exe (we have 1 environment this is necessary on but adopted it for all environments as our own best practice as a fallback in case SSL offloading has an issue). Odds are your root and intermediate certs exp dates are still way far off and you probably only need to do this for the wildcard but always good to check and confirm so that your cert is fully qualified and you don't have a broken path.

mpboyle
Regular Contributor

I noticed there is a supported operation for 'importSignedCertificate' on our current wildcard SSL certificate.  Instead of deleting and making a new entry, can this be used to overwrite/update the certificate information?

0 Kudos
RandallWilliams
Esri Regular Contributor

A few questions:

Are you discussing the certificate at the GIS tier, or the certificate at the Web tier? Like, for instance, in house here I use ArcGIS Server's self signed certificate at the GIS tier, but access my GIS Server via the web adaptor. At the web tier, I have signed CA certificates. So in my case, when the self signed certs expire I just create a new one using the ArcGIS Server admin API, and when my CA signed certificates expire, I get a new one from the CA.

If you don't use the web adaptor, then you'd use the admin tools in the admin API to bring the new cert into the ArcGIS Server keystore. Because ArcGIS Server uses a Java web server, it only uses the system keystore when ArcGIS Server is acting as a client. You can certainly have a CA signed certificate that you imported into ArcGIS Server AND a CA signed certificate at the web tier.

mpboyle
Regular Contributor

We use Web Adaptor.  The server hosting our Web Adaptor also uses a wildcard certificate, and it seems like it already has been updated with a more current certificate that will not expire until 2020.

Since we use Web Adaptor, do we need to register an SSL certificate with ArcGIS Server?...or does the certificate on the Web Adaptor server take care of this?  We have a self-signed certificate that is not set to expire anytime soon.

0 Kudos
RandallWilliams
Esri Regular Contributor

Honestly, it's a matter of preference and philosophy when it comes to the internal web server, but in general I'll state that using a CA signed cert is preferable to a Self-Signed cert.

With that said...

A certificate signed by a reputable Certificate Authority provides you with the following:

Confidentiality: protecting the information from disclosure to unauthorized parties.

Integrity: protecting information from being modified by unauthorized parties

Non-Repudiation: you are who you say you are and information you provide cannot be disowned

A self-signed certificate will provide you with confidentiality and integrity, but since when you create a self signed cert, you're essentially vouching for yourself, it won't provide non-repudiation. Also, a CA will provide their root certificates to vendors like Microsoft and Oracle (Java) to be provided to client machines via updates. In this manner, browsers know which certificates to 'trust'. Because self signed certificates aren't created via a CA, users have to take steps so that their systems will 'trust' the certificate.

In the case of ArcGIS Server, users typically expose services to the outside via a proxy of some sort, like the Web Adaptor or some other reverse proxy. Users aren't aware of the internal systems, they only know about the web tier. They won't get errors regarding the certificate being untrusted. Internal users, however, if they connect to the GIS Server using HTTPS on port 6443, will get browser errors unless they import the certificate into the browser. For these users, non-repudiation might not be a big deal - but in the scheme of the internet in general, non-repudiation IS a big deal and keeps users from falling victim to attempts to impersonate some organization.

So basically: if you only allow users to access the GIS Server via the web server front end and deny access via the GIS Server on port 6443 with a firewall or something, while it's considered bad form, this configuration is valid and secure - especially when coupled with secured services.

Many folks do use the self signed cert on the GIS Server back end with a CA cert on the front end. It comes down to your particular organizations security posture.

To answer your question though, you're working with two independent web servers. Updating the CA signed cert at the front end doesn't touch the back end, and vice versa.

Hope that helps,

Randall

mpboyle
Regular Contributor

Thanks for the thorough reply!  What I gather from that is, it's best-form to update the CA certificate within ArcGIS Server.  Having said that, is it best to delete the CA certificate and import the new one, or can we use the 'importSignedCertificate' operation on our existing CA certificate within Server admin...or does it really matter which way we do it?

0 Kudos
RandallWilliams
Esri Regular Contributor

Yes, best form. While I want to be 'real', I'm also active in the security realm and would lose reputation points if I promoted a self signed cert over a CA signed cert, but at the same time wanted to provide real world options. There's no need to remove your current certificate. When you upload/import the signed certificate, you'll be prompted to supply an alias, which is basically a label for the cert. Like the self signed cert has the alias 'SelfSignedCertificate'. For your CA signed certificate, I might provide the alias 'GoDaddyG2_certificate_05242017'. After the certificate is updated, you go into 'Machines' in the admin API and update the machine properties. You'll see an option to update the certificate alias - you'd update that to reflect the alias of your new certificate, which is how the web server will map to the certificate in the keystore.

https://server.arcgis.com/en/server/latest/administer/windows/configuring-https-using-a-new-ca-signe...

nicogis
MVP Frequent Contributor
0 Kudos
StevenE
New Contributor III

Hi Randall, 

I have a question regarding updating the self-signed certificate for the GIS tier. I have a single machine deployment of ArcGIS Enterprise where the web tier utilizes a CA certificate, and the GIS tier uses a self-signed cert. However, my self-signed certificate used initially during setup is expired. This is causing issues when I attempt to use WAB developer edition.

Therefore, I am needing to create a new self-signed cert and want to make sure that Portal and Server remain federated, and that my existing services are not affected, as I am currently hosting our public web apps on the server. 

The CA cert and public domain are under a DNS alias, (gis.cityname.com) while the self-signed certificate is issued by the machine name and location on our network, (machinenumber.citynetwork.cityname.com.) 

My question is, since I have a DNS alias listed already, would the best option be to create a new self-signed certificate using the same issuer,(machinenumber.citynetwork.cityname.com) as last time? Also, once I do this and point the deployment to use the new certificate, my current services should carry over and remain in working order since they are published under the gis.cityname.com alias correct? 

Thank you,

Steven

0 Kudos