Hello -
We have recently upgraded to ArcGIS for Server 10.3 (Workgroup Standard), and are attempting to get Portal set up as well. The ESRI documentation indicates that using a 'Self-signed SSL certificate' should be used only for initial set-up and testing, and that we should be using a 'CA-signed certificate' or a 'Domain certificate'.
I have been working with our IT dept. and they have attempted to get a 'CA-signed certificate', but were unable to complete the process because the web server that we are using is completely internal to our organization (i.e. domain.local), and because of this the CA is unable to process the request (they are wanting a .com/.net address). Further, our IT dept. is unsure of what a 'Domain certificate' is or how to create one.
Currently everything seems to be working with the 'Self-signed certificate' in place, so my questions are as follows:
- Are there any reasons we cannot continue to use a 'Self-signed certificate' for our portal, being that we are operating behind a firewall, on a local network? (ESRI documentation seems to suggest that we will have several potential issues, including not being able to federate our server with our portal, connect to the portal from ESRI Maps for Office, unexpected behavior when printing hosted services and accessing the portal from client applications, etc.)
- Can anyone explain or direct me to documentation concerning how to create and sign a 'Domain certificate'?
- Any other suggestions?
Thanks in advance to anyone that might be able to steer us in the right direction!
cheers:
taylor
Greetings,
Thank you for your inquiry. I can definitely appreciate your position. Portal can be a bit tricky and SSL is tough if you are not familiar with it. Please find at the link below a guide that should help to create a Domain Certificate in Windows IIS 7.
Create a Domain Server Certificate in IIS 7
I can also confirm that many features of Portal will not function correctly with a Self-Signed Cert. You can check if Portal Trusts a cert using the URL below. Just plug in your machine information and the URL that is bound to the cert you are testing as appropriate.
I hope this information is useful. There is also a lot of free information on the web regarding SSL and I highly recommend that anyone looking to use Portal brushes up on SSL and builds a bit more knowledge on how to use it effectively.
Hi Patrick - thanks for the reply and info.
Our IT dept. has indicated that we do not have a server capable of acting as a CA. Do you know if it is possible to enable an existing server to act as a CA? The server where our ArcGIS Server and Portal are installed is running Windows Server 2008 Standard, with IIS 7. Could this same server be configured to act as a CA?
I feel that if we could do this, creating a Domain Server Certificate should be pretty straightforward, as described in the link that you provided.
Yes, it is technically possible to host your own Internal Certificate Authority. You can find plenty of information on this on the web. Unfortunately it is not something that I can assist with. I know many organizations host their own internal CA and use this internal CA to sign their internal SSL Certs. We use them for testing purposes and such almost daily.
Patrick - Thanks again for the info. I will get to searching the web to see if we can figure out how to host our own Internal Certificate Authority.
You can easily have your DNS servers point myalias.mydomain.com to a private IP address (e.g. 192.168.1.6). Certificate validation is based on the name.
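The internal CA route and the name-based validation mentioned in the replies above, as an added example that is not from any poster in this thread. It uses the OpenSSL command line rather than the IIS/Windows tooling discussed, and the CA name "Example Internal CA" and the host names under domain.local are constructed for illustration.

```shell
#!/bin/sh
# Added example: internal CA + server certificate, then name-based verification.
# Constructed names: "Example Internal CA", portal.domain.local, other.domain.local.
set -e
WORK=$(mktemp -d)

make_ca() {
  # Explicit config so the CA certificate is marked CA:TRUE on any OpenSSL build.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {  # $1 = DNS name that clients will use in the URL
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$1" > "$WORK/san.ext"
  openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/srv.crt" 2>/dev/null
}

make_self_signed() {  # $1 = subject name; the certificate signs itself, no CA involved
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

verify_name() {  # $1 = certificate file, $2 = name the client connects to
  # Trust only the internal CA, and require the certificate to carry that name.
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_ca
issue_cert portal.domain.local
make_self_signed portal.domain.local
for pair in "srv.crt portal.domain.local" "srv.crt other.domain.local" \
            "self.crt portal.domain.local"; do
  set -- $pair
  if verify_name "$WORK/$1" "$2"; then r=trusted; else r=REJECTED; fi
  echo "$1 presented as $2: $r"
done
```

Only the CA-signed certificate checked under the name it was issued for is accepted. For clients to reach the same result, `ca.crt` (never `ca.key`) has to be installed in their trusted root store.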