ArcGIS Server CA certificate import error

12-04-2017 10:36 PM
youngpark
New Contributor III

Dear all,

I am trying to implement a CA-signed certificate on ArcGIS Server 10.4.1. I have followed all the steps from "Configure HTTPS using a new CA-signed certificate—ArcGIS Server Administration (Windows) | ArcGIS En... "

However, when I am trying to import the CA-signed certificate, I am getting an error: "Importing CA certificate failed".

Which section do I need to check to resolve this issue?

FYI, the environment is as follows: Windows Server, IIS 8.5

0 Kudos
7 Replies
RandallWilliams
Esri Regular Contributor

Do you see a more verbose message in the GIS Server logs? In which format did the certificate come from your CA?

youngpark
New Contributor III

Hi Williams,

The log does not show the error.

And I have gotten the file in ".txt" format, and the details are as follows.

Our network colleague made it from RapidSSL.

Thanks in advance.

0 Kudos
RandallWilliams
Esri Regular Contributor

That can't be a .txt file. The certificate signing request (CSR) would have been a text file, but what you have above is a .cer or .der. Did you change the extension when you received the response from the CA?

Regardless, what you're going to want is a PKCS#7 file.

The file name will be in the format of certname.p7b.

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=...

If the objective is to install the cert on ArcGIS Server itself (and not to the Web Adaptor hosted on IIS), then you can either request to download in .p7b format or convert the cert from .cer or .der to .p7b using OpenSSL or a tool like this: https://www.sslshopper.com/ssl-converter.html.

0 Kudos
youngpark
New Contributor III

Hi Williams,

Thanks for the info. Yes, I changed the file extension from txt to cer.

Here are the steps I have done.

1. Create a self-signed SSL

2. Generate CSR

3. Copy the CSR code, paste it into Notepad and save it with the "cer" extension.

4. Our network guru used the file from #3 and created the certificate.

5. As I mentioned in the previous reply, I have gotten the xxxx.txt file.

6. Then I opened the file in Notepad and saved it with the cer extension.

Seems like I cannot change the file extension. I will contact the network person to create it as a PKCS#7 file.

I just want to confirm: can I change the #2 CSR code to a cer file in Notepad? If I should not do it, I have to give a new file as txt to our network guy.

Thanks in advance.

0 Kudos
RandallWilliams
Esri Regular Contributor

If you have a valid .cer, I think you can convert it using OpenSSL. Here's an online tool that might work:

SSL Converter - Convert SSL Certificates to different formats 

0 Kudos
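The replies above turn on what a file actually contains versus the extension it was saved with, and on converting a .cer to .p7b with OpenSSL. The following is an added example, not code from the thread or from Esri: a shell sketch that classifies a file by content and bundles a PEM certificate as PKCS#7. The function names, the `gis.example.test` subject and the file names are assumptions, and the sample key, CSR and certificate are constructed throwaways.

```shell
#!/bin/sh
# Added example (not from the thread): judge a certificate file by its
# content, not its extension, then bundle a PEM certificate as PKCS#7.

# Print what FILE really contains: csr, pkcs7, x509 or unknown.
identify_file() {
    if openssl req -in "$1" -noout >/dev/null 2>&1; then
        echo csr                      # a request, not yet signed by any CA
    elif openssl pkcs7 -in "$1" -noout >/dev/null 2>&1 ||
         openssl pkcs7 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo pkcs7                    # PKCS#7 container (a .p7b has this form)
    elif openssl x509 -in "$1" -noout >/dev/null 2>&1 ||
         openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo x509                     # single certificate (.cer/.crt/.der)
    else
        echo unknown
    fi
}

# Bundle PEM certificate $1 (and optional PEM chain file $3) into $2.
to_p7b() {
    if [ -n "${3:-}" ]; then
        openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$3" -out "$2"
    else
        openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"
    fi
}

# Number of certificates inside a PKCS#7 file.
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}

# Constructed sample input: throwaway key, CSR and self-signed cert in dir $1.
make_samples() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -subj "/CN=gis.example.test" -out "$1/request.csr" 2>/dev/null
    openssl x509 -req -in "$1/request.csr" -signkey "$1/key.pem" \
        -days 1 -out "$1/server.cer" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
to_p7b "$demo_dir/server.cer" "$demo_dir/server.p7b"
for f in request.csr server.cer server.p7b; do
    echo "$f: $(identify_file "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

`to_p7b` expects PEM input; a DER-encoded certificate has to be converted to PEM with `openssl x509 -inform DER` first.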
youngpark
New Contributor III

Hi Williams.

I have gotten a new file in xx.p7s format. But I am still getting the same error when I replace it with the self-signed one.

Do I need to convert it to xx.p7b? Do I need to uninstall the Web Adaptor in order to replace SSL? I am using IIS 8.

0 Kudos
RandallWilliams
Esri Regular Contributor

.p7s is for digitally signing emails. I don't think that will work.

Judging by your last question, I think we need to take a step back.

There are multiple servers in question, and they are mutually exclusive.

The web adaptor is installed at the IIS tier. The IIS web server will have its own web server. Configuring HTTPS at the web tier is a process independent of configuring HTTPS at the GIS tier.

At the GIS tier, you have the ArcGIS Server/Portal (ArcGIS Enterprise). Each application server that participates in ArcGIS Enterprise could also have HTTPS enabled (and a certificate installed).

Many organizations choose to enable HTTPS with a CA signed certificate at the web tier (on IIS), and use the self signed certificate at the GIS tier. Some organizations require a CA signed certificate at both the web and GIS tiers.

The documentation you've been following is meant to apply a CA signed certificate at the GIS tier.

The simplest way for you to convey to your IT team to obtain the correct certificate is for them to obtain a certificate from the CA that is meant to be provided for a Tomcat application server. The CA should know exactly what to provide.

You'll want to only follow step one from this doc:

Download the SSL certificate

  1. Download your certificate from the unique secure link we provide your technical contact via order fulfillment email.
  2. The ZIP file you download contains the SSL and Intermediate CA certificate in PKCS#7 file (i.e. ssl_certificate.p7b).
  3. Unzip the files onto the server where you will install the certificate.

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=...

From here, follow the Esri documentation. Use the web tools provided with the ArcGIS Enterprise Admin APIs to import the cert. I'd suggest against manually attempting to import the certificate unless you're comfortable with the Java keytool command.