
Portal 10.6.1 fails to load CA-signed Server certificates (portaladmin)

Question asked by EIparraguirreESRI-NL-esridist Employee on Dec 15, 2018
Latest reply on Dec 20, 2018 by EIparraguirreESRI-NL-esridist


After configuring a Portal 10.6.1 machine from scratch, we have tried to load a CA-signed Server certificate through /portaladmin, but it fails and there is no error message to be found anywhere. The web interface just plainly returns without an error.

Via ProcMon we have found that the loading process is started as:

"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\keytool.exe" -importkeystore -noprompt -destalias esrinl.com -destkeystore "C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks" -deststorepass portal.secret -srckeystore C:\Users\SVC-PO~1\AppData\Local\Temp\3f197469-451d-43a8-a642-af05d4b496c234558828440621475899837007361998\Q:EWI__Crypto__Certificatesesrinl.com.p12 -srcstoretype PKCS12 -srcstorepass ******** -srcalias *.esrinl.com -destkeypass ******** -deststoretype JKS -J-Duser.language=en

 

Looking closely, the p12 container is temporarily stored under $env:TEMP ... having in its name "Q:" ... and obviously this is not possible, as ProcMon states:

<event>
<ProcessIndex>785</ProcessIndex>
<Time_of_Day>09:08:22.7509261</Time_of_Day>
<Process_Name>keytool.exe</Process_Name>
<PID>42652</PID>
<Operation>QueryDirectory</Operation>
<Path>C:\Users\svc-portal\AppData\Local\Temp\6c8dcf85-ca76-44b4-bcd0-cc64e17cc657678222220559960898291853642410002\Q:EWI__Crypto__Certificatesesrinl.com.p12</Path>
<Result>NAME INVALID</Result>
<Detail>Filter: Q:EWI__Crypto__Certificatesesrinl.com.p12</Detail>
</event>

Our solution? Just use a line like:

"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\keytool.exe" -importkeystore -noprompt -destalias esrinl.com -destkeystore "C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks" -deststorepass ******** -srckeystore Q:\EWI\__Crypto__\Certificates\esrinl.com.p12 -srcstoretype PKCS12 -srcstorepass ******** -srcalias "*.esrinl.com" -destkeypass portal.secret -deststoretype JKS

 

And the value of "-srcalias" is the CommonName (CN) of the certificate.

Edgar.
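
The NAME INVALID result in the ProcMon trace above follows from the colon in the staged file name. The sketch below is an added example, not part of the original post and not Esri's code: it assumes the staged name is the full client path with its backslashes dropped (which reproduces the name in the trace), and the function names are hypothetical. It checks a name against the Windows file-name rules and shows a staging step that keeps only the last path component.

```python
import ntpath
import re

# Characters Windows forbids in a file name component (control chars 0-31 too).
RESERVED_CHARS = set('<>:"/\\|?*')
RESERVED_NAMES = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.I)


def name_problems(name):
    """Return the reasons why `name` is not a valid Windows file name."""
    problems = []
    bad = sorted({c for c in name if c in RESERVED_CHARS or ord(c) < 32})
    if bad:
        problems.append("reserved characters: " + " ".join(repr(c) for c in bad))
    if RESERVED_NAMES.match(name):
        problems.append("reserved device name")
    if name.endswith((" ", ".")):
        problems.append("trailing space or dot")
    if not name:
        problems.append("empty name")
    return problems


def flattened_name(client_path):
    """Assumed mechanism: the full client path with backslashes dropped."""
    return client_path.replace("\\", "")


def safe_staged_name(client_path):
    """Keep only the last path component, then validate it before staging."""
    name = ntpath.basename(client_path.replace("/", "\\"))
    problems = name_problems(name)
    if problems:
        raise ValueError(f"unsafe upload name {name!r}: {problems}")
    return name


if __name__ == "__main__":
    src = r"Q:\EWI\__Crypto__\Certificates\esrinl.com.p12"  # path from the post
    observed = flattened_name(src)
    print(observed, "->", name_problems(observed))
    print(safe_staged_name(src))
```
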
