ArcGIS Portal SSL Certificate Updates (10.9)

204
6
Jump to solution
01-10-2022 09:27 AM
ShawnRoberts1
Occasional Contributor

I'm about to go through the process to update the SSL certs on arcgis enterprise 10.9 for the first time. 

Within portal administrator there is the root, intermediate and CA signed certificate. The root and intermediate say they are not expiring until down the road, it is just the CA signed one itself that is expiring.

Should I reimport the root and intermediate from the new certificate as well, or am I alright to just leave them alone and only update the CA signed one.

Capture.JPG

1 Solution

Accepted Solutions
JonEmch
Esri Regular Contributor

Hey @ShawnRoberts1 , thanks for posting.

You shouldn't need to update them all, but if you have them on hand I would.

Please make sure you update the certs in the DataStore and ArcGIS Server as well. Let me know if you have any questions.

Keep on keeping on!

View solution in original post

6 Replies
JonEmch
Esri Regular Contributor

Hey @ShawnRoberts1 , thanks for posting.

You shouldn't need to update them all, but if you have them on hand I would.

Please make sure you update the certs in the DataStore and ArcGIS Server as well. Let me know if you have any questions.

Keep on keeping on!
DavidColey
Frequent Contributor

Hi @JonEmch , I am getting ready to go through this task as well. 

Question:  Is the update order for the CA-signed certs Portal - Server(s) - Datastores?  

@ShawnRoberts1 , did you also update the root and intermediate certs?  I am in the same position as you in that the root and intermediate don't expire until like 2038

0 Kudos
ShawnRoberts1
Occasional Contributor

Hey David, I did the order as datastore -> server -> portal although I'm fairly sure the order doesn't matter. 

In terms of the certs the root doesn't need to be updated. My root and intermediates were still valid until 2031 so I did not update them. What I did was import a new cert (I did not delete the old one right away), then just repointed portal (via portal admin) to point to the new cert. I left the old cert for a few weeks just in case before I deleted it. 

JonEmch
Esri Regular Contributor

In my experince, order really doesn't matter. However, keep in mind that the services will restart for the certs to take.

Keep on keeping on!
0 Kudos
DavidColey
Frequent Contributor

Ok thanks @ShawnRoberts1 , @JonEmch . Shawn, I think I did portal>server>datastore 2 years ago but wasn't certain.  I thought I'd do the same as you this time around - as you say I don't order matters either.  Yes, I do recall keeping the old certs in place before deleting.  Thanks Jon - yes services restart

0 Kudos
DavidColey
Frequent Contributor

HI @JonEmch , @ShawnRoberts1  - ssl update went well, no issues.  I did portal>server>datastore. I did use the updated root and intermediate as well.  Using an app called KeyStore Explorer, I also pulled out the private pem and public pem for Monitor.