Skip To Content

Configure ArcGIS Server with a new CA-signed certificate

This topic walks through the steps to create a certificate, have it signed by a Certificate Authority (CA), and configure it with ArcGIS Server. The steps to do this are as follows:

Create a self-signed certificate

  1. Log in to the ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin.
  2. Browse to machines > [machine name] > sslcertificates.
  3. Click generate.
  4. Provide values for the parameters on this page:

    OptionDescription

    Alias

    A unique name that easily identifies the certificate.

    Key Algorithm

    Use RSA (the default) or DSA.

    Key Size

    Specifies the size in bits to use when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For DSA, the key size can be between 512 and 1,024. For RSA, the recommended key size is 2,048 or greater.

    Signature Algorithm

    Use the default (SHA256withRSA). If your organization has specific security restrictions, one of the following algorithms can be used for DSA: SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA1withDSA.

    Common Name

    This field is optional and is used for backward compatibility with older web browsers and software. It is recommended to use the fully qualified domain name of your server name as the common name.

    If your server will be accessed on the Internet through the URL https://www.gisserver.com:6443/arcgis/, use www.gisserver.com as the common name.

    If your server will only be accessible on your local area network (LAN) through the URL https://gisserver.domain.com:6443/arcgis, use gisserver.domain.com as the common name.

    Organizational Unit

    The name of your organizational unit, for example, GIS Department.

    Organization

    The name of your organization, for example, Esri.

    City or Locality

    The name of the city or locality, for example, Redlands.

    State or Province

    The full name of your state or province, for example, California.

    Country Code

    The abbreviated code for your country, for example, US.

    Validity

    The total time in days during which this certificate will be valid, for example, 365.

    Subject Alternative Name

    The subject alternative name (SAN) is used to validate that the SSL certificate presented by the website being accessed was issued for that website.

    If this parameter is left empty, the fully qualified domain name of the local machine is used as the default value. The SAN field supports multiple values; however, it must include the fully qualified domain name of the website. The SAN parameter value cannot contain spaces.

    For example, if your server will be primarily accessed using the URL https://www.esri.com, the SAN parameter should be set to DNS:www.esri.com. If your server will be accessed on the public Internet using the URL https://www.esri.com and within your organization's LAN (local area network) using the URL https://gisserver.esri.com, the SAN parameter should be set to DNS:www.esri.com,DNS:gisserver.esri.com.

    The use of wildcards (*.esri.com) in the SAN parameter, though supported, is not recommended. When the same certificate is used for multiple websites or subdomains, list each website or subdomain in the SAN parameter, as shown in the following example:

    Example: DNS:www.esri.com,DNS:esri.com,DNS:www.esri.ch,DNS:www.esri.rw,DNS:www.esri.de,DNS:maps.esri.com,DNS:support.esri.com,DNS:pro.arcgis.com.

  5. Click Generate to generate the certificate.

Request a CA to sign your certificate

For web browsers to accept your certificate as a trusted certificate, it must be verified and countersigned by a well-known Certificate Authority such as Verisign or Thawte.

  1. Open the self-signed certificate you created in the previous section, and click generateCSR. Copy the contents into a file, usually with a .csr extension.
  2. Submit the CSR to a CA of your choice. You may obtain a Distinguished Encoding Rules (DER) or Base64 encoded certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, they'll send you a .crt or .cer file.
  3. Save the signed certificate received from the CA to a location on your computer that you can access from ArcGIS Server Administrator Directory. In addition to the signed certificate, the CA will also issue a root certificate. Save the CA root certificate to your computer.
  4. Log in to the ArcGIS Server Administrator Directory: https://gisserver.domain.com:6443/arcgis/admin.
  5. Click machines > [machine name] > sslcertificates > importRootOrIntermediate to import the root certificate provided by the CA. If the CA issued any additional intermediate certificates, import those as well.
  6. Browse to machines > [machine name] > sslcertificates.
  7. Click the name of the self-signed certificate that you submitted to the CA.
  8. Click importSignedCertificate, and browse to the location where you saved the signed certificate received from the CA.
  9. Click Submit. This replaces the self-signed certificate you created in the previous section with the CA-signed certificate.

Configure ArcGIS Server to use the CA-signed certificate

Note:

The CRL Distribution Points (CDP) defined in the CA-signed certificate must be valid and accessible from the machine or machines hosting ArcGIS Server. If the CDP defined in the certificate is invalid or inaccessible due to a lack of Internet access, network, or firewall settings, publishing will fail in ArcGIS Desktop. To work around this issue, follow the steps in I can't publish a service to an ArcGIS Server site that uses a CA-issued certificate in the Common problems and solutions topic.

  1. Log in to the ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin. Replace gisserver.domain.com with the fully qualified name of the machine where ArcGIS Server is installed.
  2. Browse to machines > [machine name].
  3. Click edit.
  4. Type the name of the signed certificate in the Web server SSL Certificate field. The name you specify should match the alias of the self-signed certificate that was replaced with the CA-signed certificate in the previous section.
  5. Click Save Edits to apply your changes. This automatically restarts your ArcGIS Server site.
  6. After your site has restarted, verify that you can access the URL https://gisserver.domain.com:6443/arcgis/admin. If you do not get a response from this URL, ArcGIS Server was unable to use the specified SSL certificate. Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin, check your SSL certificate, and configure ArcGIS Server to use a new or different certificate.
  7. On the current page, view the property Web server SSL Certificate to verify that the desired certificate will be used for HTTPS.

Configure each ArcGIS Server machine in your deployment

If you have a multiple-machine deployment of ArcGIS Server, you must obtain and configure a CA-signed certificate for each ArcGIS Server machine that participates in your site. Once all certificates have been imported, restart each machine in the ArcGIS Server site.

Import the CA root certificate into the Windows certificate store

If the root certificate of the Certificate Authority is not present in the Windows certificate store, it must be imported.

  1. Log in to a machine hosting ArcGIS Server.
  2. Copy the signed certificate received from the CA to a location on this computer.
  3. Open this certificate, and click the Certificate Path tab. If the Certificate Status: is This certificate is OK., the CA root certificate is present in the Windows certificate store and does not need to be imported. Proceed to step 12.
  4. Copy the CA root certificate to a location on this computer.
  5. Open this certificate, and click the General tab. Click the button to Install Certificate.
  6. Once the Certificate Import Wizard appears, displaying the Welcome panel, click Next.
  7. In the Certificate Store panel, choose the option to Place all certificates in the following store.
  8. Click the Browse button. On the Select Certificate Store dialog box, enable the option to Show physical stores.
  9. Expand the Trusted Root Certification Authorities folder to expose its contents. Select Local Computer as the certificate store you want to use. Click OK.
  10. In the Certificate Store panel, click Next.
  11. Click Finish.
  12. Repeat steps 1–11 for each ArcGIS Server machine in your site.
  13. Restart ArcGIS Server on each machine.

Access your site

With HTTPS enabled by default, ArcGIS Server listens on port 6443 for requests. Use the URLs below to securely access ArcGIS Server:

ArcGIS Server Manager

https://gisserver.domain.com:6443/arcgis/manager

ArcGIS Server Services Directory

https://gisserver.domain.com:6443/arcgis/rest/services

Note:

If you rename ArcGIS Server, you can continue to access ArcGIS Server using HTTPS; however, you must generate a new certificate and configure ArcGIS Server to use it.