Understand SSL Certificates for ArcGIS Server and Portal for ArcGIS
Have you ever wondered how to quickly fix errors or warnings about SSL certificates when working with ArcGIS Server or Portal for ArcGIS? You probably have if you’re an ArcGIS Administrator or an IT Administrator who oversees your organization’s GIS and web servers.
Then, do you fully understand the multiple “levels” of certificates that ArcGIS Server and Portal for ArcGIS may leverage whenever they are accessed via HTTPS URLs? Such understanding is fundamental and would help you look at the right places when troubleshooting ArcGIS Server and Portal for ArcGIS certificate related issues.
If your answers are “yes” and “no”, this blog post is for you.
ArcGIS Server related certificates
We’ll start with ArcGIS Server.
First, let’s look at these two HTTPS URLs used to access ArcGIS REST Services Directory:
- https://<gisserver.domain.com>:6443/arcgis/rest/services
- https://<webadaptorhost.domain.com>/<webadaptorname>/rest/services
The first one is commonly referred to as an ArcGIS Server 6443 URL, and the second one is an ArcGIS Web Adaptor URL. (Note some organizations may choose not to configure ArcGIS Web Adaptor with ArcGIS Server and expose their services otherwise, such as through an existing reverse proxy.)
When accessing ArcGIS Server through the 6443 URL, users would encounter the certificate applied at the ArcGIS Server level; when accessing through the Web Adaptor URL, they would encounter the certificate applied at the web server level (e.g. an IIS web server).
To check the current ArcGIS Server level certificate, log in to the ArcGIS Server Administrator Directory (e.g. https://<gisserver.domain.com>:6443/arcgis/admin), click machines, then <machine name>, and find the certificate name listed as Web server SSL Certificate. By default, ArcGIS Server automatically generates and applies a self-signed certificate when the site is built; it can be replaced by a domain or CA certificate if required. You can look further into the current certificate details by clicking Resources: sslcertificates and then the certificate name identified above (see a sample self-signed certificate below).
ArcGIS Server self-signed certificate
To check the current web server level certificate, the approach varies depending on your network architecture. A popular deployment is to install ArcGIS Web Adaptor on an IIS web server, configure it with ArcGIS Server and access ArcGIS Server via the Web Adaptor URL. In that case, administrators can check the web level certificate by launching IIS Manager, navigating to the website where ArcGIS Web Adaptor is installed, clicking Edit Binding and checking the certificate bound to the HTTPS port, such as 443 (see an example below).
View SSL certificate in IIS Manager
Portal for ArcGIS related certificates
Similarly, you could launch the Portal for ArcGIS Home application via the following two HTTPS URLs:
- https://<portal.domain.com>:7443/arcgis/home
- https://<webadaptorhost.domain.com>/<webadaptorname>/home
The first one is referred to as a Portal for ArcGIS 7443 URL, and the second one is an ArcGIS Web Adaptor URL. (Unlike ArcGIS Server, Portal for ArcGIS requires a Web Adaptor. Organizations may have other network components on top of the Web Adaptor such as a Load Balancer, and users may access Portal for ArcGIS through the Load Balancer URL instead of the Web Adaptor URL.)
When accessing the Portal Home application through the 7443 URL, users would encounter the certificate applied at the Portal for ArcGIS level; when accessing through the Web Adaptor URL, users would encounter the certificate applied at the web server level.
To check the current Portal for ArcGIS level certificate, you would log into the Portal Administrator Directory (e.g. https://<portal.domain.com>:7443/arcgis/portaladmin), click into Security, SSLCertificates and find the certificate listed as Web Server SSL Certificate. By default, Portal for ArcGIS automatically generates and applies a self-signed certificate when the site is built, which could be replaced by a domain or CA certificate as well. On the same page, you could click into the found certificate name to view its details.
To check the current web level certificate, what applies to ArcGIS Server also applies to Portal for ArcGIS, except that the Portal Web Adaptor should only be configured with port 443 for HTTPS traffic.
Now that you have a good understanding of the “multi-level” certificates ArcGIS Server and Portal for ArcGIS may leverage, you should be able to answer the following question:
“I’m getting a security warning when launching the ArcGIS REST Services Directory, but I DO have a valid CA certificate configured. What’s wrong?”
Security warning in Internet Explorer
One common issue is that the valid CA certificate is applied at the web server level, but you are accessing the ArcGIS Server 6443 URL, which by default uses the auto-generated, self-signed certificate. That certificate is not trusted by the client browser unless it has been explicitly added to the trusted certificate store on that machine.
To check which certificate you’re encountering when you browse to an HTTPS URL in Internet Explorer 11, click the lock icon (or sometimes "Certificate error") inside the address bar and then View certificates. In Chrome 65, launch the Developer Tools (press F12 on the keyboard), click the Security tab and then View certificate. For other browsers and specific versions, refer to their official documentation on how to view SSL certificate details.
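The same check can be scripted so that both certificate levels are compared side by side. The following is an added example, not code from the original post or from Esri: it attempts a verified TLS handshake against the 6443 URL and the Web Adaptor URL and reports what the client thinks of each certificate. The host names are the article's placeholders, and the 30-day expiry warning threshold is an assumption.

```python
import socket
import ssl
import time

def probe(host, port, timeout=5.0):
    """Attempt a verified TLS handshake; return (cert_dict, error_text)."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        # Raised for a self-signed, expired or name-mismatched certificate.
        return None, f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return None, f"connection failed: {exc}"

def review(cert, error, now=None, warn_days=30):
    """Turn one probe() result into a list of findings (empty means healthy)."""
    if cert is None:
        return [error]
    now = time.time() if now is None else now
    findings = []
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < warn_days:  # warn_days is an assumed threshold
        findings.append(f"expires in {days_left} days")
    if cert["subject"] == cert["issuer"]:
        # It verified only because it was added to this machine's trusted store.
        findings.append("self-signed, trusted via local store only")
    return findings

def compare_levels(endpoints):
    """endpoints: {label: (host, port)} -> {label: findings} per level."""
    return {label: review(*probe(host, port))
            for label, (host, port) in endpoints.items()}

if __name__ == "__main__":
    # Placeholder host names from the article; replace with your own.
    report = compare_levels({
        "ArcGIS Server level (6443)": ("gisserver.domain.com", 6443),
        "Web server level (443)": ("webadaptorhost.domain.com", 443),
    })
    for label, findings in report.items():
        print(label, "->", findings or ["OK"])
```

Run it from the client machine that sees the warning, because the result depends on that machine's trusted certificate store.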
That’s it!
Next time you need to troubleshoot ArcGIS Server or Portal for ArcGIS related certificate issues, I recommend starting by researching the warning or error messages online. Next, check the current SSL certificate details in the browser for obvious problems such as a name mismatch, certificate expiration and so on. Find out whether the issue is with the web server SSL certificate or with the certificate applied at the ArcGIS Server/Portal for ArcGIS level. If you need to update the certificate, make sure you follow the proper documentation from either Esri or the web server provider(s). Here is some related Esri documentation:
- Configure HTTPS using a new CA-signed certificate for ArcGIS Server
- Configure HTTPS using an existing certificate for ArcGIS Server
- Configure HTTPS on ArcGIS Server when accessed through ArcGIS Web Adaptor
Lastly, remember that a “bad” certificate could bring down your site and lock out administrator access, so pay attention to certificate expiration dates and proceed with caution when you need to make a change!