HTTPS is a means of encrypting communications to and from a web server. HTTPS also allows a client application to confirm the identity of the web server. When using HTTPS, each web server where HTTPS is enabled must send a certificate to clients. The certificate contains a statement of identity (for example, gis.mycity.gov) and a public key that the client can use to send encrypted information to the web server.
Portal for ArcGIS often transmits information that needs to be encrypted; therefore, HTTPS is always enabled in the portal. It’s strongly recommended that the certificate used be signed by a corporate (internal) or commercial Certificate Authority (CA). The portal itself comes with a self-signed certificate. A self-signed certificate means that a client can’t verify the identity of the server. Replacing the self-signed certificate with a CA-signed certificate greatly improves the security of your deployment.
There are two ways to use a CA-signed certificate with the portal:
- Generate new CA-signed certificate—Generate a certificate signing request (CSR), have it signed by your CA, and then import it into the portal.
- Use an existing CA-signed certificate—If you already have an existing CA-signed certificate assigned to the portal machine, import it into the portal.
For full instructions on these processes, see the steps in the sections below.
Generate new CA-signed certificate
You can enable HTTPS using a new certificate signed by a corporate (internal) or commercial CA. The steps are:
Generate a new certificate
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
- Click Security > SSLCertificates > Generate.
- In the Generate Certificate page, enter the following information:
- Alias—A unique name that identifies the name of the certificate (for example, portalcert).
- Key Algorithm—RSA (the default) or DSA.
- Key Size—Specifies the size (in bits) used when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For RSA, the recommended key size is 2,048 or greater. For DSA, the key size can be between 512 and 1,024.
- Signature Algorithm—Use the default (SHA1withRSA). If your organization has specific security restrictions, then one of the following algorithms can be used with DSA: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withDSA.
- Common Name—The fully-qualified domain name of your portal machine.
- Organizational Unit—A department name that would be meaningful to a user of your site (for example, GIS Department).
- Organization—The name of your organization (for example, Esri).
- City or Locality—The name of your city or locale (for example, Redlands).
- State or Province—The name of your state or province (for example, California).
- Country Code—The two-letter country code where your organization resides (for example, US).
- Validity—The number of days the certificate will be valid (for example, 365).
- Subject Alternative Name—An optional parameter that defines alternatives to the common name (CN) specified in the certificate. If no SAN is defined, a web site can only be accessed (without certificate errors) by using the common name in the URL. Using SAN, a certificate allows the use of different URLs to access the same web site. For example, the URLs https://www.esri.com, https://esri, and https://10.60.1.16 can be used to access the same site if the certificate is created using the following parameter values:
CN=www.esri.com
SAN=DNS:esri, IP:10.60.1.16
- Click Generate. A link to your certificate appears on the certificates page.
Request a CA to sign your certificate
In order for web browsers to trust your certificate, it must be verified and countersigned by a CA, such as your organization, Verisign, or Thawte.
- On the certificates page, click the name of your certificate.
- Click GenerateCSR. On the Generate CSR page, copy the CSR content and paste it into a file. Save the file with the .csr extension (for example, portalcert.csr).
- Submit the CSR to a CA. It's recommended you obtain a Distinguished Encoding Rules (DER) or Base64 encoded certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, the CA will send you a file with the .crt or .cer extension.
- Save the signed certificate received from the CA to a location on your portal machine. In addition to the signed certificate, the CA will also issue a root certificate. Save the CA root certificate to your portal machine.
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
- Click Security > SSLCertificates > Import Root or Intermediate Certificate.
- Browse to the location of the root certificate provided by the CA. Click Import. If the CA issued any additional intermediate certificates, import those as well. Do not import the signed certificate.
- Click Security > SSLCertificates.
- Click the name of the certificate you generated in the previous section (for example, portalcert).
- Click Import Signed Certificate and browse to the location of the signed certificate you received from the CA.
- Click Import. The certificate you created in the previous section is replaced with the CA-signed certificate.
Configure Portal for ArcGIS to use the CA-signed certificate
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
- Click Security > SSLCertificates > Update.
- In the Web server SSL Certificate field, enter the alias of the CA-signed certificate. The alias you specify should match the alias of the certificate that was replaced with the CA-signed certificate in the previous section.
- Click Update.
The CA-signed certificate will now be used for HTTPS.
Import the CA root certificate into the Windows certificate store
If the CA root certificate is not already present in the Windows certificate store on the portal machine, it must be imported.
- Log in to the machine hosting Portal for ArcGIS.
- Copy the CA-signed certificate to a location on this computer.
- Open this certificate and click the Certificate Path tab. If the Certificate Status is "This certificate is OK", the CA root certificate is already present in the Windows certificate store and does not need to be imported. Skip to step 8.
- Open Certificate Manager (you can open this by searching for certmgr.msc).
- In the Certificate Manager window, click Trusted Root Certificate Authorities > Certificates.
- On the top menu, click Action > All Tasks > Import.
- On the Certificate Import Wizard dialog box, click Next, then follow the instructions in the wizard to import the CA root certificate.
- Restart the machine hosting Portal for ArcGIS.
Verify you can access your portal using HTTPS
Test the following URL to verify that you can access the portal using HTTPS: https://portalhost.domain.com:7443/arcgis/home.
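A scripted version of this check, as an added example (not Esri's code): `fetch_peer_cert` performs the handshake with chain and hostname verification, and `audit_cert` compares the Subject Alternative Name parameter described earlier with the hostnames users will put in the URL. The function names, the `Example Internal CA` issuer and the expiry date are assumptions; the sample uses the CN and SAN values from this page, and flags a hostname that appears only in the CN because TLS clients that follow RFC 6125 ignore the CN when a SAN extension is present.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, using the
# page's CN/SAN values; the issuer name and expiry date are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.esri.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "esri"), ("IP Address", "10.60.1.16")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

def fetch_peer_cert(host, port=7443, cafile=None, timeout=5):
    """Handshake with chain and hostname verification; return the leaf cert.
    Raises ssl.SSLCertVerificationError when the chain does not reach a trusted
    root, e.g. the portal still serves its self-signed certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: internal CA root (PEM)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _covers(san, host):
    """Exact match, or a wildcard that stands for the left-most label only."""
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def audit_cert(cert, url_hosts, now=None, min_days=30):
    """Return findings for the names users will type and for the expiry date."""
    now = now or datetime.now(timezone.utc)
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    sans = {v.lower() for kind, v in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")}
    cn = subject.get("commonName", "").lower()
    findings = []
    if subject == issuer:
        findings.append("self-signed: subject and issuer are identical")
    for host in url_hosts:
        if any(_covers(san, host.lower()) for san in sans):
            continue
        reason = ("matches the CN only, add it as a SAN entry"
                  if host.lower() == cn else "not covered by the certificate")
        findings.append(f"{host}: {reason}")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if (expires - now).days < min_days:
        findings.append(f"expires in {(expires - now).days} days")
    return findings
```

Against a live portal, pass the result of `fetch_peer_cert("portalhost.domain.com", cafile=...)` to `audit_cert` together with every hostname or IP address that clients use to reach it.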
Use an existing CA-signed certificate
If you already have a certificate issued by a corporate (internal) or commercial CA, you can use this certificate to enable HTTPS.
Import the root CA certificate
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
- Click Security > SSLCertificates > Import Root or Intermediate Certificate.
- Browse to the location of the root certificate provided by the CA. Click Import. If the CA issued any additional intermediate certificates, import those as well. Do not import the CA-signed certificate.
- Restart the Portal for ArcGIS service.
Import the existing CA-signed certificate
Caution:
To import the certificate into your portal, the certificate and its associated private key must be stored in the PKCS#12 format, which is represented by a file with either the .p12 or .pfx extension.
- Click Security > SSLCertificates > Import Existing Server Certificate.
- On the Import Existing Server Certificate page, specify the following information:
- Certificate password—Enter the password to unlock the file containing the certificate.
- Alias—Enter a unique name that easily identifies the certificate (for example, rootcert).
- Browse to the location of the existing CA-signed certificate. Click Import.
Configure Portal for ArcGIS to use the CA-signed certificate
- Click Security > SSLCertificates > Update.
- In the Web server SSL Certificate field, enter the alias of the existing CA-signed certificate.
- Click Update.
The existing CA-signed certificate will now be used for HTTPS.
Import the CA root certificate into the Windows certificate store
If the CA root certificate is not already present in the Windows certificate store on the portal machine, it must be imported.
- Log in to the machine hosting Portal for ArcGIS.
- Copy the CA-signed certificate to a location on this computer.
- Open this certificate and click the Certificate Path tab. If the Certificate Status is "This certificate is OK", the CA root certificate is already present in the Windows certificate store and does not need to be imported. Skip to step 8.
- Open Certificate Manager (you can open this by searching for certmgr.msc).
- In the Certificate Manager window, click Trusted Root Certificate Authorities > Certificates.
- On the top menu, click Action > All Tasks > Import.
- On the Certificate Import Wizard dialog box, click Next, then follow the instructions in the wizard to import the CA root certificate.
- Restart the machine hosting Portal for ArcGIS.
Verify you can access your portal using HTTPS
Test the following URL to verify that you can access the portal using HTTPS: https://portalhost.domain.com:7443/arcgis/home.