
Import a certificate into the portal

HTTPS is a means of encrypting communications to and from a web server. HTTPS also allows a client application to confirm the identity of the web server. When using HTTPS, each web server where HTTPS is enabled must send a certificate to clients. The certificate contains a statement of identity (for example, gis.mycity.gov) and a public key that the client can use to send encrypted information to the web server.

Portal for ArcGIS often transmits information that needs to be encrypted; therefore, HTTPS is always enabled in the portal. It’s strongly recommended that the certificate used be signed by a corporate (internal) or commercial Certificate Authority (CA). The portal itself comes with a self-signed certificate. A self-signed certificate means that a client can’t verify the identity of the server. Replacing the self-signed certificate with a CA-signed certificate greatly improves the security of your deployment.

There are two ways to use a CA-signed certificate with the portal:

    • Generate a new CA-signed certificate
    • Use an existing CA-signed certificate

Note:

These workflows apply to HTTPS communication with Portal for ArcGIS over port 7443 only. To generate or import a CA-signed certificate for the web adaptor, please consult the documentation for the web server where the web adaptor is installed.

For full instructions on these processes, see the steps in the sections below.

Generate new CA-signed certificate

You can enable HTTPS using a new certificate signed by a corporate (internal) or commercial CA. The steps are:

Generate a new certificate

  1. Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
  2. Click Security > SSLCertificates > Generate.
  3. In the Generate Certificate page, enter the following information:
    • Alias—A unique name that identifies the certificate (for example, portalcert).
    • Key Algorithm—RSA (the default) or DSA.
    • Key Size—Specifies the size (in bits) used when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For RSA, the recommended key size is 2,048 or greater. For DSA, the key size can be between 512 and 1,024.
    • Signature Algorithm—Use the default (SHA256withRSA). If your organization has specific security restrictions, then one of the following algorithms can be used with DSA: SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA1withDSA.
    • Common Name—This field is optional and is used for backwards compatibility with older web browsers and software. It is recommended to use the fully qualified domain name of your portal machine as the common name.
    • Organizational Unit—A department name that would be meaningful to a user of your site (for example, GIS Department).
    • Organization—The name of your organization (for example, Esri).
    • City or Locality—The name of your city or locale (for example, Redlands).
    • State or Province—The name of your state or province (for example, California).
    • Country Code—The two-letter country code where your organization resides (for example, US).
    • Validity—The number of days the certificate will be valid (for example, 365).
    • Subject Alternative Name—The subject alternative name (SAN) is used to validate that the SSL certificate presented by the website being accessed was issued for that website.

      If no SAN is defined, some web browsers may attempt to validate the SSL certificate using the Common Name (CN) parameter while some web browsers may display an error that the SSL certificate presented by the website could not be validated. The SAN field supports multiple values. However, it must include the fully qualified domain name of the website. The SAN parameter value cannot contain spaces.

      With SAN, a single certificate can be valid for several different URLs that reach the same website.

      For example, the URLs https://www.esri.com, https://esri, and https://10.60.1.16 can be used to access the same site if the certificate is created using the following parameter values:

      CN=www.esri.com

      SAN=DNS:www.esri.com,DNS:esri,IP:10.60.1.16

  4. Click Generate. A link to your certificate appears on the certificates page.
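
The SAN rules in step 3 (no spaces, the fully qualified domain name must be present, one entry for each way the site is reached) can be checked before the value is entered on the Generate Certificate page. The following Python is an added example, not part of Portal for ArcGIS; the function names are hypothetical, and it assumes only the DNS: and IP: entry types shown on this page, with exact matching and no wildcard support.

```python
import ipaddress
from urllib.parse import urlsplit

# SAN value taken from the example on this page.
SAN = "DNS:www.esri.com,DNS:esri,IP:10.60.1.16"

def parse_san(value):
    """Split a SAN parameter value into a set of DNS names and a set of IPs."""
    if any(ch.isspace() for ch in value):
        raise ValueError("SAN value cannot contain spaces")
    dns, ips = set(), set()
    for entry in value.split(","):
        kind, sep, name = entry.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed SAN entry: {entry!r}")
        if kind == "DNS":
            dns.add(name.lower())
        elif kind == "IP":
            ips.add(ipaddress.ip_address(name))  # ValueError if not an IP
        else:
            # Assumption: only the two entry types used on this page.
            raise ValueError(f"unsupported SAN type: {kind!r}")
    return dns, ips

def san_covers(value, url):
    """True if the host in `url` appears in the SAN value."""
    dns, ips = parse_san(value)
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        # An IP literal must match an IP: entry, never a DNS: entry.
        return ipaddress.ip_address(host) in ips
    except ValueError:
        return host.lower() in dns

def check_san(value, fqdn):
    """Enforce the page's rule that the SAN includes the portal's FQDN."""
    dns, _ips = parse_san(value)
    if fqdn.lower() not in dns:
        raise ValueError(f"SAN must include the FQDN {fqdn}")
    return True
```

A URL whose host is missing from the SAN, such as a second IP address on the same machine, will produce a browser validation error even though the certificate is CA-signed.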

Request a CA to sign your certificate

In order for web browsers to trust your certificate, it must be verified and countersigned by a CA, such as your organization, Verisign, or Thawte.

  1. On the certificates page, click the name of your certificate.
  2. Click GenerateCSR. On the Generate CSR page, copy the CSR content and paste it into a file. Save the file with the .csr extension (for example, portalcert.csr).
  3. Submit the CSR to a CA. It's recommended you obtain a Distinguished Encoding Rules (DER) or Base64 encoded certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, the CA will send you a file with the .crt or .cer extension.
  4. Save the signed certificate received from the CA to a location on your portal machine. In addition to the signed certificate, the CA will also issue a root certificate. Save the CA root certificate to your portal machine.
  5. Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
  6. Click Security > SSLCertificates > Import Root or Intermediate Certificate.
  7. Browse to the location of the root certificate provided by the CA. Click Import. If the CA issued any additional intermediate certificates, import those as well. Portal for ArcGIS will restart automatically for each imported certificate. Do not import the signed certificate.
  8. Click Security > SSLCertificates.
  9. Click the name of the certificate you generated in the previous section (for example, portalcert).
  10. Click Import Signed Certificate and browse to the location of the signed certificate you received from the CA.
  11. Click Import. The certificate you created in the previous section is replaced with the CA-signed certificate.
  12. Portal for ArcGIS is restarted automatically. When the restart completes, the portal is configured for the certificate you've specified.

Configure Portal for ArcGIS to use the CA-signed certificate

  1. Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
  2. Click Security > SSLCertificates > Update.
  3. In the Web server SSL Certificate field, enter the alias of the CA-signed certificate. The alias you specify should match the alias of the certificate that was replaced with the CA-signed certificate in the previous section.
  4. Click Update.

The CA-signed certificate will now be used for HTTPS.

Verify you can access your portal using HTTPS

Test the following URL to verify that you can access the portal using HTTPS: https://portalhost.domain.com:7443/arcgis/home.

Use an existing CA-signed certificate

If you already have a certificate issued by a corporate (internal) or commercial CA, you can use this certificate to enable HTTPS.

Import the root CA certificate

  1. Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
  2. Click Security > SSLCertificates > Import Root or Intermediate Certificate.
  3. Browse to the location of the root certificate provided by the CA. Click Import. If the CA issued any additional intermediate certificates, import those as well. Do not import the CA-signed certificate.
  4. Restart the Portal for ArcGIS service.

Import the existing CA-signed certificate

Caution:

To import the certificate into your portal, the certificate and its associated private key must be stored in the PKCS#12 format, which is represented by a file with either the .p12 or .pfx extension.

  1. Click Security > SSLCertificates > Import Existing Server Certificate.
  2. On the Import Existing Server Certificate page, specify the following information:
    • Certificate password—Enter the password to unlock the file containing the certificate.
    • Alias—Enter a unique name that easily identifies the certificate (for example, rootcert).
  3. Browse to the location of the existing CA-signed certificate. Click Import.

Configure Portal for ArcGIS to use the CA-signed certificate

  1. Click Security > SSLCertificates > Update.
  2. In the Web server SSL Certificate field, enter the alias of the existing CA-signed certificate.
  3. Click Update.

The existing CA-signed certificate will now be used for HTTPS.

Verify you can access your portal using HTTPS

Test the following URL to verify that you can access the portal using HTTPS: https://portalhost.domain.com:7443/arcgis/home.
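
Loading the URL in a browser confirms the page is reachable; the check worth automating for both "Verify you can access your portal using HTTPS" steps is that port 7443 now presents the CA-signed certificate rather than the self-signed one. The following Python is an added example, not Esri code; the function names and the sample certificate are constructed for illustration, and `cafile` is assumed to point at your internal CA root when the certificate was not issued by a commercial CA.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "portalhost.domain.com"),),),
    "issuer": ((("organizationName", "Example Internal CA"),),
               (("commonName", "Example Issuing CA"),)),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
    "subjectAltName": (("DNS", "portalhost.domain.com"),),
}

def _flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a flat dict."""
    return {key: value for rdn in name for key, value in rdn}

def review_cert(cert, now=None):
    """Summarise issuer, SAN entries and remaining validity of a certificate."""
    now = time.time() if now is None else now
    subject, issuer = _flatten(cert["subject"]), _flatten(cert["issuer"])
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        # Heuristic: identical subject and issuer means a self-issued cert.
        "self_signed": subject == issuer,
        "san": [value for _kind, value in cert.get("subjectAltName", ())],
        "days_left": int((expires - now) // 86400),
    }

def check_portal(host, port=7443, cafile=None, timeout=10):
    """Handshake with chain and hostname verification, as a browser would."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"trusted": True, **review_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # The default self-signed certificate, a missing intermediate,
        # or a hostname not in the SAN all end up here.
        return {"trusted": False, "reason": exc.verify_message}
```

Calling `check_portal("portalhost.domain.com")` against a portal that still serves the default certificate returns `trusted: False` with the verification failure reason; after the import it returns the issuer, SAN entries and days remaining, which can feed an expiry alert.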