Any communication sent over a computer network can potentially be intercepted, deciphered, or altered. To secure network communication, the use of HTTPS is recommended. HTTPS is a standard industry security technology used to establish an encrypted link between a web server and a web client (such as a web browser). HTTPS facilitates secure network communication by identifying and authenticating the server as well as ensuring the privacy and integrity of all transmitted data. Since HTTPS prevents eavesdropping on or tampering with information sent over the network, it should be used with any login or authentication mechanism and on any network where communication contains confidential or proprietary information.
Create a server certificate
To be able to create an HTTPS connection between a web server and a client, the web server requires a server certificate. A certificate is a digital file that contains information about the identity of the web server. It also contains the encryption technique to use when establishing a secure channel between the web server and the client. A certificate must be created by the owner of the website and digitally signed. There are three types of certificates, CA-signed, domain, and self-signed, which are explained below.
Certificate authority (CA) signed certificates should be used for production systems, particularly if your deployment of ArcGIS Server is going to be accessed from users outside your organization. For example, if your server is not behind your firewall and accessible over the Internet, using a CA-signed certificate assures clients from outside your organization that the identity of the website has been verified.
In addition to being signed by the owner of the website, a certificate may be signed by an independent CA. A CA is usually a trusted third party that can attest to the authenticity of a website. If a website is trustworthy, the CA adds its own digital signature to that website's self-signed certificate. This assures web clients that the website's identity has been verified.
When using a certificate issued by a well-known CA, secure communication between the server and the web client occurs automatically with no special action required by the user. There is no warning message displayed in the web browser, since the website has been verified by the CA.
If your server is located behind your firewall and using a CA-signed certificate is not possible, using a domain certificate is an acceptable solution. A domain certificate is an internal certificate signed by your organization's certificate authority. Using a domain certificate helps you reduce the cost of issuing certificates and eases certificate deployment, since certificates can be generated quickly within your organization for trusted internal use.
Users within your domain will not experience any of the unexpected behavior or warning messages normally associated with a self-signed certificate, since the website has been verified by the domain certificate. However, domain certificates are not validated by an external CA, which means users visiting your site from outside your domain will not be able verify that your certificate really represents the party it claims to represent. External users will see browser warnings about the site being untrusted which may lead them to think that they are actually communicating with a malicious party and be turned away from your site.
A certificate signed only by the owner of the website is called a self-signed certificate. Self-signed certificates are commonly used on websites that are only available to users on the organization's internal (LAN) network. Since there is no need to verify the identity of the website, using a self-signed certificate ensures secure network communication within the organization.
Creating a self-signed certificate should not be considered as a valid option for a production environment as it will lead to unexpected results and a poor experience for all users of the site.
Any web client, such as a web browser, connecting to a website using a self-signed certificate will display a warning that the site could not be verified as a trusted website. For information on how to suppress warnings from self-signed certificates, see Suppressing warnings from self-signed certificates.