A self-signed SSL certificate is used for the following ArcGIS Data Store interactions:
- The Data Store Configuration wizard accessing the ArcGIS Data Store files through a web server
- Communication through the web server between the hosting server and ArcGIS Data Store machines
- Communication over ports between and within individual machines in a relational data store, tile cache data store, object store, or graph store.
- Communication through ports between the hosting server and any ArcGIS Data Store machine
If your organization requires that interactions be secured through an SSL certificate verified and signed by a certifying authority (CA) or one generated for your domain, you can use the replacesslcertificate utility to replace the self-signed certificate with a CA-signed or domain certificate.
The certificate file must be in PKCS12 format with a file extension of .pfx or .p12, and you must import it to each machine where ArcGIS Data Store is installed.
Follow these steps to update the SSL certificate on an ArcGIS Data Store machine:
- Obtain an SSL certificate from a certifying authority or generate a domain certificate.
- Create a PKCS12 format file and set a password and alias for the file.
- Run the replacesslcertificate utility to replace the self-signed SSL certificate for an ArcGIS Data Store machine.
- To replace the certificate used for web server communication, run the replacesslcertificate utility with the webserver option.
- To replace the certificate used for communication over ports and among data store machines, run the replacesslcertificate utility with the appropriate data store option.
In this example, the certificate file (casignedcert.pfx) is in the cacerts directory, has the alias myfilealias, is secured with the password Sec00rit, and is used to replace the certificate used for web server communication.
replacesslcertificate C:\cacerts\casignedcert.pfx "Sec00rit" myfilealias --option webserver
In the following example, the certificate file (casignedcert2.pfx) is in the certs directory, has the alias reldscert, is secured with the password S00per$ecret, and is used to replace the certificate used for communication between the primary and standby relational data store machines; communication with relational data store machines over ports 2443, 9876, 44369, 45671, 45672, and 50432; and communication for webhooks over ports 25672 and 44369.
replacesslcertificate C:\cacerts\casignedcert2.pfx "S00per$ecret" reldscert --option relational
- If you have multiple ArcGIS Data Store machines, update the certificate for each one.
Verify CA certificate is used for communication
To verify the web server's certificate updated properly, open a browser and type the URL to the Data Store Configuration wizard. The URL is in the format https://<fully qualified data store machine name>:2443/arcgis/datastore. If the wizard opens without returning a security warning, the SSL certificate was successfully updated for web server communication.
You can download and run OpenSSL commands to verify that the certificate path for port communication no longer contains self-signed certificates.