HTTPS encrypts communications to and from a web server and lets a client application confirm the identity of the web server it is talking to. When HTTPS is enabled, the web server sends a certificate to each client. The certificate binds a statement of identity (for example, gis.mycity.gov) to a public key; the client uses the certificate to verify that identity against a CA it trusts and uses the public key to set up the encrypted session.
Portal for ArcGIS often transmits information that needs to be encrypted; therefore, HTTPS is always enabled in the portal. It's recommended that the certificate you use is signed by a corporate (internal) or commercial certificate authority (CA). The portal ships with a self-signed certificate. Because no trusted CA vouches for a self-signed certificate, a client cannot verify the identity of the server and will warn the user. Replacing the self-signed certificate with a CA-signed certificate improves the security of your deployment.
There are two ways to use a CA-signed certificate with the portal:
- Generate a new CA-signed certificate—Generate a certificate signing request (CSR), have it signed by your CA, and import it into the portal.
- Use an existing CA-signed certificate—If you already have an existing CA-signed certificate assigned to the portal machine, import it into the portal.
Note:
These workflows apply to HTTPS communication with Portal for ArcGIS over port 7443 only. To generate or import a CA-signed certificate for the web adaptor, consult the documentation for the web server where the web adaptor is installed.
For full instructions on these processes, see the steps in the sections below.
Generate a new CA-signed certificate
You can enable HTTPS using a new certificate signed by a corporate (internal) or commercial CA. The steps are as follows:
Generate a new certificate
To generate a new certificate, complete the following steps:
- Sign in to the Portal Administrator Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Generate.
Note:
If your portal is highly available, you should instead browse to Machines > [machine] > SSLCertificates > Generate, then repeat the following steps for each portal machine.
- On the Generate Certificate page, enter the following information:
- Alias—A unique name that identifies the name of the certificate (for example, portalcert).
- Key Algorithm—RSA (the default) or DSA.
- Key Size—Specifies the size (in bits) of the key pair generated for the certificate. Larger keys are harder to break but make the TLS handshake more expensive. For RSA, use 2,048 bits or greater. For DSA, the key size can be between 512 and 1,024; that range is far below current standards, TLS 1.3 defines no DSA signature scheme, and mainstream browsers no longer offer the DSS cipher suites a DSA certificate requires, so treat DSA as a legacy option and use RSA in practice.
- Signature Algorithm—Use the default (SHA256withRSA). If your organization requires a different algorithm, SHA384withRSA and SHA512withRSA can be used with RSA keys, and SHA1withDSA with DSA keys. SHA1withRSA and SHA1withDSA remain only for legacy compatibility: public CAs stopped issuing SHA-1 signed certificates and browsers reject them. This setting governs the CSR and the interim self-signed certificate; the CA applies its own signature algorithm to the certificate it issues.
- Common Name—This field is optional and is used for backward compatibility with older web browsers and software. It is recommended that you use the fully qualified domain name of your portal machine as the common name.
- Organizational Unit—A department name that would be meaningful to a user of your site (for example, GIS Department).
- Organization—The name of your organization (for example, Esri).
- City or Locality—The name of your city or locale (for example, Redlands).
- State or Province—The name of your state or province (for example, California).
- Country Code—The two-letter country code where your organization resides (for example, US).
- Validity—The number of days the certificate will be valid (for example, 365).
- Subject Alternative Name—The subject alternative name (SAN) lists every host name and IP address the certificate is valid for. A client compares the name it connected with against this list to confirm that the certificate was issued for that site. Current browsers check only the SAN and ignore the common name, so every name clients will use to reach the portal must appear here.
If this parameter is left empty, the fully qualified domain name of the local machine is used as the default value. The SAN field supports multiple values; however, it must include the fully qualified domain name of the portal machine. The SAN parameter value cannot contain spaces.
Using SAN, a certificate allows the use of different URLs to access the same website. For example, the URLs https://www.esri.com, https://esri, and https://10.60.1.16 can be used to access the same site if the certificate is created using the following parameter values:
CN=www.esri.com
SAN=DNS:www.esri.com,DNS:esri,IP:10.60.1.16
- Click Generate. A link to your certificate appears on the certificates page.
Request a CA to sign your certificate
For web browsers to trust your certificate, it must be signed by a CA that the browsers already trust: your organization's internal CA, or a commercial CA such as Verisign or Thawte.
- On the certificates page, click the name of your certificate.
- Click GenerateCSR. On the Generate CSR page, copy the CSR content and paste it into a file. Save the file with the .csr extension (for example, portalcert.csr).
- Submit the CSR to a CA. It's recommended that you obtain a Distinguished Encoding Rules (DER) or Base64 encoded (PEM) certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, the CA will send you a file with the .crt or .cer extension.
- Save the signed certificate received from the CA to a location on your portal machine. The CA also provides its root certificate and, in most cases, one or more intermediate certificates that link your certificate to that root; save all of them to the portal machine. Before importing, confirm that the subject and SAN of the returned certificate match what you requested and that its issuer is the intermediate (or root) you were given. An intermediate that is never imported is the usual reason a portal ends up serving an incomplete chain that clients still reject.
- Sign in to the Portal Administrator Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Import Root or Intermediate.
Note:
If your portal is highly available, you should instead browse to Machines > [machine] > SSLCertificates > Import Root or Intermediate, then repeat the following steps for each portal machine.
- Browse to the location of the root certificate provided by the CA. Click Import. If the CA issued additional intermediate certificates, import those as well. Portal for ArcGIS will restart automatically for each imported certificate. Do not import the signed certificate in this step.
- Return to the SSLCertificates page.
- Click the name of the certificate you generated in the previous section (for example, portalcert).
- Click Import Signed Certificate and browse to the location of the signed certificate you received from the CA.
- Click Import. The certificate you created in the previous section is replaced with the CA-signed certificate.
Configure Portal for ArcGIS to use the CA-signed certificate
To configure Portal for ArcGIS to use the CA-signed certificate, complete the following steps:
- Sign in to the Portal Administrator Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Update.
Note:
If your portal is highly available, you should instead browse to Machines > [machine] > SSLCertificates > Update, then repeat the following steps for each portal machine.
- In the Web server SSL Certificate field, enter the alias of the CA-signed certificate. The alias you specify should match the alias of the certificate that was replaced with the CA-signed certificate in the previous section.
- Click Update.
The CA-signed certificate will now be used for HTTPS.
Verify you can access your portal using HTTPS
Open the following URL to verify that you can access the portal using HTTPS: https://portalhost.domain.com:7443/arcgis/home. The page should load without a certificate warning, and the certificate details shown by the browser should list your CA as the issuer and the portal's fully qualified domain name in the SAN. If your portal is highly available, test each portal machine.
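The SAN rules from the Generate a new certificate section (a client checks the SAN, falls back to the CN only when no SAN is present, and must find the exact name it connected with) and the verification step above can both be exercised with the script below. It is an added example written for this page, not Esri code, and it uses only Python's standard library. The host name, port, CA file path, and the list of extra names to check are assumptions for illustration. The live check validates the chain the portal serves against the CA root you imported, which is what a browser does, and then reports every name that the certificate does not actually cover.

```python
"""Check which names a certificate's CN/SAN cover, and verify what a portal serves on 7443.

Added example for this page (not Esri's code). Assumptions: the SAN string uses the
page's own syntax ("DNS:...,IP:..."); name matching follows what browsers do today
(RFC 6125): when a SAN is present the CN is ignored, a DNS entry may carry one leading
"*." matching exactly one label, and IP entries match only IP literals. Only the
stdlib ssl module is used, so the live check needs the CA root (PEM or DER) that was
imported into the portal and performs full chain validation, like a client would.
"""
import ipaddress
import socket
import ssl
import sys
from datetime import datetime, timezone


def parse_san(san):
    """Parse "DNS:www.esri.com,DNS:esri,IP:10.60.1.16" into (type, value) pairs."""
    if not san:
        return []
    if " " in san:
        raise ValueError("SAN value must not contain spaces")
    entries = []
    for item in san.split(","):
        kind, sep, value = item.partition(":")
        if not sep or kind not in ("DNS", "IP") or not value:
            raise ValueError(f"bad SAN entry: {item!r}")
        if kind == "IP":
            ipaddress.ip_address(value)  # rejects malformed addresses
        entries.append((kind, value))
    return entries


def _dns_match(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                     # "*.esri.com" -> ".esri.com"
    label = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label  # wildcard covers exactly one label


def hostname_covered(cn, san, target):
    """Would a current client accept a certificate with this CN/SAN for `target`?"""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if san:                                  # SAN present: the CN is not consulted
        return any(
            (kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip)
            or (kind == "DNS" and ip is None and _dns_match(value, target))
            for kind, value in san
        )
    # No SAN: legacy CN fallback, which some clients (e.g. Chrome) no longer allow at all.
    return ip is None and bool(cn) and cn.lower() == target.lower()


def cert_summary(cert):
    """Reduce ssl.getpeercert()'s dict to (cn, san pairs, notAfter as aware datetime)."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    san = [("IP" if k == "IP Address" else k, v)
           for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return cn, san, not_after


def check_served_cert(host, port=7443, ca_path=None, expect=()):
    """Connect, validate the served chain, then check every name in (host, *expect).

    With ca_path the trust store holds ONLY that CA, so the result tells you whether a
    client trusting your CA root accepts what the portal serves. Chain failures raise
    ssl.SSLCertVerificationError; name mismatches are reported instead of raising.
    """
    if ca_path:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED, empty trust store
        raw = open(ca_path, "rb").read()
        ctx.load_verify_locations(cadata=raw.decode() if raw.startswith(b"-----") else raw)
    else:
        ctx = ssl.create_default_context()              # system trust store (public CA)
    ctx.check_hostname = False                          # names are checked below, all at once
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    cn, san, not_after = cert_summary(cert)
    issuer = dict(kv for rdn in cert["issuer"] for kv in rdn)
    return {
        "issuer": issuer.get("commonName"),
        "self_signed": cert["issuer"] == cert["subject"],
        "days_left": (not_after - datetime.now(timezone.utc)).days,
        "uncovered": [n for n in (host, *expect) if not hostname_covered(cn, san, n)],
    }


if __name__ == "__main__":
    # usage: python check_portal_tls.py portalhost.domain.com root.cer [extra names...]
    host, ca_file, *extra = sys.argv[1:]
    print(check_served_cert(host, ca_path=ca_file, expect=extra))
```

Run it from any machine that can reach port 7443, passing the root certificate you imported and any additional names from your SAN (for the example SAN on this page: `python check_portal_tls.py www.esri.com root.cer esri 10.60.1.16`). A certificate verify failed error at this point most often means an intermediate certificate was not imported, so the portal serves an incomplete chain; a non-empty uncovered list means a URL your users rely on is absent from the SAN and will produce browser warnings even though the chain is fine.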
Use an existing CA-signed certificate
If you already have a certificate issued by a corporate (internal) or commercial CA, you can use this certificate to enable HTTPS.
Import an existing CA-signed certificate
Caution:
To import the certificate into your portal, the certificate and its associated private key must be stored together in the PKCS#12 format, which is represented by a file with either the .p12 or .pfx extension. If your certificate and key are in separate PEM files, convert them into one PKCS#12 file first (OpenSSL's pkcs12 command can do this) and include the CA root and intermediate certificates in the same file so the Import certificate chain option can pick them up. The file contains the private key, so protect it with a strong password, transfer it only over trusted channels, and delete it from the portal machine after the import.
- Sign in to the Portal Administrator Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Import Existing Server Certificate.
Note:
If your portal is highly available, you should instead browse to Machines > [machine] > SSLCertificates > Import Existing Server Certificate, then repeat the following steps for each portal machine.
- On the Import Existing Server Certificate page, specify the following information:
- Certificate password—Enter the password to unlock the file containing the certificate.
- Alias—Enter a unique name that easily identifies the server certificate (for example, portalcert).
- File—Browse to and select the .pfx or .p12 file that contains the existing CA-signed certificate and its private key.
- Import certificate chain—When selected, any root or intermediate certificates included in the .pfx or .p12 file will be imported as well. The alias for these certificates will match the alias entered above and be appended with either _root or _intermediate depending on the type of certificate.
- Click Import.
Import the root CA certificate
After importing an existing CA-signed certificate, the root and intermediate certificates may have already been imported. These would be listed under Security > SSLCertificates.
If they were not imported or if an additional root or intermediate certificate is needed, complete the following steps:
- Click Security > SSLCertificates > Import Root or Intermediate.
Note:
If your portal is highly available, you should instead browse to Machines > [machine] > SSLCertificates > Import Root or Intermediate, then repeat the following steps for each portal machine.
- Browse to the location of the root certificate provided by the CA. Click Import. If the CA issued additional intermediate certificates, import those as well. Do not import the CA-signed server certificate in this step.
- Restart the Portal for ArcGIS service.
Configure Portal for ArcGIS to use the CA-signed certificate
To configure Portal for ArcGIS to use the CA-signed certificate, complete the following steps:
- Click Security > SSLCertificates > Update.
Note:
If your portal is highly available, you should instead browse to Machines > [machine] > SSLCertificates > Update, then repeat the following steps for each portal machine.
- In the Web server SSL Certificate field, enter the alias of the existing CA-signed certificate.
- Click Update.
The existing CA-signed certificate will be used for HTTPS.
Verify you can access your portal using HTTPS
Open the following URL to verify that you can access the portal using HTTPS: https://portalhost.domain.com:7443/arcgis/home. The page should load without a certificate warning, and the certificate details shown by the browser should list your CA as the issuer and the portal's fully qualified domain name in the SAN. If your portal is highly available, test each portal machine.