This topic shows how to configure HTTPS for ArcGIS Server using a self-signed certificate. Complete the following steps:
Create a self-signed certificate
- Log in to the ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin.
- Browse to machines > [machine name] > sslcertificates.
- Click generate.
- Provide values for the parameters on this page:
Option | Description |
Alias | A unique name that easily identifies the certificate. |
Key Algorithm | Use RSA (the default) or DSA. |
Key Size | Specifies the size in bits to use when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For DSA, the key size can be between 512 and 1,024. For RSA, the recommended key size is 2,048 or greater. |
Signature Algorithm | Use the default (SHA256withRSA). If your organization has specific security restrictions, one of the following algorithms can be used for DSA: SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA1withDSA. |
Common Name | This field is optional and is used for backward compatibility with older web browsers and software. It is recommended to use the fully qualified domain name of your server name as the common name. If your server will be accessed on the Internet through the URL https://www.gisserver.com:6443/arcgis/, use www.gisserver.com as the common name. If your server will only be accessible on your local area network (LAN) through the URL https://gisserver.domain.com:6443/arcgis, use gisserver.domain.com as the common name. |
Organizational Unit | The name of your organizational unit, for example, GIS Department. |
Organization | The name of your organization, for example, Esri. |
City or Locality | The name of the city or locality, for example, Redlands. |
State or Province | The full name of your state or province, for example, California. |
Country Code | The abbreviated code for your country, for example, US. |
Validity | The total time in days during which this certificate will be valid, for example, 365. |
Subject Alternative Name | The subject alternative name (SAN) is used to validate that the SSL certificate presented by the website being accessed was issued for that website. If this parameter is left empty, the fully qualified domain name of the local machine is used as the default value. The SAN field supports multiple values; however, it must include the fully qualified domain name of the website. The SAN parameter value cannot contain spaces. For example, if your server will be primarily accessed using the URL https://www.esri.com, the SAN parameter should be set to DNS:www.esri.com. If your server will be accessed on the public Internet using the URL https://www.esri.com and within your organization's LAN (local area network) using the URL https://gisserver.esri.com, the SAN parameter should be set to DNS:www.esri.com,DNS:gisserver.esri.com. The use of wildcards (*.esri.com) in the SAN parameter, though supported, is not recommended. When the same certificate is used for multiple websites or subdomains, list each website or subdomain in the SAN parameter, as shown in the following example: DNS:www.esri.com,DNS:esri.com,DNS:www.esri.ch,DNS:www.esri.rw,DNS:www.esri.de,DNS:maps.esri.com,DNS:support.esri.com,DNS:pro.arcgis.com |
- Click Generate to generate the certificate.
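A pre-flight check for the Subject Alternative Name value, as an added example that is not part of the Esri documentation: it parses the SAN string using the rules above (no spaces, comma-separated DNS: entries) and reports which client URLs would pass host name validation. The function names and the short-name URL are assumptions made for illustration, and only the DNS: entry form shown on this page is handled.

```python
from urllib.parse import urlsplit

def parse_san(san):
    """Split a SAN parameter value such as 'DNS:a.example,DNS:b.example'."""
    if any(ch.isspace() for ch in san):
        raise ValueError("SAN value cannot contain spaces")
    names = []
    for entry in san.split(","):
        kind, _, value = entry.partition(":")
        if kind != "DNS" or not value:
            # Assumption: only the DNS: form shown on the page is handled here.
            raise ValueError(f"unsupported SAN entry: {entry!r}")
        names.append(value.lower())
    return names

def host_matches(pattern, host):
    """Match one SAN DNS name against a host name.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, which is how TLS clients treat wildcards.
    """
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def review_san(san, urls):
    """Return (findings, coverage): wildcard warnings and URL -> covered?"""
    names = parse_san(san)
    findings = [f"wildcard entry {n!r}: list each host instead"
                for n in names if "*" in n]
    coverage = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        coverage[url] = any(host_matches(n, host) for n in names)
    return findings, coverage

if __name__ == "__main__":
    # Constructed input: the page's two-name SAN example plus a short-name URL.
    san = "DNS:www.esri.com,DNS:gisserver.esri.com"
    urls = ["https://www.esri.com",
            "https://gisserver.esri.com:6443/arcgis/admin",
            "https://gisserver:6443/arcgis/admin"]
    findings, coverage = review_san(san, urls)
    for url, ok in coverage.items():
        print("covered " if ok else "MISMATCH", url)
    for f in findings:
        print("note:", f)
```

A URL reported as a mismatch will produce a certificate name warning in clients even after the certificate is trusted, so add that host name to the SAN value or stop using that URL.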
Configure ArcGIS Server to use the certificate
To specify the certificate that ArcGIS Server should use, complete the following steps:
- Log in to the ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin.
- Browse to machines > [machine name].
- Click edit.
- Type the name of the certificate that you want to use in the Web server SSL Certificate field.
- Click Save Edits to apply your change. This automatically restarts your ArcGIS Server site.
- After your site is restarted, verify that you can access the URL https://gisserver.domain.com:6443/arcgis/admin. If you do not get a response from this URL, ArcGIS Server was unable to use the certificate. Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin, check your SSL certificate, and configure ArcGIS Server to use a new or different certificate.
- On the current page, view the property Web server SSL Certificate to verify that the desired certificate will be used for HTTPS.
Configure each server in your deployment
If you have a multiple-machine deployment of ArcGIS Server, you must create a self-signed certificate for each server machine that participates in your site and configure that machine to use the certificate.
Access your site
With HTTPS enabled by default, ArcGIS Server listens on port 6443 for requests. Use the URLs below to securely access ArcGIS Server:
ArcGIS Server Manager | https://gisserver.domain.com:6443/arcgis/manager |
ArcGIS Server Services Directory | https://gisserver.domain.com:6443/arcgis/rest/services |
Note:
If you rename ArcGIS Server, you can continue to access ArcGIS Server using HTTPS; however, you must generate a new certificate and configure ArcGIS Server to use it.
Import the certificate into the OS certificate store
For ArcGIS services, such as the PrintingTools service, to work with ArcGIS Server, the server's certificate must be installed as a trusted certificate:
- Log in to the ArcGIS Server Administrator Directory.
- Browse to machines > [machine name] > sslcertificates.
- Click the certificate being used by ArcGIS Server and click export. Save the file to a location on your computer.
- Open Certificate Manager. You can do this by clicking the Start button, typing certmgr.msc in the search box, and pressing Enter.
- In the Certificate Manager window, click Trusted Root Certification Authorities and click Certificates.
- On the top menu, click Action and select All Tasks > Import.
- On the Certificate Import Wizard dialog box, click Next and follow the instructions in the wizard to import the certificate.
- Repeat the above steps for each GIS server in your site.