If you will be utilizing an SSL certificate with your ArcGIS Server site, which is the recommended practice, Esri recommends installing it before you install ArcGIS Server. The acquisition and installation of SSL certificates are quite often not well understood by GIS professionals. This is understandable, as SSL certificates are usually handled by systems administrators. That said, your systems administrator may indeed handle all aspects of SSL certificates within your organization, so contact them first before proceeding with purchasing one yourself. Regardless, let's demystify the process of acquiring and installing SSL certificates.
Acquiring an SSL certificate
Requesting and purchasing an SSL certificate is not as scary as it may seem. Armed with the knowledge of the process, it can be done in a few hours spread out over a few days in most cases.
Requirements
To acquire a basic SSL certificate, a few items are necessary:
- Web server access
- An account with a certificate authority
- A domain name and unique IP address
First, you will need administrative access to the web server that the ArcGIS Web Adaptor will be installed on. For our purposes here, we will be using IIS 8.5 on Windows Server 2012 R2. SSL certificates can, of course, be installed on any flavor of web server. See your web server's documentation for details on SSL certificate installation. Secondly, you, or someone in your organization, will need an account with a certificate authority, such as DigiCert, GoDaddy, or Entrust, through which you will apply for and purchase the certificate. Again, check with your systems administrator before proceeding with the purchase of any SSL certificates. Finally, you will need a unique IP address and domain name to go along with it.
Getting the certificate
The first step in acquiring an SSL certificate is the generation of a certificate signing request, or CSR. A CSR is a block of encoded text generated on the server where the certificate will be installed; it contains information that will be included in the certificate, such as the organization and domain name. Think of a CSR as a digital signature for your server. The matching private key is created at the same time and stays on that server; only the CSR is sent to the certificate authority. To generate a CSR in IIS, follow these steps:
- Launch IIS, select the machine name in the left Connections menu, then double-click on Server Certificates in Features View.
- In the right Actions menu, click on Create Certificate Request....
- Fill out the Distinguished Name Properties, being careful to match these items (especially the Organization name) to those of the WHOIS record for your domain name. Click on Next.
- For Cryptographic Service Provider Properties, select Microsoft RSA SChannel Cryptographic Provider with a Bit length of 2048; these are typical industry standards.
- Specify a name and location for your CSR text file.
- Open your CSR in a text editor to view it.
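A pre-submission check of the CSR produced by the steps above, added here as an example (it is not part of the original text): it reads the subject fields and the RSA key size out of the request so you can compare the Organization with your WHOIS record and confirm the 2048-bit length. It assumes an RSA key; `sample_csr`, its Example Org and www.example.com values, and its dummy key and signature are constructed for illustration.

```python
import base64

# DER-encoded attribute OIDs for the Distinguished Name fields the IIS wizard asks for
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
        b"\x55\x04\x07": "L", b"\x55\x04\x08": "S", b"\x55\x04\x06": "C"}

def read_tlv(buf, pos=0):
    """Decode one DER element at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a SEQUENCE or SET body into the values of its elements."""
    out, pos = [], 0
    while pos < len(body):
        _, value, pos = read_tlv(body, pos)
        out.append(value)
    return out

def inspect_csr(pem):
    """Return (subject dict, RSA key size in bits) for a PEM PKCS#10 request."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    info = children(children(read_tlv(base64.b64decode(b64))[1])[0])
    subject = {}
    for rdn in children(info[1]):  # Name = SEQUENCE OF SET OF {oid, value}
        for pair in children(rdn):
            oid, text = children(pair)
            subject[OIDS.get(oid, oid.hex())] = text.decode("utf-8", "replace")
    rsa_key = read_tlv(children(info[2])[1][1:])[1]  # BIT STRING minus unused-bits byte
    return subject, int.from_bytes(children(rsa_key)[0], "big").bit_length()

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n, width = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + size + body

def sample_csr(bits, org):  # constructed request: dummy key and signature
    dn = [(b"\x55\x04\x0a", org), (b"\x55\x04\x03", "www.example.com")]
    name = b"".join(tlv(0x31, tlv(0x30, tlv(6, o) + tlv(0x0C, v.encode()))) for o, v in dn)
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = tlv(0x30, tlv(2, modulus) + tlv(2, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(6, bytes.fromhex("2a864886f70d010101")) + tlv(5, b""))
    spki = tlv(0x30, alg + tlv(3, b"\x00" + key))
    info = tlv(0x30, tlv(2, b"\x00") + tlv(0x30, name) + spki + tlv(0xA0, b""))
    b64 = base64.encodebytes(tlv(0x30, info + alg + tlv(3, b"\x00" * 5))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}-----END NEW CERTIFICATE REQUEST-----\n"
```

To check a real request, pass the text of the file you saved from IIS to `inspect_csr` and compare the returned Organization and key size with what you intended before submitting it to the CA.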
The second step in acquiring an SSL certificate is to purchase the certificate from the certificate authority, or CA. All CAs are different, but the process is the same in principle. First, log in to your account. There are different certificate options, so research them and find out which is best for your needs. Next, purchase your certificate. After you make the purchase, it will be available to you in your account.
The final step in this process is to apply your CSR to the certificate in your account. Here, you are requesting the certificate with the certificate signing request from your web server; this will bind the SSL certificate to your server, assuring your end users that the site they are going to is indeed your site. After a successful request of the certificate from the CA, you will be able to download the certificate as a ZIP file.
Setting your site bindings
Next, you need to bind your server's IP address and host header to port 443 with your SSL certificate. This is done through the Site Bindings settings in IIS. Again, open IIS and complete the following steps:
- In the Connections left pane, select your website. In the right Actions pane, select Bindings....
- In the Site Bindings window, you will more than likely only have one binding for port 80 on http. Click on Add.
- Add a binding for Type: https, IP Address: All Unassigned, Port: 443. Select your SSL certificate from the SSL certificate dropdown, and then click on OK.
Your SSL certificate is now bound to port 443. In a browser, navigate to your site over https; in my case, it is https://www.masteringageadmin.com.