Portal 10.6.1 fails to load CA-signed Server certificates (portaladmin)
After configuring a Portal 10.6.1 machine from scratch, we tried to load a CA-signed Server certificate through /portaladmin, but it fails and there is no error message to be found anywhere. The web interface just plainly returns without an error.
Via ProcMon we have found that the loading process is started as:
"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\keytool.exe" -importkeystore -noprompt -destalias esrinl.com -destkeystore "C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks" -deststorepass portal.secret -srckeystore C:\Users\SVC-PO~1\AppData\Local\Temp\3f197469-451d-43a8-a642-af05d4b496c234558828440621475899837007361998\Q:EWI__Crypto__Certificatesesrinl.com.p12 -srcstoretype PKCS12 -srcstorepass ******** -srcalias *.esrinl.com -destkeypass ******** -deststoretype JKS -J-Duser.language=en
Looking closely, the p12 container is temporarily stored under $env:TEMP ... having "Q:" in its name ... and obviously this is not possible, as ProcMon states:
<event>
<ProcessIndex>785</ProcessIndex>
<Time_of_Day>09:08:22.7509261</Time_of_Day>
<Process_Name>keytool.exe</Process_Name>
<PID>42652</PID>
<Operation>QueryDirectory</Operation>
<Path>C:\Users\svc-portal\AppData\Local\Temp\6c8dcf85-ca76-44b4-bcd0-cc64e17cc657678222220559960898291853642410002\Q:EWI__Crypto__Certificatesesrinl.com.p12</Path>
<Result>NAME INVALID</Result>
<Detail>Filter: Q:EWI__Crypto__Certificatesesrinl.com.p12</Detail>
</event>
Our solution? Just use a line like:
"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\keytool.exe" -importkeystore -noprompt -destalias esrinl.com -destkeystore "C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks" -deststorepass ******** -srckeystore Q:\EWI\__Crypto__\Certificates\esrinl.com.p12 -srcstoretype PKCS12 -srcstorepass ******** -srcalias "*.esrinl.com" -destkeypass portal.secret -deststoretype JKS
And the value of "-srcalias" is the CommonName (CN) of the certificate.
Edgar.
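
Added example, not part of the original post and not Esri's code: the temp file name in the ProcMon event equals the source path from the working command with its backslashes removed, and the remaining ":" is not allowed in a Windows file name, which matches the NAME INVALID result. The Python sketch below checks a name against the Windows file-name rules and shows one way an upload handler could derive a safe temp name from a client-supplied path; invalid_reasons and safe_upload_name are hypothetical helpers.

```python
import ntpath
import re

# Characters not allowed inside a single Windows file-name component.
_INVALID_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
# Reserved DOS device names (with or without an extension).
_RESERVED = re.compile(r'^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$', re.IGNORECASE)


def invalid_reasons(component):
    """Return the reasons a single file-name component is invalid on Windows."""
    reasons = []
    bad = sorted(set(_INVALID_CHARS.findall(component)))
    if bad:
        reasons.append("illegal characters: " + " ".join(repr(c) for c in bad))
    if _RESERVED.match(component):
        reasons.append("reserved device name")
    if component != component.rstrip(" ."):
        reasons.append("trailing space or dot")
    if not component:
        reasons.append("empty name")
    return reasons


def safe_upload_name(client_supplied):
    """Derive a temp-file name from a client-supplied path (hypothetical helper)."""
    # Keep only the last path component, whatever separator the client used.
    name = ntpath.basename(client_supplied.replace("/", "\\"))
    # Replace anything Windows would reject, then drop trailing dots/spaces.
    name = _INVALID_CHARS.sub("_", name).rstrip(" .")
    if not name or _RESERVED.match(name):
        name = "_" + name
    return name


if __name__ == "__main__":
    # File name taken from the ProcMon <Path> element in the post.
    observed = "Q:EWI__Crypto__Certificatesesrinl.com.p12"
    # Source path taken from the working keytool command in the post.
    source = r"Q:\EWI\__Crypto__\Certificates\esrinl.com.p12"
    print("temp name is source path minus backslashes:",
          source.replace("\\", "") == observed)
    print("why keytool cannot open it:", invalid_reasons(observed))
    print("safe temp name:", safe_upload_name(source))
```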