Admin REST API ImportExistingCertificate

08-22-2022 07:48 AM
StevenMorgan
New Contributor II

I am trying to automate the process of updating the SSL certificate for ArcGIS Server using cURL. I first get a token then use that to access this URL: https://domain.com:6443/arcgis/admin/machines/MACHINE.NAME/sslcertificates/importExistingServerCerti.... The server is in a private network and we are using our own CA, which works fine, but when I try the above URL I get this response: "Unable to find root ca certificate"

How do I fix this problem so I can automate this process?

 

Thanks,

Steve

0 Kudos
4 Replies
StevenMorgan
New Contributor II

Additional Info:

I decided since it's been more than two weeks since I originally posted this and no one has replied that I probably didn't give enough information. The private CA Certificate is installed in the machine's certificate store in the Trusted Root Certification Authorities folder. I also tried to install it into ArcGIS Server here: https://domain.com:6443/arcgis/admin/machines/MACHINE.NAME/sslcertificates/importRootOrIntermediate which worked well enough, but I still got the same error as above.

Any advice would be greatly appreciated.

0 Kudos
JoshuaBixby
MVP Esteemed Contributor

The ImportRootOrIntermediate Admin API call is for a root or intermediate issuing CA, not for the certificate that ArcGIS Server will use.  The wording of your comment made it sound like you tried to import the machine certificate using that command.  Have you tried importing the necessary root and intermediate certificates for your organization?

0 Kudos
np_al
New Contributor II

@StevenMorgan Did you find a resolution to this issue? I am having the same issue and not having any luck finding a solution.

 

Thanks,
Noel

 

0 Kudos
StevenMorgan
New Contributor II

I finally found a solution, after months of research with trial and error (mostly error). This solution is written in PHP using cURL. 

Step #1 Generate a token:

// Request a token bound to the IP address of the calling machine
$param = 'username=admin_user&password=admin_pass&client=ip&ip=10.10.10.15&f=json';
$url = 'https://domain.com:6443/arcgis/admin/generateToken';
$ch = curl_init();
// Disables verification of the server's TLS certificate
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $param);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
$result = curl_exec($ch);
curl_close($ch);
// Decode the JSON response and pull out the token
$obj = json_decode($result);
$token = $obj->token;
 
The IP address listed in the $param line is the IP address where the request originates from. Once you have the token you can use it to install the new certificate with another cURL call:
 
Step #2 Install Certificate
 
// Attach the PFX file as a multipart file upload
$pfx = curl_file_create('/folder/to/your/cert.pfx');
$params = array('token' => $token, 'certPassword' => '<cert password>',
'alias' => '<unique name>', 'certFile' => $pfx, 'f' => 'json');
$url = 'https://domain.com:6443/arcgis/admin/machines/MACHINE.NAME/sslcertificates/importExistingServerCertificate';
$ch = curl_init();
// Disables verification of the server's TLS certificate
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// No Content-Type header is set by hand: passing an array to CURLOPT_POSTFIELDS
// makes cURL send multipart/form-data with the correct boundary
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
// The JSON reply from the server ends up in $res
$res = curl_exec($ch);
curl_close($ch);
 
Replace <cert password> with the password for the PFX certificate and <unique name> with something other than what was previously installed - it's an alias name for the new certificate so you can easily tell which certificate in the cert store you want to assign to the machine.
 
Of course, you will still have to make other API calls to assign the newly installed certificate into the machine and perhaps some other clean up tasks like deleting the old cert, but this worked for me! I hope someone will find it useful.
0 Kudos
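The same two calls with TLS verification left on and the private CA supplied to cURL as the trust anchor, so the admin password, token and PFX password are only sent to a server whose certificate chains to that CA. This is an added example, not part of the post above; the `arcgis_post()` helper, the CA file path, the environment variable names and the shape of the error reply are assumptions.

```php
<?php
// Added example: helper name, CA path and environment variables are assumptions.
const ADMIN   = 'https://domain.com:6443/arcgis/admin';
const CA_FILE = '/path/to/private-root-ca.pem'; // private CA certificate, PEM format

function arcgis_post(string $url, array $fields, bool $multipart = false): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // An array is sent as multipart/form-data (needed for the file upload),
        // a string as application/x-www-form-urlencoded.
        CURLOPT_POSTFIELDS     => $multipart ? $fields : http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,    // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,       // and that it matches the host name
        CURLOPT_CAINFO         => CA_FILE, // trust the organisation's own CA
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Request failed: ' . curl_error($ch));
    }
    $json = json_decode($body, true);
    if (!is_array($json)) {
        throw new RuntimeException('Response was not JSON');
    }
    // Assumption: failures are reported as "status":"error" with a "messages" list.
    if (($json['status'] ?? '') === 'error') {
        throw new RuntimeException(implode('; ', (array) ($json['messages'] ?? [])));
    }
    return $json;
}

// Step 1: token, with credentials read from the environment instead of the script
$auth = arcgis_post(ADMIN . '/generateToken', [
    'username' => getenv('AGS_ADMIN_USER'), 'password' => getenv('AGS_ADMIN_PASS'),
    'client'   => 'ip', 'ip' => '10.10.10.15', 'f' => 'json',
]);
if (empty($auth['token'])) {
    throw new RuntimeException('No token in response');
}

// Step 2: upload the PFX under a new alias
$res = arcgis_post(ADMIN . '/machines/MACHINE.NAME/sslcertificates/importExistingServerCertificate', [
    'token'    => $auth['token'], 'certPassword' => getenv('AGS_PFX_PASS'),
    'alias'    => '<unique name>', 'f' => 'json',
    'certFile' => curl_file_create('/folder/to/your/cert.pfx'),
], true);
echo json_encode($res), PHP_EOL;
```

If the handshake fails with this configuration, `curl_error()` reports the verification problem, which separates a client-side trust issue from an error returned by ArcGIS Server itself.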