How to obtain a CA-issued certificate for ArcGIS Enterprise on Azure?

1771
1
04-10-2017 08:35 AM
JonathanBailey
Occasional Contributor III

I've deployed an ArcGIS Enterprise setup to Azure, and now I'm trying to install a CA-issued certificate so that the services can be accessed via HTTP without warnings. While Esri provides good documentation on how to install the certificate here, they provide no guidance on how to obtain the certificate, other than that I'm supposed to magically obtain a .pfx file somehow.

My initial attempts have led me to a couple of roadblocks:

  1. Some CAs, such as Comodo, won't issue certificates for Azure domains.
  2. Once ArcGIS Server is installed, IIS won't serve out text files from wwwroot, which throws a wrench into the domain control validation process.

Does anyone have any guidance on how to obtain a CA-issued certificate for ArcGIS Enterprise on Azure?

1 Reply
NicolasPfeffer-Taggart
New Contributor II

I had similar frustrations, as I too am using a Comodo issued certificate... Both documentation and tech support seemed to lack clear details of the azure/web adapter arrangement. Ultimately I was unable to get a certificate issued for the azure dns name of my ArcGIS Enterprise azure vm ([your dns name].[location].cloudapp.azure.com) as you mentioned in roadblock 1, as we obviously don't have control over the DNS server for said domain... A definite bummer as it would be great if you could create standalone ArcGIS Enterprise sites on azure without the need for a registered name.

In the case that you do have a domain of your own (or subdomain which is my case, I happen to also host my subdomain DNS with Azure DNS service, but most DNS providers have the same functionality) the instructions are still unclear. I pointed my (sub)domain to my [your subdomain].[location].cloudapp.azure.com address via a CNAME in my DNS record. A good article describing the process and more generally "DNS for noobs" (me) available here Install a CA-issued certificate—ArcGIS Enterprise | ArcGIS Enterprise . Though this article refers to Azure "Web Sites" think of them as synonomous with your Azure ArcGIS VM and replace their references to [your subdomain].azurewebsites.net with your [your subdomain].[location].cloudapp.azure.com

Anywho, back to getting the certificate issued, the steps below obviously won't get you a cert for your azure name, but it may help someone who is trying to get their site on Azure to function using a cert for a domain/subdomain they own. These steps presume you are using some form of CNAME records on the DNS of your choice to point your chosen domain to your azure domain:

  1. login to your Azure VM via RDP, open IIS go to [your server, localhost] > Server Certificates > Create Certificate Request
  2. Fill in the details making sure to enter your intended domain (gis.contoso.com NOT the azure name [your subdomain].[location].cloudapp.azure.com) for "Common Name" and download your CSR
  3. Take your CSR to your chosen CA and get verified. Again, I couldn't figure out how to get my Azure VM IIS to supply the required HTTP response to verify, but I have access to the admin email and DNS records for my subdomain and verified using the other methods offered by Comodo
  4. In my case, I didn't get a .pfx back from Comodo, so I used what was given to me (.cer) to "Complete Certificate Request" in IIS on my Azure VM. This left me with my freshly issued certificate sitting on my VM in IIS, but not quite ready to return and install the cert via ArcGIS Cloud Builder for Azure
  5. To get the necessary pfx, I highlighted my newly signed certificate in IIS under "Server Certificates" and clicked "export", gave a path to output my pfx file and entered a strong password to keep it safe in transit
  6. with my pfx in hand, I hopped back over to ArcGIS Cloud Builder, logged in with my azure credentials, supplied my pfx file and the required site administrator account info. This is where I got thoroughly hung up... The "Domain Name (Alias)" I had to enter in ArcGIS Cloud Builder for Azure WAS the Azure DNS name ([your subdomain].[location].cloudapp.azure.com) of my VM NOT the CN of my recently requested and received certificate (gis.contoso.com). I suppose if I read the fine print at https://server.arcgis.com/en/server/latest/cloud/azure/install-ssl-certificate.htm I would have noted where step 9 says "Type the CNAME for your site in the Domain Name (Alias) field" but for some reason my feeble mind was hooked on the idea that I needed to enter the CN name of my issued certificate. After all, that's what I wanted my site to resolve as and use rather than the long, awkward azure domain name...
  7. Skip the headache I had, enter the azure domain name and install the cert (even though its for another domain name). When you now visit your site (either using your domain or azures domain, they'll both redirect and appear in the address bar as the azure domain) you'll still likely see a big-fat security warning in your browser, only this time it will be due to a name mismatch, not a self-signed-certificate. If you examine the certificate returned by your site, it will now read as the name of your domain. So the last step involves getting your site to think and know and actually function as your domain (gis.contoso.com) Simply following along with the documentation for installing via Cloud Builder didn't get me where I wanted, instead I found my answer under "Use a reverse proxy server with Portal for ArcGIS". Skipping the steps to register the portal with the reverse proxy (azures load balancer does this out-of-the-box) follow the instructions for updating the WebContextURL setting it to whatever your domain is (not azure, yours like gis.contoso.com/arcgis

Voila! when I visit gis.contoso.com, my URL doesn't switch to the azure provided domain name, and my browser is happy with the name on my CA issued certificate. All is well in my world. 

This may not get at exactly what you are looking for, but I still hope it helps you or someone else who is struggling with getting things up and running on Azure. I'm new to Azure, and would have much preferred to deploy to AWS due to my experience with the platform, but this current project dictated I use Azure, and after the few initial glitches, I can say I'm actually very satisfied with how easy it's been to maintain. The ArcGIS Cloud Builder for Azure sure made things seeeeeeem simple, but in retrospect, I should have probably just grabbed an esri image from the marketplace and set things up myself... I would have likely figured out the glitches faster than staring at the pretty UI and expecting things to just happen  Cheers and good luck