Replace ArcGIS Data Store SSL certificates
A self-signed SSL certificate is used for the following ArcGIS Data Store interactions:
The Data Store Configuration app accessing the ArcGIS Data Store files through a web server
Communication through the web server between the hosting server and ArcGIS Data Store machines
Communication over ports between and within individual machines in a relational store, object store, or graph store
Communication through ports between the hosting server and any ArcGIS Data Store machine
If your organization requires that interactions be secured through an SSL certificate verified and signed by a certificate authority (CA) or one generated for your domain, you can use the replacesslcertificate utility to replace the self-signed certificate with a CA-signed or domain certificate.
The certificate file must be in PKCS12 format with a file extension of .pfx or .p12, and you must import it to each machine where ArcGIS Data Store is installed.
Follow these steps to update the SSL certificate on an ArcGIS Data Store machine:
Obtain an SSL certificate from a certificate authority or generate a domain certificate.
Create a PKCS12 format file and set a password and alias for the file.
Run the replacesslcertificate utility to replace the self-signed SSL certificate for an ArcGIS Data Store machine.
To replace the certificate used for web server communication, run the replacesslcertificate utility with the webserver option.
To replace the certificate used for communication over ports and among data store machines, run the replacesslcertificate utility with the appropriate data store option (for example, relational for a relational store).
In this example, the certificate file (casignedcert.pfx) is in the cacerts directory, has the alias myfilealias, is secured with the password Sec00rit, and is used to replace the certificate used for web server communication.
Linux:
./replacesslcertificate.sh /usr/cacerts/casignedcert.pfx "Sec00rit" myfilealias --option webserver
Windows:
replacesslcertificate C:\cacerts\casignedcert.pfx "Sec00rit" myfilealias --option webserver
In the following example, the certificate file (casignedcert2.pfx) is in the cacerts directory, has the alias reldscert, is secured with the password S00per$ecret, and is used to replace the certificate used for communication with the relational store machine over port 9876, communication through the web server over port 2443, and communication for webhooks over port 45671. Note that on Linux the password is single-quoted: inside double quotes, the shell would expand $ecret as a variable and pass the truncated password S00per to the utility.
Linux:
./replacesslcertificate.sh /usr/cacerts/casignedcert2.pfx 'S00per$ecret' reldscert --option relational
Windows:
replacesslcertificate C:\cacerts\casignedcert2.pfx "S00per$ecret" reldscert --option relational
Running the utility updates the certificate only for the machine on which it is run.
If you have multiple ArcGIS Data Store machines, update the certificate for each one.
For example, if your deployment includes a relational store that contains two machines and an object store that contains three machines, run the utility on all five machines.
Verify the CA certificate is used for communication
To verify the web server's certificate updated properly, open a browser and type the URL to the Data Store Configuration app. The URL is in the format https://<fully qualified data store machine name>:2443/arcgis/datastore. If it opens without returning a security warning, the SSL certificate was successfully updated for web server communication. The browser must trust the issuing CA for this check to be meaningful: if the certificate was issued by a domain CA whose root is not in the browser's or operating system's trust store, the warning persists even though the certificate was replaced. In that case, view the certificate details in the browser and confirm that the issuer is your CA rather than the data store machine itself.
You can download OpenSSL and run its commands (for example, openssl s_client) to verify that the certificate chain presented on each port no longer contains a self-signed certificate.
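The following script is an added example and is not part of Esri's documentation or of the ArcGIS Data Store tooling. It covers two points from this page: step 2 of the procedure (packing a CA-signed certificate, its private key and the issuing chain into a PKCS12 file with the alias and password that replacesslcertificate expects) and the OpenSSL verification described above (fetching the chain a data store port presents and flagging any self-signed member). It assumes the openssl CLI is on PATH; the file names, the DS_HOST variable and the function names are placeholders chosen for this example, and the three port numbers are those from the relational-store example on this page.

```shell
#!/bin/sh
# Added example, not Esri's code. Assumes the openssl CLI is on PATH.
# File names, DS_HOST and function names are placeholders for this example.

# Step 2 of the procedure: pack a CA-signed certificate, its private key and the
# issuing chain into a PKCS12 file carrying the alias and password that the
# replacesslcertificate utility will be given.
# Usage: make_pfx cert.pem key.pem chain.pem alias password out.pfx
make_pfx() {
  # The password reaches openssl through the environment (env:) rather than
  # argv, so it does not appear in process listings.
  PFX_PASS="$5" openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name "$4" -passout env:PFX_PASS -out "$6"
}

# Print the alias (friendlyName) stored in a PKCS12 file, to confirm that the
# alias passed to the utility matches what is actually in the file.
# Usage: pfx_alias file.pfx password
pfx_alias() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Return 0 when the PEM certificate in file $1 is self-signed (issuer == subject).
is_self_signed() {
  ss_subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  ss_issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ -n "$ss_subject" ] && [ "$ss_subject" = "$ss_issuer" ]
}

# Split a stream of PEM certificates (as printed by s_client -showcerts) into
# cert1.pem, cert2.pem, ... under directory $1 and print how many were written.
split_chain() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }'
}

# Fetch the chain a TLS endpoint presents and report each member. The leaf
# (cert1) must not be self-signed; a self-signed CA root at the end of the
# chain is expected and only reported. Returns 0 if the leaf is CA-issued,
# 1 if the leaf is self-signed, 2 if no certificate was received.
# Usage: check_port host port
check_port() {
  tmp=$(mktemp -d); rc=0
  count=$(openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
            | split_chain "$tmp")
  if [ "$count" -eq 0 ]; then
    echo "$1:$2: no certificate received"; rm -rf "$tmp"; return 2
  fi
  for c in "$tmp"/cert*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    if ! is_self_signed "$c"; then
      echo "$1:$2: ok  $subj"
    elif [ "$c" = "$tmp/cert1.pem" ]; then
      echo "$1:$2: SELF-SIGNED leaf  $subj"; rc=1
    else
      echo "$1:$2: self-signed root  $subj"
    fi
  done
  rm -rf "$tmp"; return $rc
}

# Check the three ports from the relational-store example on this page.
# DS_HOST is a placeholder; set it to a data store machine name to run the check.
if [ -n "${DS_HOST:-}" ]; then
  for port in 2443 9876 45671; do check_port "$DS_HOST" "$port"; done
fi
```

Run it as DS_HOST=<fully qualified data store machine name> sh check_ds_certs.sh on each machine, or from any host that can reach the ports. A chain whose leaf is issued by your CA passes even if the server also sends the CA's self-signed root; what the replacement is meant to remove is a self-signed leaf whose subject is the machine itself. If a consumer rejects a PKCS12 file produced by OpenSSL 3, its default AES/PBKDF2 encoding is the usual cause; openssl pkcs12 -export -legacy writes the older encoding.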