English

How To: Import a new certificate to the ArcGIS Data Store

Summary

Customers frequently require that the default self-signed certificate that ships with ArcGIS Data Store be replaced with a certificate signed by a Certificate Authority. The following instructions detail the process of importing a new signed certificate into the ArcGIS Data Store.

Procedure

  1. Stop the ArcGIS Data Store
  2. Navigate to the Data Store keystore folder:
    cd "c:\Program Files\ArcGIS\DataStore\etc\ssl"
  3. Create a new keystore named agsdatastore_signed:
    ..\..\framework\runtime\jre\bin\keytool.exe -genkey -alias agsdatastore -keyalg RSA -keystore agsdatastore_signed -keysize 2048
  4. Use agsdatastore.secret for the password.
  5. Generate a new Certificate Signing Request (CSR):
    ..\..\framework\runtime\jre\bin\keytool.exe -certreq -alias agsdatastore -keystore agsdatastore_signed -file agsdatastore.csr
    When prompted, use the fully qualified machine name (FQDN) used to access the data store for the “First and Last Name” parameters of the CSR request when prompted. Do not use your given name. Complete the other parameters as requested. Use the same password as set previously in Step 4 to access the keystore.
    This command creates a text file called agsdatastore.csr in the /jre/bin folder.
  6. Submit the agsdatastore.csr file to your chosen certificate authority. Request the response be provided as a .p7b file so that the CA root certificate is imported as well. If you can only download the certificate itself, export any root/intermediate certs from the CA and import them to the keystore as well:
    ..\..\framework\runtime\jre\bin\keytool.exe -import -trustcacerts -alias my_ca_cert -keystore agsdatastore_signed -file ca_cert.cer
    Answer “yes” when prompted,
  7. Import the certificate authority’s response:
    ..\..\framework\runtime\jre\bin\keytool.exe -import -trustcacerts -alias agsdatastore -keystore agsdatastore_signed -file cert_der_fullchain.p7b
    Answer “yes” when prompted.
  8. When the signed certificate is imported successfully:
    • Rename the agsdatastore file to agsdatastore_orig
    • Rename the agsdatastore_signed to agsdatastore
  9. Restart the ArcGIS Data Store service.
    Confirm that accessing https://serverFQDN:2443/arcgis/datastore is a valid secure HTTPS connection.