Use a CA-signed SSL certificate for ArcGIS Web AppBuilder (Developer Edition)

Summary

Web AppBuilder for ArcGIS (Developer Edition) ships with a self-signed cert in Node.js to support HTTPS, which might not be ideal for enterprise usage. In a business enterprise, it is highly recommended to use an authorized CA certificate. To do so, replace two files in the server directory: cakey.pem and cacert.pem.

The instructions provided describe the workflow to convert an existing SSL domain or CA-signed cert in .pfx format into a certificate/key pair using the OpenSSL toolkit.

Procedure

1. Download OpenSSL for Windows from one of the third-party binary distributions.
2. Install OpenSSL and start it from its Bin folder.

Note:
You can add the path to OpenSSL\Bin to the system environment Path variable so that you can run the utility from any directory on your host.

3. Start a command prompt and change directory to the folder that contains the .pfx file. 
4. Use the below command extract the private key from the .pfx file.

​openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile.key]

Optionally, add the -nodes option to not encrypt the private key. Refer to the following command:

openssl pkcs12 -nodes -in [yourfile.pfx] -nocerts -out [keyfile.key]

Note:
Once entered you need to type in the importpassword of the .pfx file. This is the password that you used to protect your keypair when you created your .pfx file. Once you entered the import password, OpenSSL requests you to type in another password, twice! This new password protects the .key file.

5. Use the following command to convert the private key to PEM format. 

openssl rsa -in [keyfile.key] -outform PEM -out [cakey.pem]

6. Use the following command to extract the certificate from the .pfx file in PEM format.

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [cacert.pem]

7. Replace cacert.pem and cakey.pem files in \WebAppBuilderForArcGIS\server with the files generated in the above steps.
8. Restart Web AppBuilder.
9. Launch Web AppBuilder over HTTPS; it should now be using the domain/CA certificate.