Esri / arcgis-powershell-dsc

This repository contains scripts, code and samples for automating the install and configuration of ArcGIS (Enterprise and Desktop) using Microsoft Windows PowerShell DSC (Desired State Configuration).
Apache License 2.0

Consider supporting a .cer SSL Certificate without a password #169

Closed pfoppe closed 1 year ago

pfoppe commented 5 years ago

Our agency Certificate Authority currently provides .cer SSL certificates without a password. Unfortunately it seems that the arcgis powershell module has multiple checks for an SSL certificate password and if the password is not set then the module generates a self-signed certificate. We then have to fix the IIS SSL Certificate after the InstallLicenceConfigure.

Thanks for the consideration.

pfoppe commented 5 years ago

For reference... If a .cer file is specified, the PSDSC configure will generate a new self-signed certificate with the specified alias and assign that to the IIS 443 bindings:

[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Setting up SSL Binding with self signed certificate
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Creating Binding on Port 443 for https
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Finished Creating Binding on Port 443 for https
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Installing Self-Signed Certificate for DnsName www.example.com
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Creating New-SelfSignedCertificate for DNS:- www.example.com
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Creating using New-SelfSignedCertificate
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Finished Creating using New-SelfSignedCertificate
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Removing existing certificate at IIS:\SslBindings\0.0.0.0!443
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Installing Certificate with thumbprint and subject CN=www.example.com into IIS Binding for Port 443
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Finished Installing Certificate

All PSDSC messaging and logs indicate that the Install, License, and Configure for a base deployment is successful - IIS + (2) Web-adaptors, Portal, Server, Datastore.

We then go in and manually upload the .cer and re-assign the binding to the trusted certificate file so that clients do not receive an SSL cert error.

Thanks.

sodtom commented 2 years ago

Perhaps also/even support configurations to refer to certificates directly from cloud keyvaults? The option exists in ArcGIS CB but seems not to work. Saving the artifacts gives an error


and deployment fails with the error

Deployment Error:- Could not find a part of the path 'C:\Users\xxxxxxx\AppData\Local\Temp\ea2fa619752a4b1394856006d064691b\AGBaseproperties.json'

as the folder doesn't exist. If I change the template to read the SSL from file - no problem. So the issue must be how keyvaults are handled. Deployment user is the owner of the keyvault.

cameronkroeker commented 1 year ago

Hello @pfoppe,

With v4.0.1, there is a new attribute, ConfigData.WebAdaptor.OverrideHTTPSBinding. Set this to false, so that the existing SSL certificate in the IIS 443 binding will not be replaced. When SslCertificates.Target is set to WebAdaptor, this will allow you to specify a .cer file for SslCertificates.Path.

Thanks, Cameron K.
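
Because the DSC run reports success even when it has swapped the 443 binding to a self-signed certificate, a post-deployment check of the binding is useful. The following is an added example, not part of the thread or of the arcgis-powershell-dsc module; the function name and the .cer path are hypothetical, and it assumes an elevated session on the IIS machine with the WebAdministration module available.

```powershell
Import-Module WebAdministration

function Test-HttpsBindingCertificate {
    param(
        # CA-issued .cer file: public certificate only, so it loads without a password.
        [Parameter(Mandatory)] [string] $ExpectedCerPath,
        # Binding path as it appears in the DSC log output above.
        [string] $BindingPath = 'IIS:\SslBindings\0.0.0.0!443'
    )

    # The binding item exposes the certificate store name and thumbprint in use.
    $binding = Get-Item -Path $BindingPath -ErrorAction Stop
    $certPath = 'Cert:\LocalMachine\{0}\{1}' -f $binding.Store, $binding.Thumbprint
    $bound = Get-Item -Path $certPath -ErrorAction Stop

    # Resolve to a full path because .NET does not follow the PowerShell location.
    $fullPath = (Resolve-Path -Path $ExpectedCerPath -ErrorAction Stop).ProviderPath
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # Build the chain against the machine's trust stores (default revocation settings).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($bound)

    [pscustomobject]@{
        BoundSubject    = $bound.Subject
        BoundThumbprint = $bound.Thumbprint
        # Subject equal to issuer is the signature of New-SelfSignedCertificate output.
        IsSelfSigned    = ($bound.Subject -eq $bound.Issuer)
        MatchesExpected = ($bound.Thumbprint -eq $expected.Thumbprint)
        ChainTrusted    = $trusted
        # IIS can only serve a certificate whose private key is in the store.
        HasPrivateKey   = $bound.HasPrivateKey
        ChainStatus     = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

# Placeholder path; point this at the certificate issued by your CA.
$result = Test-HttpsBindingCertificate -ExpectedCerPath 'C:\certs\www.example.com.cer'
if ($result.IsSelfSigned -or -not $result.MatchesExpected) {
    Write-Warning "Port 443 is bound to an unexpected certificate: $($result.BoundSubject)"
}
$result
```

Run it after each configuration pass; a result with `IsSelfSigned` true or `MatchesExpected` false means the binding no longer points at the CA-issued certificate.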