Skip To Content

Create a domain certificate

ArcGIS Monitor uses HTTPS by default, which requires a server certificate. The Google Chrome internet browser only trusts domain certificates that contain a subject alternative name (SAN) parameter. This parameter cannot be configured by the Windows makecrt command or the Microsoft Internet Information Server (IIS) Manager application alone, meaning that a certificate produced using either of these methods is not trusted by Chrome.

In most cases, your IT administrator will provide you with the necessary domain certificate. The following script creates a certificate that contains a SAN and exports it from IIS Manager in a format that can then be imported into Monitor.

Save and run the certificate script

To create a domain certificate, your domain must already have a certificate authority, and your machine must have IIS Manager installed. The Windows PowerShell Integrated Scripting Environment (ISE) is recommended for this workflow, as it provides both a script window and a command prompt window.

If a certificate for the hostname already exists on your machine, the script asks if you want to overwrite the existing certificate.

  1. Open the Windows PowerShell ISE application on your machine using the Run as administrator option and create a script.
  2. Copy and paste the certificate script below into the script window of the ISE application.
  3. Save the script as a .ps1 file.

    For example: certificateScript.ps1

  4. In the command prompt panel of the ISE application, change directories to where you saved the script, and run it using the following syntax:

    .\certificateScript.ps1

Certificate script to be run in PowerShell:


function New-CertificateRequest {
    param ( [string]$hostname )
    $CATemplate = "WebServer"
    $CertificateINI = "cert.ini"
    $CertificateREQ = "cert.req"
    $CertificateRSP = "cert.rsp"
    $CertificateCER = "cert.cer"
    $Subject = 'Subject="CN=' + $hostname + '"'
    $FriendlyName = 'FriendlyName=' + $hostname
    $SAN = '_continue_ = "dns=' + $hostname + '&"'

    ### INI file generation
    new-item -type file $CertificateINI -force
    add-content $CertificateINI '[Version]'
    add-content $CertificateINI 'Signature="$Windows NT$"'
    add-content $CertificateINI ''
    add-content $CertificateINI '[NewRequest]'
    add-content $CertificateINI $Subject
    add-content $CertificateINI 'Exportable=TRUE'
    add-content $CertificateINI 'KeyLength=2048'
    add-content $CertificateINI 'KeySpec=1'
    add-content $CertificateINI 'KeyUsage=0xA0'
    add-content $CertificateINI 'MachineKeySet=True'
    add-content $CertificateINI 'ProviderName="Microsoft RSA SChannel Cryptographic Provider"'
    add-content $CertificateINI 'ProviderType=12'
    add-content $CertificateINI 'SMIME=FALSE'
    add-content $CertificateINI 'RequestType=PKCS10'
    add-content $CertificateINI $FriendlyName
    add-content $CertificateINI '[Strings]'
    add-content $CertificateINI 'szOID_ENHANCED_KEY_USAGE = "2.5.29.37"'
    add-content $CertificateINI 'szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"'
    add-content $CertificateINI 'szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"'
    add-content $CertificateINI 'szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"'
    add-content $CertificateINI '[Extensions]'
    add-content $CertificateINI '2.5.29.17 = "{text}"'
    add-content $CertificateINI $SAN

    ### Certificate request generation
    if (test-path $CertificateREQ) {del $CertificateREQ}
    certreq -new $CertificateINI $CertificateREQ
    ### Online certificate request and import
    if ($OnlineCA) {
        if (test-path $CertificateCER) {del $CertificateCER}
        if (test-path $CertificateRSP) {del $CertificateRSP}
        certreq -submit -attrib "CertificateTemplate:$CATemplate" -config $OnlineCA $CertificateREQ $CertificateCER
        certreq -accept $CertificateCER
    }

    ### Delete certificate request files
    if (test-path $CertificateINI) {del $CertificateINI}
    if (test-path $CertificateREQ) {del $CertificateREQ}
    if (test-path $CertificateRSP) {del $CertificateRSP}
    if (test-path $CertificateCER) {del $CertificateCER}
}

## Main
if ($args.length -ne 0) {$hostname = $args[0]}
else {$hostname = "$env:computername.$env:userdnsdomain".ToLower()}

# Check if a CA exists in the domain and if IIS is installed
if (@(certutil -dump | select-string "Config:")) {
    $OnlineCA = (certutil -dump | select-string "Config:")[-1].Line.replace("``",'"').replace("'",'"').split('"')[1]
} else {
    Write-Host "Unable to determine certificate authority (CA) for this domain"
    Exit
}

# Check if a certificate already exists and prompt user to overwrite
if (@(Get-ChildItem cert:\LocalMachine\My | where-object { $_.FriendlyName -eq "$hostname" }).count -ne 0) {
    Write-Host "A certificate for $hostname already exists"
    $reply = Read-Host -Prompt "Overwrite existing certificate? (y/n)"
    if ( $reply -notmatch "[yY]" ) { Exit }
    Get-ChildItem cert:\LocalMachine\My | where-object { $_.FriendlyName -eq "$hostname" } | Remove-Item
}
New-CertificateRequest -hostname $hostname > $null
Write-Host "`nCreated a new certificate for $hostname"

# Export certificate to .pfx (Windows 2012 and higher)
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
if ([Environment]::OSVersion.Version -ge (new-object 'Version' 6,2)) {
    $pfxname = $hostname.Split(".")[0]
    if ($pfxname -eq '*') {$pfxname = "wildcard"}
    $pfxname = $pfxname + ".pfx"
    Remove-Item $scriptPath\$pfxname -ErrorAction Ignore
    $pfxpwd = ConvertTo-SecureString -String "certificate" -Force -AsPlainText
    $cert = (Get-ChildItem cert:\LocalMachine\My | where-object { $_.FriendlyName -eq "$hostname" } | Select-Object -First 1).Thumbprint
    Get-ChildItem -Path cert:\localMachine\My\$cert | Export-PfxCertificate -FilePath $scriptPath\$pfxname -Password $pfxpwd -ChainOption EndEntityCertOnly > $null
    Write-Host "Exported certificate in PFX format with password 'certificate' to"
    Write-Host "    $scriptPath\$pfxname"
}
Note:

If you receive a security exception error message when the script runs, its execution policy must be adjusted. Run the following command to make a temporary change to allow the script to run:

Set-ExecutionPolicy RemoteSigned -scope Process

Import the domain certificate into Monitor

Complete these steps to import the new domain certificate into Monitor:

  1. Access Monitor, if necessary.

    The Home page appears.

  2. Click Administration.

    The Administration page appears.

  3. Click Edit next to HTTP communication settings on the Administration page.

    The HTTP communication settings dialog box appears.

  4. Click Choose file under SSL certificate and choose the .pfx file that contains the domain certificate and its private key.
  5. If your SSL certificate requires a passphrase, provide it in the SSL passphrase text box.
  6. Click Save and restart.

    The CA-signed certificate that you specified is used by Monitor Server for HTTPS requests.

Access Monitor Server

Monitor Server listens on port 30443 for requests when HTTPS is enabled. Use the following URL syntax to securely access Monitor Server:

https://monitorserver.domain.com:30443/arcgis/monitor

Note:

If you rename the Monitor Server machine, you can continue to access it using HTTPS; however, the hostname will no longer match the original certificate. You must generate a new certificate and configure Monitor Server to use it.

Related topics