Import certificates

ArcGIS Enterprise on Kubernetes uses two types of digital certificates: identity certificates and trust certificates. Both can be imported using ArcGIS Enterprise Manager or the ArcGIS Enterprise Administrator Directory. You can use ArcGIS Enterprise Manager to view, assign, and remove certificates.

Import an identity certificate

An identity certificate contains a public key, a private key, and information about the owner and the issuer of the certificate. This is typically stored in PKCS12 format (.pfx or .p12 file). The common use case of an identity certificate is on a web server. ArcGIS Enterprise uses identity certificates in its web servers to allow clients to connect to ArcGIS Enterprise securely. When a client, such as a web browser, attempts to communicate with a web server, the web server sends the public portion of the identity certificate to the client. The client must validate the certificate and ensure that the remote computer is trustworthy before sending information to it. That trust is established through trust certificates.

The identity certificate you imported during initial ArcGIS Enterprise on Kubernetes configuration remains in your organization and is assigned to the ingress controller.

You can import new identity certificates at any time using ArcGIS Enterprise Manager. Any imported identity certificate can be assigned to the ingress controller to replace the initial certificate.

To import a new identity certificate and, optionally, assign it to the ingress controller, complete the following steps:

  1. Sign in to ArcGIS Enterprise Manager.
  2. Click the Security page tab.
  3. On the Overview tab, review your organization's certificates in the Active Certificates list as well as your identity store in the Identity Store list.
  4. Optionally, assign an active certificate to secure the organization's ingress controller.
  5. Click the TLS Certificates tab and review the available identity certificates and trust certificates.
  6. Click Import Certificate and browse to and select the certificate, which must be a .pfx or .p12 file.
  7. Provide the following information:
    • Certificate name (alias)—Enter a unique name that easily identifies the certificate.
    • Password—Enter the password to unlock the file containing the certificate.
    • Import certificate chain included in the PFX file—When selected, any root or intermediate certificates included in the .pfx or .p12 file will be imported as well. The alias for these certificates will match the alias entered above and be appended with either _root or _intermediate depending on the certificate.
  8. Click Import.
  9. In the Identity Certificates list, click Assign, and select Ingress controller to use the new certificate.

The ingress controller pod for your organization restarts automatically with the new certificate. The certificate previously assigned to the ingress controller remains unused in your organization.
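A pre-import check for steps 6 and 7, as an added example that is not part of the original documentation: it uses the openssl CLI to list the certificates inside a .pfx or .p12 bundle and labels each chain certificate as root or intermediate, so you can see what the chain-import option would bring in. The sample bundle, its subjects, and the password are constructed. Treating a certificate whose subject equals its issuer as a root is an assumption, because the page does not state how ArcGIS Enterprise Manager classifies them.

```shell
# Added example: pre-import check for a .pfx/.p12 bundle; all sample values are constructed.

# Build a constructed root -> intermediate -> leaf chain and bundle it as $1/sample.pfx.
make_sample_pfx() {
    ( cd "$1" && {
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Root" \
            -keyout root.key -out root.crt
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
            -keyout int.key -out int.csr
        openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 \
            -days 30 -out int.crt
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Leaf" \
            -keyout leaf.key -out leaf.csr
        openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -set_serial 3 \
            -days 30 -out leaf.crt
        cat int.crt root.crt > chain.pem
        openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile chain.pem \
            -passout pass:changeit -out sample.pfx
    } ) >/dev/null 2>&1
}

# Print "role<TAB>subject<TAB>notAfter" for the PEM certificate in $2.
describe() {
    printf '%s\t%s\t%s\n' "$1" "$(openssl x509 -in "$2" -noout -subject)" \
        "$(openssl x509 -in "$2" -noout -enddate)"
}

# List every certificate in bundle $1 (password $2); non-zero if it cannot be opened.
pfx_report() {
    work=$(mktemp -d) || return 1
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -out "$work/leaf.pem" 2>/dev/null ||
        { echo "no identity certificate readable in $1" >&2; rm -rf "$work"; return 1; }
    describe leaf "$work/leaf.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null |
        awk -v d="$work" '/BEGIN CERTIFICATE/ { n++ } n { print > (d "/ca" n ".pem") }'
    for c in "$work"/ca*.pem; do
        [ -e "$c" ] || continue          # bundle carries no chain certificates
        # Assumption: subject == issuer marks a root; anything else is an intermediate.
        if [ "$(openssl x509 -in "$c" -noout -subject_hash)" = \
             "$(openssl x509 -in "$c" -noout -issuer_hash)" ]; then
            describe root "$c"
        else
            describe intermediate "$c"
        fi
    done
    rm -rf "$work"
}

demo=$(mktemp -d) && make_sample_pfx "$demo" && pfx_report "$demo/sample.pfx" changeit
```
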

Import a trust certificate

A trust certificate contains information about a certificate issuer or certificate authority. It is typically stored in PEM format (.cer or .crt file) or the binary .der file format. Organizations called certificate authorities (CAs) sign certificates indicating that they have verified the identity of the web server and the organization operating the web server. These CAs have their own certificates, which are broadly distributed and trusted by web browsers, operating systems, and client applications. Trust certificates help a client determine whether a particular web server is trustworthy. Providing trust certificates to ArcGIS Enterprise ensures that when ArcGIS Enterprise connects to remote computers, it can determine whether the remote computer is trustworthy.

Tip:

While identity certificates must be assigned to a component for use, trust certificates do not need to be assigned.

To import a new trust certificate for use in your organization, complete the following steps:

  1. Sign in to ArcGIS Enterprise Manager.
  2. Click the lock button to open the Security page.
  3. On the Overview tab, review your organization's certificates and identity store in the Active Certificates and Identity Store lists, respectively.
  4. Click the TLS Certificates tab to review the available certificates in the Identity Certificates and Trust Certificates lists.
  5. Open the Trust Certificates list and click Import Certificate.
  6. Browse to the new certificate, which must be a .cer, .der, or .crt file.
  7. Provide a certificate name (alias) and click Import.

The trust certificate is available for use by your organization.