When your ArcGIS Notebook Server site is in a production deployment, it should carry a digital certificate signed by an external certificate authority (CA). This topic walks through the steps to generate a new certificate, submit it to be signed by an external CA and, once it has been signed, import it into your ArcGIS Notebook Server site.
If you already have such a certificate, see the topic Configure ArcGIS Notebook Server with an existing CA-signed certificate.
By default, ArcGIS Web Adaptor has HTTPS enabled and will only communicate with ArcGIS Notebook Server over the HTTPS protocol. If you haven't already, enable HTTPS on the web server hosting ArcGIS Web Adaptor. If you have configured a reverse proxy server with your ArcGIS Notebook Server site, ensure HTTPS is enabled on the reverse proxy server as well.
Create a new self-signed certificate
- Sign in to the ArcGIS Notebook Server Administrator Directory at https://notebookserver.domain.com:11443/arcgis/admin.
- Browse to machines > [machine name] > sslcertificates.
- Click generate.
- Provide values for the parameters on this page:
  - Alias: A unique name that easily identifies the certificate.
  - Key Algorithm: Use RSA (the default) or DSA.
  - Key Size: Specifies the size in bits to use when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For DSA, the key size can be between 512 and 1,024. For RSA, the recommended key size is 2,048 or greater.
  - Signature Algorithm: Use the default (SHA1withRSA). If your organization has specific security restrictions, one of the following algorithms can be used for DSA: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withDSA.
  - Common Name: Use the domain name of your server as the common name.
    If your server will be accessed on the internet through the URL https://www.notebookserver.com:11443/arcgis/, use www.notebookserver.com as the common name.
    If your server will only be accessible on your local area network (LAN) through the URL https://notebookserver.domain.com:11443/arcgis, use notebookserver.domain.com as the common name.
  - Organizational Unit: The name of your organizational unit, for example, GIS Department.
  - Organization: The name of your organization, for example, Esri.
  - City or Locality: The name of the city or locality, for example, Redlands.
  - State or Province: The full name of your state or province, for example, California.
  - Country Code: The abbreviated code for your country, for example, US.
  - Validity: The total time in days during which this certificate will be valid, for example, 365.
  - Subject Alternative Name: The subject alternative name (SAN) is an optional parameter that defines alternatives to the common name (CN) specified in the certificate. There cannot be any spaces in the SAN parameter value.
    It's recommended that you include a SAN, as some web browsers now require certificates to have one in order to be trusted.
    If this parameter is left empty, the fully qualified domain name of the local machine is used as the default value. The SAN field supports multiple values; however, it must include the fully qualified domain name of the website. For example, the URLs https://www.esri.com, https://esri, and https://10.60.1.16 can be used to access the same site if the certificate is created using the following SAN parameter value:
    DNS:www.esri.com,DNS:esri,IP:10.60.1.16
- Click Generate to generate the certificate.
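The SAN rules described above (no spaces, and the website's fully qualified domain name must be present) can be checked before the value is pasted into the form. The following Python sketch is an added example, not Esri code; the function names build_san and check_san are hypothetical, and it accepts only the DNS: and IP: entry types shown in the sample value.

```python
import ipaddress


def build_san(fqdn, dns_names=(), ips=()):
    """Build a SAN parameter value with the site FQDN listed first."""
    names = [fqdn] + [n for n in dns_names if n != fqdn]
    entries = ["DNS:" + n for n in names]
    # ip_address() raises ValueError on a malformed address.
    entries += ["IP:" + str(ipaddress.ip_address(ip)) for ip in ips]
    return ",".join(entries)  # comma only: the value must not contain spaces


def check_san(value, fqdn):
    """Return a list of problems found in a SAN parameter value."""
    problems = []
    if any(ch.isspace() for ch in value):
        problems.append("contains whitespace")
    dns_names = set()
    for entry in value.split(","):
        # Split on the first colon only, so IPv6 addresses stay intact.
        kind, sep, name = entry.strip().partition(":")
        if not sep or not name:
            problems.append(f"malformed entry: {entry!r}")
        elif kind == "DNS":
            dns_names.add(name.lower())
        elif kind == "IP":
            try:
                ipaddress.ip_address(name)
            except ValueError:
                problems.append(f"invalid IP address: {name!r}")
        else:
            # Assumption: only the DNS and IP types from the page are allowed.
            problems.append(f"unsupported entry type: {kind!r}")
    if fqdn.lower() not in dns_names:
        problems.append(f"missing site FQDN: {fqdn}")
    return problems


if __name__ == "__main__":
    # Constructed inputs based on the sample value in the text.
    san = build_san("www.esri.com", ["esri"], ["10.60.1.16"])
    print(san, check_san(san, "www.esri.com"))
    print(check_san("DNS:www.esri.com, DNS:esri", "www.esri.com"))
```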
Request a CA to sign your certificate
Next, request that a CA sign your certificate by completing the following steps:
- Open the self-signed certificate you created in the previous section and click generateCSR. Copy the contents into a file, usually with a .csr extension.
- Submit the CSR to a CA of your choice. You can obtain a Distinguished Encoding Rules (DER) or Base64 encoded certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, the CA will send you a .crt or .cer file.
- Save the signed certificate you received from the CA to a location on your computer. In addition to the signed certificate, the CA will also issue a root certificate. Save the CA root certificate to your computer.
- Sign in to the ArcGIS Notebook Server Administrator Directory: https://notebookserver.domain.com:11443/arcgis/admin.
- Click machines > [machine name] > sslcertificates > importRootOrIntermediate to import the root certificate provided by the CA. If the CA issued any additional intermediate certificates, import those as well.
- Browse to machines > [machine name] > sslcertificates.
- Click the name of the self-signed certificate that you submitted to the CA.
- Click importSignedCertificate and browse to the location where you saved the signed certificate you received from the CA.
- Click Submit. This replaces the self-signed certificate you created in the previous section with the CA-signed certificate.
Configure ArcGIS Notebook Server to use the certificate
To specify the certificate that ArcGIS Notebook Server should use, complete the following steps:
- Sign in to the ArcGIS Notebook Server Administrator Directory at https://notebookserver.domain.com:11443/arcgis/admin.
- Browse to machines > [machine name].
- Click edit.
- Type the name of the certificate that you want to use in the Web server SSL Certificate field.
- Click Save Edits to apply your change. This automatically restarts your ArcGIS Notebook Server site.
- After your site has restarted, verify that you can access the URL https://notebookserver.domain.com:11443/arcgis/admin. If you do not get a response from this URL, ArcGIS Notebook Server was unable to use the specified SSL certificate.
- On the current page, view the property Web server SSL Certificate to verify that the desired certificate will be used for HTTPS.
Access your site
With HTTPS enabled by default, ArcGIS Notebook Server listens on port 11443 for requests. Access the Administrator Directory at https://notebookserver.domain.com:11443/arcgis/admin or https://notebookwebadaptor.domain.com/notebook/admin.