Introduction
This chapter uses a simple example to show how a missing server certificate can be exported from the browser (Microsoft Edge) and then imported into the trust store (cacerts) of the ArcGIS Server using KeyStore Explorer.
A missing certificate in the trust store often means that, for example, a WMS cannot be loaded or the "Add Data" tool is missing in the Core Client.
Export certificate (e.g., in Microsoft Edge)
- Open the website where the certificate is missing in your browser.
- Click on the lock icon in the address bar.
- Select Connection is secure → Show certificate.
- Check if it is the correct server certificate.
- Click Details → Export...
- The Certificate Export Wizard opens.
- Export format: Base64-encoded ASCII character, single certificate (*.pem;*.crt)
- Select storage location
- Save the .crt file locally.
Import certificate into a trust store (cacerts)
Suitable software is required for this step. We will explain how to import certificates using an example with the KeyStore Explorer program: https://keystore-explorer.org/. However, you can also use other equivalent programs.
Procedure:
- Open KeyStore Explorer as an administrator.
- Select File → Open and open the cacerts file of the ArcGIS Server, located in: "C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security"
- By default, the trust store password is: changeit
- Select Tools → Import Trusted Certificate.
- Import the .crt file previously exported from Edge.
- Save the changes.
- Restart the ArcGIS Server service.
- Reload the resources of the WebOffice project.
The certificate has now been successfully imported and is treated as trusted by ArcGIS Server.
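The same import can be scripted with the JDK's keytool, with a fingerprint check before anything is trusted. This is an added example, not part of the original article; the keytool.exe location under the ArcGIS Server JRE, the alias and the parameter names are assumptions, and the expected SHA-256 fingerprint must be obtained from the server operator over a separate channel. Run it from an elevated PowerShell session.

```powershell
# Added example: verify the exported .crt, then import it into cacerts.
param(
    [Parameter(Mandatory)][string]$CrtPath,   # .crt file exported from Edge
    [Parameter(Mandatory)][string]$Expected,  # SHA-256 fingerprint from the server operator
    [Parameter(Mandatory)][string]$Alias,     # keystore alias of your choice
    [string]$JreHome   = 'C:\Program Files\ArcGIS\Server\framework\runtime\jre',
    [string]$StorePass = 'changeit'           # default named in the article
)
$ErrorActionPreference = 'Stop'

function Get-CertInfo([string]$Path) {
    # X509Certificate2 reads Base64 (PEM) and DER encoded single certificates.
    $full = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($cert.RawData) } finally { $sha.Dispose() }
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Sha256   = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    }
}

$info = Get-CertInfo $CrtPath
$info | Format-List

# Normalise "AB:CD:..." or "ab cd ..." to plain upper-case hex before comparing.
$want = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($info.Sha256 -ne $want)        { throw "Fingerprint mismatch, not importing: $($info.Sha256)" }
if ($info.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($info.NotAfter)" }

$keytool = Join-Path $JreHome 'bin\keytool.exe'   # assumption: the bundled JRE ships keytool
$store   = Join-Path $JreHome 'lib\security\cacerts'

# Keep a rollback copy of the trust store before changing it.
Copy-Item $store "$store.bak-$(Get-Date -Format yyyyMMddHHmmss)"

& $keytool -importcert -noprompt -alias $Alias -file (Resolve-Path $CrtPath).Path `
           -keystore $store -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }

# Confirm the entry is present; keytool prints the stored certificate's fingerprint.
& $keytool -list -alias $Alias -keystore $store -storepass $StorePass
```

As in the manual procedure, the ArcGIS Server service must be restarted afterwards for the new trust store entry to take effect.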
Note for WebOffice and Java cacerts
In addition to the ArcGIS Server trust store, there are Java and WebOffice trust stores into which the certificate must also be imported. These can be found at:
- Java: "C:\Program Files\Java\<version>\lib\security"
- WebOffice: "..\Tomcat\webapps\<WebOffice_application>\WEB-INF\work\truststore\cacerts_weboffice"
As with ArcGIS Server cacerts, the default password for Java cacerts is "changeit". The default password for the WebOffice cacerts is "weboffice4ever". The import into both cacerts can be done via the WebOffice administration page SynAdmin in the "Certificates" tab. This requires that the Apache Tomcat service user has read and write permissions for both directories. Alternatively, the KeyStore Explorer can also be used for the import.