How to Generate Certificate Signing Request on FileMaker Server 15 and Later
This article explains in detail how to generate a certificate signing request on FileMaker Server 15 and later.
- FileMaker Server
- 15.x
If security is important to your operations, all machines running FileMaker Server should have a custom SSL certificate. The standard FileMaker SSL certificate installed by default is available for test purposes only. Follow the process in this article to obtain a new certificate or replace an expired certificate.
Purchase a Fully Qualified Domain Name (FQDN)
Your Fully Qualified Domain Name (FQDN) is the public-facing address that you would like to use to access FileMaker Server. To obtain a FQDN, you must register your unique domain name with a DNS registrar who keeps the domain in sync with your server's IP address. Please keep the following points in mind:
- If you already own a domain, you may instead purchase a subdomain (such as subdomain.currentdomain.com) instead of getting an entirely new domain.
- For multi-machine deployments, each machine should have its own domain or subdomain. For example, server1.domain.com and server2.domain.com.
- When you purchase a new domain, you may receive a new email account through the DNS registrar that you can use to validate that you are the owner of the domain.
Create a CSR for the domain name
A certificate signing request (CSR) is an encoded file containing information about your domain, including the domain name, company, etc. When purchasing an SSL certificate, the CSR tells the Certificate Authority what domain to issue the certificate for.
To create a CSR:
- Go to the Admin Console (https://<ServerAddress>:16000/admin-console) > Database Server > Security
- Enable "Use SSL for database connections".
- Click "Create Certificate Request"
- Specify your domain name, company name, and a private key password. For wildcard certificates, specify the domain name using an asterisk *.<yourdomain.com> instead of subdomain.currentdomain.com. Wildcard certificates are recommended for multi-machine deployments.
- Click Next. This will create the following files in /FileMaker Server/CStore/ :
- serverRequest.pem: CSR required for the SSL purchase process.
- serverKey.pem: private key file required for the certificate import process.
- Click Download to save a copy of serverRequest.pem to your Downloads folder.
Purchase a SSL certificate
Select a SSL certificate to purchase from a Certificate Authority (CA).
- Paste or upload the contents of your CSR: Open serverRequest.pem in a text editor and copy the entire contents into the space provided on the CA's website, including the -Begin Certificate Request- and -End Certificate Request- lines.
- Provide the server's FQDN.
- Select a signature hash algorithm (use SHA-2 with SHA-1 root).
- Select "Other" as the server software used to generate the CSR.
- Validate by email that you are the owner of the domain name specified in the CSR.
Multi-machine deployments: purchase a wildcard certificate that can be imported on all machines.
Import the certificate into FileMaker Server
After the purchase, you will receive an email from the CA containing your server certificate (matching your domain name) and required intermediate certificates. All certificates should be in Base64 PEM format. Common extensions are .pem, .crt, or .cer.
To import the certificate:
- Go to the Admin Console > Database Server > Security
- Click on Import Certificate.
- Specify the following:
- server certificate: its file name will match your domain name
- intermediate certificate: comes with server certificate
- private key file: serverKey.pem located in /FileMaker Server/CStore/
- private key password: specified during CSR creation
- Click Save at the bottom of the Admin Console window.
- Restart FileMaker Server.
NOTE: Certificates requested in FileMaker Server 14 or earlier using "fmsadmin certificate create" cannot be imported into FileMaker Server 15 and higher. Use the process in this article to create a new CSR.
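Before submitting serverRequest.pem to the CA, and again before importing the issued certificate, you can confirm that each carries the public key of serverKey.pem and that the CSR names the intended domain. The following is an added example using the openssl command-line tool, not part of FileMaker's own tooling; the function names and the KEYPASS environment variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not FileMaker tooling). Requires the openssl CLI.
# The private key password is read from the KEYPASS environment variable
# (an assumed name) so that it does not appear in the process list.

# Print the public key (PEM) carried by a CSR, a certificate or a private key.
# $1 = csr | cert | key, $2 = path to the PEM file
pubkey_pem() {
    case "$1" in
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -passin env:KEYPASS -pubout ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# Succeed only if both files parse and carry the same public key.
# $1/$2 = kind and path of the first file, $3/$4 = kind and path of the second
same_key() {
    a=$(pubkey_pem "$1" "$2") || return 1
    b=$(pubkey_pem "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the subject of a CSR so the domain name (or wildcard) can be
# checked before the request is sent to the CA.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Usage, run from a directory holding copies of the files:
#   export KEYPASS            # set beforehand without echoing it to the screen
#   csr_subject serverRequest.pem
#   same_key csr  serverRequest.pem       key serverKey.pem && echo "CSR matches key"
#   same_key cert "<server certificate>"  key serverKey.pem && echo "certificate matches key"
```

A certificate that does not match serverKey.pem usually means it was issued for a different CSR than the one currently in CStore.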
Multi-machine deployments: Import the certificate onto the worker machine
- Copy the following files from the master machine to any directory on the worker machine:
- server certificate: its file name will match your domain name
- intermediate certificate: comes with server certificate
- private key file: serverKey.pem located in /FileMaker Server/CStore/
- Import the same certificate on the worker machine via command prompt:
- macOS: Open Terminal and run the command:
fmsadmin certificate import <path to server certificate> --keyfile <path to serverKey.pem> --keyfilepass <private key password> --IntermediateCA <path to intermediate certificate>
- Windows: Open Command Prompt (cmd) as an administrator and run the commands:
cd "C:\Program Files\FileMaker\FileMaker Server\Database Server"
fmsadmin certificate import <path to server certificate> --keyfile <path to serverKey.pem> --keyfilepass <private key password> --IntermediateCA <path to intermediate certificate>
- Restart all machines in the deployment.
Test the SSL certificate
After importing the certificate, a file named serverCustom.pem should be created in /FileMaker Server/CStore. This is your server's custom SSL certificate.
- Database Server test: Use FileMaker Pro to connect to a hosted file and check the security lock icons in the bottom-left corner of the window.
- Web Server test: Connect to the FQDN of your web server over https (https://<fqdn>) in a browser and check the security lock icon in the address bar.