FileMaker Server 14 SSL Certificate Setup For Windows 2012 Server
The following was documented during our initial FileMaker Server 14 setup. We hope it will save others much of the investigation and testing we carried out.
For additional information on setting up a 2-server deployment, see below.
The procedures below assume we are setting up a server as follows:
Please substitute any of the above with your own details when referenced below.
Before starting any work with FileMaker Server, we strongly suggest you make some DNS preparations. For the example below we are using a server name of:
Your server must be named in the FileMaker Server admin console (General Settings, Server Information tab, Server Name) as per the fully qualified domain name (FQDN) used on the SSL certificate; in this case, as above, 'myserver.craftict.co.uk'.
If you've already set the server name in the FileMaker Server admin Console, this can be changed after the SSL certificate has been installed if necessary.
If 'Use SSL for database connections' is selected, any access to the server after the certificate has been installed must be via the FQDN for the green padlock to appear in FileMaker Pro. Access to the FileMaker Server via an IP address will result in the grey padlock, not the green.
However, it is not quite as straightforward as that. For instance, you can follow the procedures below, try to upload your first database using the FileMaker Pro File:Sharing menu, and receive a message such as:
This is a particular problem if the server being configured is to replace a server still in use under the same FQDN (say, for example, a new FileMaker Server 14 replacing an existing FileMaker Server 13), because our new myserver.craftict.co.uk server cannot be accessed via this name.
Even more obvious is if you connect to the FileMaker admin console via a web browser. Connecting to https://220.127.116.11:16000 will display a certificate error. Connecting to the same server using https://myserver.craftict.co.uk:16000 will not display a certificate error.
To overcome this while configuring a replacement server, or if the server's DNS entry hasn't been set up, we recommend editing the hosts file on the new server and on any computer you're using to configure it. Therefore, assuming our server address is 18.104.22.168, we would enter into the hosts file:
(we normally separate these with a tab)
If we are deploying 2 servers for FileMaker (master) and WebDirect (worker), we'd also add a line for the worker computer on both servers (and on any computer you're using to connect to them). When you go live, you can remove these hosts file entries.
To edit the hosts file in Windows:
To do the above on Macs:
In both cases, a # in front of any entry will disable it (sound familiar?)
As a precaution, the command line used below was run with elevated permissions by right-clicking and selecting 'Run as Administrator'.
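The temporary entries above are easy to forget at go-live, and a leftover one silently keeps a machine pointed at the wrong server. The following is an added example, not part of the original write-up: it lists the hosts file entries that are still active for the server names. The sample file content, the 192.0.2.x addresses and the worker name myworkerserver.craftict.co.uk are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the article). Addresses come from
# the 192.0.2.0/24 documentation range; the worker name is an assumption.
SAMPLE_HOSTS = (
    "# sample hosts file\n"
    "127.0.0.1\tlocalhost\n"
    "192.0.2.10\tmyserver.craftict.co.uk   # temporary, remove at go-live\n"
    "#192.0.2.11\tmyworkerserver.craftict.co.uk\n"
)

def active_overrides(hosts_text, fqdns):
    """Return (line_no, ip, name) for each enabled entry naming one of fqdns."""
    wanted = {name.lower().rstrip(".") for name in fqdns}
    found = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        # Everything after '#' is a comment, so a leading '#' disables the line.
        fields = raw.split("#", 1)[0].split()   # split() handles tabs and spaces
        if len(fields) < 2:
            continue                             # blank or comment-only line
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # first field is not an address
        for name in names:
            if name.lower().rstrip(".") in wanted:
                found.append((line_no, ip, name))
    return found

if __name__ == "__main__":
    servers = ["myserver.craftict.co.uk", "myworkerserver.craftict.co.uk"]
    for line_no, ip, name in active_overrides(SAMPLE_HOSTS, servers):
        print(f"line {line_no}: {name} is still pinned to {ip}")
```

To check a real machine, pass the text of its hosts file to `active_overrides` instead of `SAMPLE_HOSTS`; an empty result means name resolution is back under DNS control.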
Create the certificate request
In the command line for the details listed above enter:
Navigate to C:\Program Files\FileMaker\FileMaker Server\CStore\
Open serverRequest.pem with Notepad (created by the above)
Select all, copy contents, close and use below
Purchase the certificate
Go to your chosen certificate issuer's website
Use the contents of your clipboard to paste into the online certificate signing request (CSR) and follow through the website until you receive your certificate by email for the FQDN you've requested.
Create and install the certificate
Upon receipt of the email containing the SSL certificate or a link to the certificate
In the command line enter (substituting your own certificate name):
Providing the above runs without any error messages
Opening a database with 'Open Remote' using the FileMaker Server FQDN (not the IP address) should now display the green padlock in the lower left-hand corner. Using the IP address will result in a grey padlock being displayed.
It is worth noting that the FQDN we were using was already in use on one of our live hosted servers running on another VM. Extensive editing and clearing of the Windows and Mac (used for remote testing) hosts files, along with cache flushes, were needed to swap between the live server and the replacement server.
The 2-server deployment had us scratching our heads for some time and we did have to request help from FileMaker tech support. We are running both a master server (FileMaker Server 14) and a worker server (WebDirect) on the Internet with their own fully qualified domain names. If we follow the example from above, we have:
Our interpretation of the following from the fms14_getting_started_.pdf guide was wrong:
We read from the above that you must use the same certificate on both master and worker server. We were further confused by the following, taken from the FileMaker list of supported SSL certificates:
At this point we were scratching our heads. How can you have 2 servers with different FQDNs using the same SSL certificate, based on the master server, but not use wildcards?
The answer is simple, and came directly from FileMaker: you should use 2 separate SSL certificates, one for each server. Therefore, repeating the procedures above but using the fmsadmin CERTIFICATE command on the worker server to create and then subsequently import a second worker certificate will enable a secure encrypted connection from a browser to the WebDirect server and a secure encrypted connection from FileMaker Pro or FileMaker Go to the FileMaker Server 14 master.
For reference, the certificate request for the worker in this example would be:
Assuming the certificate file was created and saved as 'myworkerserver_craftict_co_uk.crt' in C:\Program Files\FileMaker\FileMaker Server\CStore
Using these procedures we now have green padlocks when connecting using the FQDNs for each server.
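Both the IP-address certificate error and the need for a second certificate on the worker follow from how a TLS client compares the name it connected to with the names in the certificate. The following is an added example, not FileMaker's code: a simplified model of that comparison. The worker FQDN and the 192.0.2.10 address are assumed values, and the certificates are modelled as plain lists of DNS names.

```python
import ipaddress

def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def name_matches(cert_name, host):
    """Compare one DNS name from a certificate with the host the client asked for."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        # A wildcard stands for exactly one non-empty left-most label.
        return len(c) > 2 and bool(h[0]) and c[1:] == h[1:]
    return c == h

def certificate_covers(cert_dns_names, target):
    """True if a certificate holding only DNS names is valid for target."""
    if is_ip_literal(target):
        return False        # an IP address never matches a DNS name
    return any(name_matches(n, target) for n in cert_dns_names)

# Assumed single-name certificates, one per server as the article concludes.
MASTER_CERT = ["myserver.craftict.co.uk"]
WORKER_CERT = ["myworkerserver.craftict.co.uk"]

def check_deployment():
    worker = "myworkerserver.craftict.co.uk"
    return {
        "master via FQDN": certificate_covers(MASTER_CERT, "myserver.craftict.co.uk"),
        "master via IP": certificate_covers(MASTER_CERT, "192.0.2.10"),
        "worker with master's cert": certificate_covers(MASTER_CERT, worker),
        "worker with its own cert": certificate_covers(WORKER_CERT, worker),
    }

if __name__ == "__main__":
    for case, ok in check_deployment().items():
        print(f"{case}: {'match' if ok else 'name mismatch'}")
```

The wildcard branch is included only to show the general rule; the article found that wildcards were not an option for this deployment, which is why each server gets its own single-name certificate.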