How to Generate Certificate Signing Request on FileMaker Server 14 and Earlier

Products

• FileMaker Server
• 14.x
• 13.x

If security is important to your operations, all machines running FileMaker Server should have a custom SSL certificate. The standard FileMaker SSL certificate installed by default is available for test purposes only. Follow the process in this article to obtain a new certificate or replace an expired certificate.

Purchase a Fully Qualified Domain Name (FQDN)

Your Fully Qualified Domain Name (FQDN) is the public-facing address that you would like to use to access FileMaker Server. To obtain a FQDN, you must register your unique domain name with a DNS registrar who keeps the domain in sync with your server's IP address. Please keep the following points in mind:

• If you already own a domain, you may instead purchase a subdomain (such as subdomain.currentdomain.com) instead of getting an entirely new domain.
• For multi-machine deployments, each machine should have its own domain or subdomain. For example, server1.domain.com and server2.domain.com.
• When you purchase a new domain, you may recieve a new email account through the DNS registrar that you can use to validate that you are the owner of the domain.

Create a CSR for the domain name

A create a certificate signing request (CSR) is a hash file containing information about your domain, including the domain name, company, etc. When purchasing a SSL certificate, the CSR tells the Certificate Authority what domain to issue the certificate for.

To create a CSR:

• macOS: Open Terminal and run the command:
  fmsadmin certificate create <fqdn>
• Windows: Open Command Prompt (cmd) as an administrator and run the commands:
  cd "C:\Program Files\FileMaker\FileMaker Server\Database Server"
  fmsadmin certificate create <fqdn>

This will create the following files in /FileMaker Server/CStore/ :

• serverRequest.pem: CSR required for the SSL purchase process.
• serverKey.pem: private key file required for the certificate import process.

Multi-machine deployments: Go to each machine in the deployment and run the commands to create a CSR for each machine.

Purchase a SSL certificate

• Paste or upload the contents of your CSR: Open serverRequest.pem in a text editor and copy the entire contents into the space provided on the CAs website. (Including -Begin Certificate Request- and -End Certificate Request-)
• Provide the servers FQDN.
• Select a signature hash algorithm (use SHA-2 with SHA-1 root).
• Select "Other" as the server software used to generate the CSR.
• Validate by email that you are the owner of the domain name specified in the CSR.

Multi-machine deployments: Use each machines CSR to purchase a separate certificate for each machine.

Import the certificate into FileMaker Server

After the purchase, you will recieve an email from the CA containing your server certificate (matching your domain name) and additional intermediate certificates. Only the server certificate needs to be imported. The certificate should be in Base64 PEM format. Common extensions are .pem, .crt, or .cer.

To import the certificate:

1. Run the import command via command prompt:
   • macOS: Open Terminal and run the command:
     fmsadmin certificate import <path to certificate>
   • Windows: Open Command Prompt (cmd) as an administrator and run the commands:
     cd "C:\Program Files\FileMaker\FileMaker Server\Database Server"
     fmsadmin certificate import <path to certificate>
2. Go to the Admin Console (https://<ServerAddress>:16000/admin-console) > Database Server > Security
3. Enable "Use SSL for database connections"
4. Click Save at the bottom of the Admin Console window.
5. Restart FileMaker Server

Multi-machine deployments: Run these commands on each machine in the deployment to import each matching certificate, then restart FileMaker Server on all machines.

Test the SSL certificate

After importing the certificate, a file named serverCustom.pem should be created in /FileMaker Server/CStore. This is your servers custom SSL certificate.

• Database Server test: Use FileMaker Pro to connect to a hosted file and check the security lock icons in the bottom-left corner of the window.
• Web Server test: Connect to the FQDN of your web server over https (https://<fqdn>) in a browser and check the security lock icon in the address bar.