If security is important to your operations, all machines running FileMaker Server should have a custom SSL certificate. The standard FileMaker SSL certificate installed by default is available for test purposes only. Follow the process in this article to obtain a new certificate or replace an expired certificate.
Purchase a Fully Qualified Domain Name (FQDN)
Your Fully Qualified Domain Name (FQDN) is the public-facing address that you would like to use to access FileMaker Server. To obtain a FQDN, you must register your unique domain name with a DNS registrar who keeps the domain in sync with your server's IP address. Please keep the following points in mind:
- If you already own a domain, you may purchase a subdomain (such as subdomain.currentdomain.com) instead of getting an entirely new domain.
- For multi-machine deployments, each machine should have its own domain or subdomain. For example, server1.domain.com and server2.domain.com.
- When you purchase a new domain, you may receive a new email account through the DNS registrar that you can use to validate that you are the owner of the domain.
Create a CSR for the domain name
A certificate signing request (CSR) is an encoded file containing information about your domain, including the domain name, company, etc. When purchasing an SSL certificate, the CSR tells the Certificate Authority what domain to issue the certificate for.
To create a CSR:
- macOS: Open Terminal and run the command:
    fmsadmin certificate create <fqdn>
- Windows: Open Command Prompt (cmd) as an administrator and run the commands:
    cd "C:\Program Files\FileMaker\FileMaker Server\Database Server"
    fmsadmin certificate create <fqdn>
This will create the following files in /FileMaker Server/CStore/:
- serverRequest.pem: CSR required for the SSL purchase process.
- serverKey.pem: private key file required for the certificate import process.
Multi-machine deployments: Go to each machine in the deployment and run the commands to create a CSR for each machine.
Import the certificate into FileMaker Server
After the purchase, you will receive an email from the CA containing your server certificate (matching your domain name) and additional intermediate certificates. Only the server certificate needs to be imported. The certificate should be in Base64 PEM format. Common extensions are .pem, .crt, or .cer.
To import the certificate:
- Run the import command via command prompt:
    - macOS: Open Terminal and run the command:
        fmsadmin certificate import <path to certificate>
    - Windows: Open Command Prompt (cmd) as an administrator and run the commands:
        cd "C:\Program Files\FileMaker\FileMaker Server\Database Server"
        fmsadmin certificate import <path to certificate>
- Go to the Admin Console (https://<ServerAddress>:16000/admin-console) > Database Server > Security.
- Enable 'Use SSL for database connections'.
- Click Save at the bottom of the Admin Console window.
- Restart FileMaker Server.
Multi-machine deployments: Run these commands on each machine in the deployment to import each matching certificate, then restart FileMaker Server on all machines.
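In a multi-machine deployment it is easy to import a certificate on a machine other than the one whose CSR it was issued for. The following added example (not part of the original article or of FileMaker's tooling) uses the openssl command line to confirm, before import, that the file from the CA is PEM, carries the same public key as serverRequest.pem, and has not expired. The function name and file arguments are assumptions.

```shell
#!/bin/sh
# Added example (not FileMaker tooling): sanity-check a CA-issued certificate
# against the CSR from `fmsadmin certificate create` before importing it.
# The function name and file arguments are assumptions for illustration.

# check_issued_cert <serverRequest.pem> <certificate-from-CA>
# Returns 0 when the certificate is PEM, carries the CSR's public key and
# has not expired; otherwise prints the reason and returns non-zero.
check_issued_cert() {
    csr=$1
    cert=$2

    # The import expects Base64 PEM; a DER file has no PEM header line.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert is not PEM encoded" >&2
        return 2
    fi

    # Public key inside the CSR that was sent to the CA.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read CSR $csr" >&2
        return 3
    }
    # Public key the CA certified.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot parse certificate $cert" >&2
        return 3
    }

    # A mismatch means the certificate belongs to another machine's CSR,
    # so it will not pair with this machine's serverKey.pem.
    if [ "$csr_pub" != "$cert_pub" ]; then
        echo "FAIL: certificate public key does not match the CSR" >&2
        return 4
    fi

    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired" >&2
        return 5
    fi

    # Print identity fields for a manual comparison against the FQDN.
    openssl x509 -in "$cert" -noout -subject -enddate
    echo "OK: certificate matches the CSR and is currently valid"
}
```

Comparing against the CSR rather than serverKey.pem means the private key never has to be read or decrypted for the check.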
Test the SSL certificate
After importing the certificate, a file named serverCustom.pem should be created in /FileMaker Server/CStore. This is your server’s custom SSL certificate.
- Database Server test: Use FileMaker Pro to connect to a hosted file and check the security lock icons in the bottom-left corner of the window.
- Web Server test: Connect to the FQDN of your web server over https (https://<fqdn>) in a browser and check the security lock icon in the address bar.