
FileMaker Server SSL Certificates

NOTE: IS&T recommends that IS&T Managed Servers be used for hosting FileMaker databases.
Only experienced server administrators should attempt to host FileMaker databases themselves, particularly where databases with sensitive data and/or mission-critical functions will be housed. The following web page offers MIT-specific configuration recommendations to help mitigate security risks in the FileMaker hosting environment. In a changing computing landscape, these recommendations in no way guarantee a maintenance-free or risk-free hosting environment.

Note: The information on this page is accurate for FileMaker Server 16. Certain settings and features may differ for prior versions.

Overview

SSL allows for the encryption of data passed between FileMaker Server and FileMaker clients, as well as the web browser-based FileMaker Server Admin Console. A critical component of this function is the SSL certificate residing on the server. The FileMaker Server application ships with a self-signed SSL certificate that does not verify the server name. This default certificate is intended only for test purposes, and a custom SSL certificate is required for production use.

Instructions for Enabling SSL and Installing a Custom SSL Certificate

Instructions for configuring FileMaker Server to use SSL and requesting and installing a custom SSL certificate are provided here with the caveat that this process is best done by someone with server administration experience.

Some notes before we begin:

  • If you are using IS&T's managed hosting service, you do not need to worry about this process; it is all handled for you.
  • The following assumes that your server machine has already been set up with FileMaker Server installed and configured. Refer to Installing and Configuring FileMaker Server for more information on that process.
  • These instructions are for Windows servers only; the various file paths and FileMaker CLI commands will differ for Macintosh servers.

Configuring FileMaker Server for SSL

  1. In the Admin Console > Database Server > Security tab, make sure "Use SSL for database connections" and "Use HSTS for web clients" are checked. Note that modifications to these settings require stopping and restarting FileMaker Server; do this now if applicable. Under SSL Connections, the Information note will read "Warning: The standard FileMaker SSL certificate installed by default on this server is available for test purposes only. A custom SSL certificate is required for production use."
  2. In the FileMaker Server Admin Console > General Settings > Server Information tab, the Server Name should be entered with the fully qualified domain name (FQDN), i.e. <your hostname>.mit.edu.

Requesting and Installing a Custom SSL Certificate

Starting with FileMaker Server 15, the process for requesting and importing initial certificates can be managed through the Admin Console as well as the command line interface. In earlier versions, the process must be done via the command line.

Using the Admin Console

  1. In the Admin Console, navigate to the Database Server pane > Security tab. Under SSL Connections, the Information note will read "Warning: The standard FileMaker SSL certificate installed by default on this server is available for test purposes only. A custom SSL certificate is required for production use."
  2. Select the option to Create Request.
  3. In the Create Certificate Signing Request dialog, fill out the request form. Enter the server's FQDN, organization = MIT, country = US, and State = Massachusetts. You will also need to enter an encryption key password, which you will use again later when you import the certificate. Then click Create.
  4. When the request has been created, you will be given the option to download the certificate signing request file, serverRequest.pem. Go ahead and do this now. (Alternately, you can retrieve this file later on the server machine in the C:\Program Files\FileMaker\FileMaker Server\CStore directory.) Then click Close.
  5. Send an email to mitcert@mit.edu requesting a Comodo Elite SSL certificate for use with your FileMaker Server machine. Include the hostname and attach the serverRequest.pem file with a note that the certificate request info is in the attachment.
  6. The custom certificate will be returned via email, generally within a day or two. The email will contain links to multiple formats of your new certificate. Download the signed certificate file labeled "X509 Certificate only, Base64 encoded," and the intermediate certificate file labeled "X509 Intermediates/root only, Base64 encoded." The resulting certificate files will be named <your FQDN>_cert.cer and <your FQDN>_interm.cer, respectively, with dots in the FQDN replaced with underscores.
  7. Before returning to the Admin Console to import the certificate, you will need physical access to the signed and intermediate certificate files detailed above. You will also need access to the private key file, serverKey.pem, which was created when you made the certificate request and is located in the FileMaker Server\CStore directory. Depending on where you are running the Admin Console (e.g. directly on the server machine, or in a browser on your local machine), you may need to move one or more of these files around in order to have file browser access to all three files.
  8. Return to the Admin Console > Database Server pane > Security tab. Select the Import Certificate option.
  9. In the Import Certificate dialog, browse for and select the signed certificate file, private key file, and intermediate certificate file (the three files detailed above). Also enter the private key password which you set during the request process. Then click Import.
  10. You should see the following confirmation message: "Certificate imported successfully. Restart the FileMaker Server service (Windows) or FileMaker Server background processes (macOS) to apply the change."
  11. In the Admin Console > Status pane, stop FileMaker Server.
  12. Open the Windows Services Manager (via Control Panel > Administrative Tools > View local services) and restart the FileMaker Server service.
  13. Return to the FileMaker Server Admin Console (note that you will need to log back in after restarting the FileMaker Server service). In the Database Server pane > Security tab, under SSL Connections, the Information note should now read "The custom SSL certificate installed on this server originated from a certificate authority supported by FileMaker." This confirms that the certificate has been properly installed and that SSL is ready for production use.
  14. Make a backup of the serverRequest.pem and serverKey.pem files located in the FileMaker Server\CStore directory, along with the two certificate files and documentation of your encryption key password, and place these in a separate location on the server outside of the FileMaker Server directory. Should you need to reinstall FileMaker Server for any reason, you can install the existing certificate; see Installing an Existing Certificate below for more information.

Using the Command Line Interface

  1. Copy the following FileMaker Server CLI command into the command line prompt on the server, and run the command. Be sure to replace <your FQDN> with your actual FQDN and <secret> with a desired encryption key password.

    fmsadmin certificate create "/CN=<your FQDN>/O=MIT/C=US/ST=Massachusetts" --keyfilepass <secret>

  2. Two files, serverKey.pem and serverRequest.pem, will have been generated by the above command in the following folder: C:\Program Files\FileMaker\FileMaker Server\CStore\.
  3. Send an email to mitcert@mit.edu requesting a Comodo Elite SSL certificate for use with your FileMaker Server machine. Include the hostname and attach the serverRequest.pem file with a note that the certificate request info is in the attachment.
  4. The custom certificate will be returned via email, generally within a day or two. The email will contain links to multiple formats of your new certificate. Download the signed certificate file labeled "X509 Certificate only, Base64 encoded," and the intermediate certificate file labeled "X509 Intermediates/root only, Base64 encoded." The resulting certificate files will be named <your FQDN>_cert.cer and <your FQDN>_interm.cer, respectively, with dots in the FQDN replaced with underscores. Copy the files to the FileMaker Server\CStore directory (path noted above).
  5. Copy the following FileMaker Server CLI command into the command line prompt on the server, and run the command. Be sure to replace <your FQDN> with your actual FQDN, but with dots replaced with underscores as noted in the certificate filename above, and replace <secret> with the private key password you entered above.

    fmsadmin certificate import "C:\Program Files\FileMaker\FileMaker Server\CStore\<your FQDN>_cert.cer" --intermediateCA "C:\Program Files\FileMaker\FileMaker Server\CStore\<your FQDN>_interm.cer" --keyfilepass <secret>

  6. In the Admin Console > Status pane, stop and restart FileMaker Server.
  7. Open the Windows Services Manager (via Control Panel > Administrative Tools > View local services) and restart the FileMaker Server service.
  8. Return to the FileMaker Server Admin Console (note that you will need to log back in after restarting the FileMaker Server service). In the Database Server pane > Security tab, under SSL Connections, the Information note should now read "The custom SSL certificate installed on this server originated from a certificate authority supported by FileMaker." This confirms that the certificate has been properly installed and that SSL is ready for production use.
  9. Make a backup of the serverRequest.pem and serverKey.pem files located in the FileMaker Server\CStore directory, along with the two certificate files and documentation of your encryption key password, and place these in a separate location on the server outside of the FileMaker Server directory. Should you need to reinstall FileMaker Server for any reason, you can install the existing certificate; see Installing an Existing Certificate below for more information.
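
A check worth running between steps 4 and 5, before the import: the PowerShell below is an added example, not part of the original instructions or of FileMaker's tooling. It assumes both .cer files are Base64 (PEM) text and have been copied to the CStore folder; the function names Read-PemCertificates and Test-ReturnedCertificate are hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Read every PEM certificate block in a Base64-encoded .cer file
# (the intermediates/root file may hold more than one certificate).
function Read-PemCertificates([string]$Path) {
    $pem = Get-Content -LiteralPath $Path -Raw
    $rx  = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($pem, $rx, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [X509Certificate2]::new($der)
    }
}

function Test-ReturnedCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$CStore = 'C:\Program Files\FileMaker\FileMaker Server\CStore'
    )
    $base   = $Fqdn -replace '\.', '_'      # file names use underscores for dots
    $server = @(Read-PemCertificates (Join-Path $CStore "${base}_cert.cer"))[0]
    $inter  = @(Read-PemCertificates (Join-Path $CStore "${base}_interm.cer"))
    if (-not $server) { throw "No PEM certificate found in ${base}_cert.cer" }

    # ExtraStore supplements the Windows certificate stores during chain building.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # no network lookups
    foreach ($c in $inter) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $chainOk = $chain.Build($server)

    $now = Get-Date
    [pscustomobject]@{
        Subject        = $server.Subject
        NameMatches    = $server.GetNameInfo([X509NameType]::SimpleName, $false) -eq $Fqdn
        InValidity     = ($server.NotBefore -le $now) -and ($now -le $server.NotAfter)
        NotAfter       = $server.NotAfter
        IssuerInBundle = [bool]($inter | Where-Object { $_.Subject -eq $server.Issuer })
        ChainBuilds    = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (replace the placeholder with the server's real FQDN):
# Test-ReturnedCertificate -Fqdn '<your hostname>.mit.edu'
```

NameMatches, InValidity, IssuerInBundle and ChainBuilds should all be True before you run the import command; a False IssuerInBundle usually means the wrong intermediate file was downloaded.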

Installing an Existing Certificate

If you have a server with an existing custom SSL certificate and need to re-install FileMaker Server for any reason, such as when migrating to a new version of FileMaker Server or migrating to a new server machine, you can bypass the certificate request process as follows:

  1. If you haven't already (as described above), make a backup of the serverRequest.pem and serverKey.pem files located in the FileMaker Server\CStore directory, along with the two certificate files, and have your encryption key password handy.
  2. Perform the FileMaker Server migration, whether it be uninstalling and reinstalling FileMaker Server on the same machine or installing FileMaker Server on a new machine.
  3. Copy the original serverRequest.pem and serverKey.pem files to the FileMaker Server\CStore directory.
  4. Proceed with the instructions above, starting at the Import Certificate step.

Note: SSL certificates requested for FileMaker Server 14 cannot be re-used for v15 and up. If you are upgrading from FileMaker Server 14, you will need to request a new certificate rather than use your existing one. Follow the above steps for requesting and importing certificates.

Other Resources

The list of SSL certificates that are supported by FileMaker Server is available here. Note that MIT's certificate provider is InCommon, and InCommon provides the Comodo Elite SSL certificate which is supported by FileMaker.

Refer to FileMaker Server Help for more detail on requesting and installing SSL certificates for use with FileMaker Server.

For an overview on FileMaker network security and SSL, refer to http://help.filemaker.com/app/answers/detail/a_id/14176/.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified: June 29, 2017
