FileMaker Server 14 SSL HowTo
I had quite a time getting SSL working with my two-server deployment, so I figured I would post this for those who come behind me. I had spent quite a bit of time on the phone with FileMaker support trying to resolve the "Default Certificate Installed" error when accessing my FileMaker server through WebDirect.
I had followed the instructions to generate a CSR and import the signed cert into the FileMaker database. I could see that the server was correct when viewing the cert in the web admin console, but I was still getting this damn red banner on the web server. While waiting on hold with support I found my answer in the FMS 14 "Getting Started" guide on page 72 in the notes section.
So anyway, here is the process I followed. If anything I have done is incorrect, let me know and I will update my post.
- Generate CSR using fmsadmin certificate create
- Download signed certificate from CA
- Import signed cert with fmsadmin certificate import
- Now the part that tripped me up: copy the signed cert and ServerKey.pem to the CStore dir on the web server
- On the web server, use fmsadmin certificate import to import the signed cert into the web server
- Reboot both servers
- At this point you should be able to browse WebDirect. You will receive an invalid certificate error because your IIS binding for HTTPS is set to the db server cert, but the red banner from FileMaker should be resolved.
- Create a CSR in IIS for your normal wildcard duplicate; you can use SANs or whatever you would do for a normal application.
- Download the cert from the CA, in my case DigiCert
- Import the signed cert (Computer/Personal store, or complete the signing request in IIS); however you want to do this should be fine. Personally I use the DigiCert Utility.
- Go into the IIS management console, right-click on the FMS site and choose Edit Bindings
- Select HTTPS and click Edit
- From the drop-down menu, select your newly imported certificate for the web server
After getting this working I don't think there is a reason any X.509 certificate won't work as long as it's for a single server, and all of the intermediaries are included in the signed cert. Tomorrow I am going to try re-issuing my DigiCert single server cert and see if I can get it working. I'll update this post if it works.
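To confirm which certificate the IIS HTTPS binding actually serves after the last steps, the following PowerShell check (an added example, not part of the original post or FileMaker's tooling) connects to the web server, records the validation errors a browser would raise, and prints the presented certificate. The host name, the thumbprint parameter and the use of TLS 1.2 are assumptions; substitute your own values.

```powershell
# Added example. Host name and thumbprint are placeholders, not values from the post.
param(
    [string]$HostName = 'webdirect.example.com',   # hypothetical web server name
    [int]$Port = 443,
    [string]$ExpectedThumbprint = ''               # thumbprint of the cert chosen in Edit Bindings
)

$script:policyErrors = $null
# Record what validation would have reported, but let the handshake finish
# so the certificate can be inspected even when it is invalid.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    $true
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($HostName, $Port)
    $stream = $client.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
    try {
        # Assumption: the server accepts TLS 1.2.
        $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
        $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $ssl.Dispose() }
} finally { $client.Close() }

$matches = $null
if ($ExpectedThumbprint) {
    # Thumbprints copied from the certificate dialog often contain spaces.
    $matches = $cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', '')
}

[pscustomobject]@{
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    NotAfter        = $cert.NotAfter
    Thumbprint      = $cert.Thumbprint
    # None = name and chain validated; RemoteCertificateNameMismatch or
    # RemoteCertificateChainErrors correspond to the browser's invalid certificate error.
    PolicyErrors    = $script:policyErrors
    MatchesExpected = $matches
}
```

Run it from a machine other than the web server: a chain that validates there may only do so because the intermediates are already in the server's local store, which hides a missing intermediate from the check.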