14 Replies Latest reply on Jul 8, 2015 4:40 AM by jcooper

    Importing Certificates

    jcooper


      Hi,

      I'm trying to import an SSL certificate from godaddy.  The CSR was generated elsewhere (it's for various subdomains one of which is our fms; it was actually renewed and we're setting up a new server too so we'd like the new certificate on the new server).  So, I have the crt file and I have the intermediate file. I also have the key from the server that made the csr in the first place. I've managed to get them all loaded on our other servers (apache, etc), but the fmsadmin certificate command baffles me.

      The documentation says "The CERTIFICATE IMPORT command combines this file with the certificate file returned to you by the certificate authority." "This file" seems to refer to the key. However, the example command "fmsadmin certificate import c:\Documents\signedCertificate.crt" only includes the certificate. How does it know what key file to use?

      Also, the examples seem to use pem files; do I need to convert my crt files to these first?

      One last thing: how do I include the intermediate certificate?

      SSL chains and certificates seem to be where VPN was 10 years ago as far as who-knows-what: those who understand it know so much they have a hard time explaining it to people who don't; but the current implementations require you know it in some detail.  If someone could post an actual example of all needed commands to import "signedcertificate.crt" and "intermediatebundle.crt" and the key into FMS, it would be hugely appreciated by me and I imagine a bunch of other people here too.

      Thanks,

      Jeff

        • 1. Re: Importing Certificates

          jscooper: 

          Thank you for the post. 

          "The CSR was generated elsewhere (it's for various subdomains one of which is our fms"

          This is very likely the source of the problem. FileMaker Server 13 does not support wildcard certificates. The certificate must be one of the specific ones listed in the article below:

          List of supported SSL certificate types and vendors for FileMaker platform

          Both the fmsadmin certificate create and the certificate import commands are run locally on the FileMaker Server.

          Please let me know if any of the above requires further clarification and additionally linked below is The FileMaker Security Guide:

          The FileMaker Security Guide

          TSFalcon

          FileMaker, Inc.

          • 2. Re: Importing Certificates
            jcooper

             I assume then that this is a new thing with v13?  Our current FMS12 is running the same certificate I'm trying to install on v13 and it's working fine.  I just updated httpd-ssl.conf to point to the new crt files (certificate and the "chain", godaddy labels this a "bundle"; it already had the key from before since this is just a renewed certificate) and it's working like a charm.  When I try to do this on v13, the WPE doesn't start.

            • 3. Re: Importing Certificates

              jscooper: 

              Thank you for the reply. 

              “I assume then that this is a new thing with v13?”

              No. This is not new to FileMaker Server 13. The certificate create command is FileMaker’s official method of creating the CSR.  

              If another method is used to generate the CSR, then we do not expect it to work. However, if a different process was used to manually configure the server and certificate (not following our documented process), it is possible for the server to accept the manually created CSR and new certificate.

              FileMaker Inc. recommends using a tested certificate and using the certificate create and import process.

              TSFalcon

              FileMaker, Inc.

              • 4. Re: Importing Certificates
                jcooper

                 OK thanks. I never even looked for documentation on a special way to import certificates since on the mac fms just uses apache; I just installed the certs the way I do on every other apache server.  Never occurred to me it would be different somehow.

                 I'm still puzzled though about the actual "fmsadmin certificate import" command. Nowhere in the examples for this command does it reference the key file.  So, how does the command know what the key is?  Is it embedded in the certificate somehow when the request is generated? Or is there a prompt to specify it? From the Help docs:

                       
                1.      
                              
                  1.           

                    For example, if the certificate file is c:\Documents\signedCertificate.crt, then use the following command:

                              

                    fmsadmin certificate import c:\Documents\signedCertificate.crt

                              

                    The CERTIFICATE IMPORT command combines the signed certificate file with the serverKey.pem file and creates a file called serverCustom.pem. The serverCustom.pem file is created in the CStore folder:

                              
                  2.      
                       

                How does it combine with the key if it doesn't even mention it in the command?

                Thanks,

                Jeff

                • 5. Re: Importing Certificates
                  jcooper

                  Hi again, as a followup it just occurred to me we may be talking about two different things. FMS optionally uses SSL to encrypt the databases. But there is also SSL at work when web users go to the website (for example: custompage.mydomain.com). I'm talking about the latter: the web server's certificate, not the database server's.

                  Also, my certificate is not wildcard, it's SAN/UCC; does that make a difference? Sorry, I'm just really trying to avoid paying for a separate certificate when I have one that works with everything else (our mail server, ftp, web server, etc). Thanks,

                  Jeff

                  • 6. Re: Importing Certificates

                    jscooper: 

                    Thank you for the reply.

                    “So, how does the command know what the key is?”

                    CERTIFICATE CREATE creates both the Request and the Key in the CStore folder.  CERTIFICATE IMPORT matches the Request and the Key from the CStore folder to the provided certificate and imports the certificate appropriately.  

                    Beyond this basic description the mechanics are not documented.  This is why we recommend performing this process with a tested certificate. 

                    “How does it combine with the key if it doesn't even mention it in the command?”

                    OpenSSL is used.  Our CERTIFICATE CREATE / CERTIFICATE IMPORT process automates certain OpenSSL commands.

                    “as a followup it just occurred to me we may be talking about two different things.”

                    The certificate encrypts both database and web connections.  When the CERTIFICATE process is completed successfully with a known working certificate, web communications and network sharing communications alike are encrypted when encryption is requested.

                    “Also, my certificate is not wildcard, it's SAN/UCC; does that make a difference?”

                    Only certificates explicitly listed in the article above will work to secure the database and web connections using the CERTIFICATE process.  The certificates allowed can only encrypt a single domain. 

                    TSFalcon

                    FileMaker, Inc.

                    • 7. Re: Importing Certificates
                      jcooper

                      We have a single domain but a couple different subdomains point to our server. My internal clients, and my databases, find files by going to filemaker.mydomain.com, which is internal only (we use a split DNS).  We also run a website off of this for some of our clients to view some data (currently using CWP), by connecting to clients.mydomain.com (which our gateway forwards to the same machine).  Do I need two different certificates?  Or will filemaker pro/go clients not complain with SSL warnings like web browsers do if I buy a new cert for clients.mydomain.com, even though my internal people use filemaker.mydomain.com?

                      Much appreciate your patience with this; I really didn't think it would be this big a deal. Thanks,

                      Jeff

                      • 8. Re: Importing Certificates

                        jscooper: 

                        Thank you for the reply.

                        Unless following a process other than what we discussed above, FileMaker Server 13 can only accept a single certificate and this certificate may only be tied to a single fully qualified domain. 

                        TSFalcon

                        FileMaker, Inc.

                        • 9. Re: Importing Certificates
                          maser

                          Can I pile on to the *original* question?   Is there a way to have an intermediate.cert imported?  My certificates from InCommon come with an intermediate certificate and I would rather not have to buy yet-another-certificate from another provider for this.

                          • 10. Re: Importing Certificates

                            maser:

                            Thank you for the reply. 

                            As stated above:

                            “Only certificates explicitly listed in the article above will work to secure the database and web connections using the CERTIFICATE process.”

                            TSFalcon

                            FileMaker, Inc.

                            • 11. Re: Importing Certificates
                              maser

                              Can you remind me of the link to submit product suggestions?  This seems like a no-brainer...

                              • 12. Re: Importing Certificates

                                maser:

                                Please enter this as a suggestion into our Feature Requests web form at: 

                                http://www.filemaker.com/company/contact/feature_request.html 

                                These web form suggestions are monitored and read by our Development and Product Management departments where they are then discussed and considered for a future release.

                                TSFalcon

                                FileMaker, Inc.

                                • 13. Re: Importing Certificates
                                  user17889

                                  Dear Jeff or others,

                                  GoDaddy asks you to choose the server type when downloading certificates. It then generates 2 certificates for download. I assume you select the "other" server version or do you use Apache? Did you work out how to tell which certificate to use, primary or secondary? Do they both need to be imported with fmsadmin certificate import?

                                  If not, how do you tell which one is which and which one to import?

                                  Grahame


                                  • 14. Re: Importing Certificates
                                    jcooper

                                    Yes, I downloaded the one for apache. I then opened both .crt files in textedit (they're just text files really), copied and pasted the contents into a new file, which I named fullchain.crt. I then imported this one.

                                    Put the contents of actual certificate (the one with the cryptic name) first, then the gd_bundle:

                                    -----BEGIN CERTIFICATE-----
                                    ...bunch-o-gobbledygook ...
                                    -----END CERTIFICATE-----
                                    -----BEGIN CERTIFICATE-----
                                    ...bunch-o-gobbledygook ...
                                    -----END CERTIFICATE-----
                                    -----BEGIN CERTIFICATE-----
                                    ...bunch-o-gobbledygook ...
                                    -----END CERTIFICATE-----

                                    I still don't quite understand how it works, but somehow the certificate says who you are, then the bundle connects it with godaddy and verifies who THEY are .. or something .. I think. Good luck.

                                    Thanks,

                                    Jeff
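The ordering jcooper describes in reply 14 (server certificate first, then the CA bundle) and the key matching TSFalcon refers to in reply 6 (the import step pairs the certificate with the key that produced the CSR), as an added example that is not part of this thread and is not FileMaker's own tooling: plain openssl commands that build a fullchain file and check it before it is handed to fmsadmin. The root, intermediate and server certificates under $WORK are throwaway ones generated locally so the script runs offline; the file names and the host fms.example.test are assumptions standing in for the GoDaddy .crt, gd_bundle.crt and your own key. Whether FileMaker Server 13 accepts the resulting file is not something this script can tell you; it only catches the two mistakes that usually precede "the WPE doesn't start": a key that does not belong to the certificate, and a chain in the wrong order.

```shell
#!/bin/sh
# Added example, not from the thread and not FileMaker's tooling. Builds a
# fullchain file the way reply 14 describes (server cert first, then the CA
# bundle) and checks it with openssl: does the private key match the
# certificate (reply 6), and is the first block really the server cert?
# Everything under $WORK is a constructed test PKI so the script runs offline;
# file names and fms.example.test are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed root -> intermediate -> server chain. Exists only so the checks
# below have input; in real life the CA does this and you receive the files.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/int.ext"
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" \
    -out "$WORK/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=fms.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
  cp "$WORK/int.crt" "$WORK/bundle.crt"   # plays the role of gd_bundle.crt
}

# Leaf first, then the bundle: $1 server cert, $2 CA bundle, $3 output file.
build_fullchain() {
  cat "$1" "$2" > "$3"
}

# Number of PEM certificate blocks in a file.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Subject of the FIRST certificate in a file. openssl x509 reads only the
# first PEM block, which is why the order of the concatenation matters to
# anything that loads the file.
first_cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# True when the private key ($2) belongs to the certificate ($1): both sides
# are reduced to the same SubjectPublicKeyInfo PEM and compared textually.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True when the server cert ($2) chains to the trusted root ($1) through the
# intermediates in the bundle ($3).
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# Demo run on the constructed PKI.
make_test_pki
build_fullchain "$WORK/server.crt" "$WORK/bundle.crt" "$WORK/fullchain.crt"
echo "certificates in fullchain.crt: $(cert_count "$WORK/fullchain.crt")"
echo "first block in fullchain.crt:  $(first_cert_subject "$WORK/fullchain.crt")"
if key_matches_cert "$WORK/server.crt" "$WORK/server.key"; then
  echo "server.key matches server.crt"
else
  echo "server.key does NOT match server.crt"
fi
if chain_verifies "$WORK/root.crt" "$WORK/server.crt" "$WORK/bundle.crt"; then
  echo "server.crt chains to the root via bundle.crt"
else
  echo "chain does NOT verify"
fi
```

With a real GoDaddy download, substitute the cryptically named .crt for server.crt, gd_bundle.crt for bundle.crt, the key from the machine that generated the CSR for server.key, and a root store for root.crt; if key_matches_cert fails, the import has nothing to pair the certificate with, and if first_cert_subject names the intermediate rather than your host, the two files were pasted in the wrong order.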