I have SSL running on the FileMaker Server Advanced for FileMaker Pro clients and all is running well with that. I believe I have determined that this limitation in SSL cert providers only affects the FileMaker client to FileMaker Server connection.
In the very near future, I would like to deploy SSL on the web server for browser encryption as well, but there are a few ambiguities I’d like to clarify first. I intend on using DigiCert since they are my provider for all other certs and hopefully the above determination is correct.
My setup is a two-machine deployment running FMSA 126.96.36.199 on Macs running 10.10.5 each. I plan on using the CLI to generate a CSR and import the certificate once received.
In the FileMaker Server 14 Getting Started document, under Chapter 7 - Setting up the web server, on page 71 it states:
"server_name is the value used by clients to open hosted files with the FileMaker Network protocol, fmnet.
For example, if FileMaker Pro clients use fmnet:/salesdbs.mycompany.com/sales to open the hosted database sales, then use the following command with salesdbs.mycompany.com as the server_name:
fmsadmin certificate create salesdbs.mycompany.com"
I assume this is just used as an example, but the entire article seems to be written as if it’s for a one-machine deployment. Certainly, in a two-machine mode, if requesting a CSR for the web server (as the chapter title suggests) one wouldn’t use the database machine’s server_name.
Then, again on page 72 it states:
"To use the certificate import command:
- Windows: You must have administrator permission to the CStore folder.
- OS X: You must have read and write access permissions to the CStore folder.
After using the certificate import command, you must restart the Database Server."
making me think this is written for one-machine or at the very least, the procedure for the database server and not for the web server.
And in the Notes on page 72, this confuses me:
"The Database Server and web server components must use the same certificate."
It does go on to say that one shouldn’t use OpenSSL certificate tools (or IIS on Win) and to use either the Admin Console or CLI but that, too, is vague in that I could read it to mean not to use one method on the database server and another on the web server.
What I am wondering is:
- Can I use the CLI to generate a CSR on the web server in a two-machine deployment?
- Can I use the CLI to import the resultant cert on the web server in a two-machine deployment?
- Will the installation of a cert on the web server disturb the present connection between it and my database server?
I guess I'm over-thinking this but the document seems a bit vague. Thank you for any input you can offer.