5 Replies Latest reply on Sep 14, 2016 10:02 PM by wimdecorte

    Migrate Server with SSL certificate

    DickHoning

      Hi there,

       

      I would like to migrate a server version 14 to 15 and before I do so, I was wondering how to migrate the SSL certificate?

       

      Or can I uninstall 14, install 15 and will SSL work again automatically?

       

      In case it matters; it's on an OS X 10.11.4 machine.

       

      Thanks in advance and best regards - Dick

        • 1. Re: Migrate Server with SSL certificate
          PeggyConant

          We are also wondering if there is a way to use existing certificates when migrating from 14 to 15.  In the past we've had to do a manual work around to bind our Elite Comodo certificates to the server, but at least we have been able to do so by replacing the out-of-the-box pem files with our own.

           

          Since we already have certificates for our servers, we'd like to be able to bind those to FM Server 15 rather than requesting new keys from our provider.  When we tried to use the existing key file, using the new console method as well as the command line method to complete the installation of our existing certificates on FM 15 server, we ran into a road block because of the new FM 15 certificate security feature requiring that the cert. request be tied to a user and pw.   Our existing keys do not have username and password and we could not leave those blank in the console nor could we find a way to set them manually in the related files.

           

          Anyone already done this going from 14 to 15 with existing certificates?

           

          Thanks, Peggy

          • 2. Re: Migrate Server with SSL certificate
            Norsult

            Hi Peggy, hi Dick,

             

            As Dick may have experienced, in MacOS X it just works when the cert was installed correctly for FMS14.

             

            If not, you really run into problems. The interface in the CLI is changed for FMS 15 and the tool in the Admin Console does not help either. The same is for installations under Windows Server 2012 and FMS15. Certificates bought with FMS14 ServerRequest.pem cannot be installed since there is no password that can be entered. But all tools that could transport the certificate to IIS require a password…

            TSGal: could you provide a different approach?

             

            It seems that only a new certificate with all the hassle of the new process can help.

            If you just need an SSL connection from FileMaker clients and ignore the warnings and failures with WebDirect and CWP or PHP, it might be nice to know that copying the existing files from FMS 14 (from the CSTORE directory), setting 'use ssl for connections' and restarting the FileMaker service will work.

            • 3. Re: Migrate Server with SSL certificate
              TSGal

              Norsult:

               

              As mentioned on page 74 of FileMaker Server 15 Help (https://fmhelp.filemaker.com/docs/15/en/fms15_help.pdf), it states:

              "Because of security improvements in FileMaker Server 15, certificate signing requests created for FileMaker Server 14 cannot be used to create SSL certificates for FileMaker Server 15."

               

              TSGal

              FileMaker, Inc.

              • 4. Re: Migrate Server with SSL certificate
                Norsult

                Hi TSGal and others,

                 

                Nice. I realised that. But what to do instead? Reading many posts on the issue I see that nobody is willing to buy new certs because FileMaker changed a version. So some talk about re-keying the certificate.

                 

                What do you mean by re-keying the certificate?

                 

                When the request was made with a FMS14 server request (and thus the  private key server.pem was created) no password was required or set.

                 

                When I use exactly the same server.pem and the issued certificate and try the import on the FMS15 installed now, it requested a password that I do not know.

                 

                Re-issuing the request generates a new set of server request and server key files, now with password, but the signed certificate cannot be imported. Using the command line tool responds with a (misleading) error:

                 

                PS C:\Users\Administrator> fmsadmin certificate import /Library/FileMaker\ Server/CStore/fmfi_norsult_net.crt --keyfilepass secret

                <1>

                Error: 11000 (Invalid command)

                 

                Ok. Finally, since I spent all day more or less on getting a cert to run on a fresh FMS15 on Windows 2012 Server, I did call tech support from GeoTrust and with their help we created a new cert from a new server request (using FM Admin Console) and tomorrow morning I will try again to import now thru the Admin Console.

                 

                So: what you need to do is to find a way to get a new certificate file that matches the new key file but holds the old certificate. Some providers make it easy, like GeoTrust, if you know where to look.

                 

                Perhaps this might help others with similar problems.

                 

                Regards,

                Volker

                • 5. Re: Migrate Server with SSL certificate
                  wimdecorte

                  Volker Krambrich wrote:

                   

                  Reading many posts on the issue I see that nobody is willing to buy new certs because FileMaker changed a version. So some talk about re-keying the certificate.

                   

                  What do you mean by re-keying the certificate?

                   

                  You don't need to buy a new cert, but you need to:

                  - generate a new CSR (certificate signing request) using FMS15

                  - use that request to have the cert be re-issued by your provider

                  - then import that newly generated cert

                  1 of 1 people found this helpful
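
The re-issue steps in the last reply only work if the certificate that comes back from the provider carries the same public key as the key file created together with the new CSR. The following is an added example, not part of the thread and not FileMaker's own tooling: it uses plain `openssl` to compare the public key in a key file, a CSR and a certificate before any import is attempted. All file names, the CN and the passphrase are constructed for the demo, and it assumes the files are PEM files that `openssl` can read.

```shell
#!/bin/sh
# Added example; file names, CN and passphrase are constructed for the demo.

# Print the SHA-256 of the public key inside a key, CSR or certificate file.
# $1 = key|csr|cert, $2 = PEM file. The key passphrase is read from $KEYPASS.
pub_hash() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -passin env:KEYPASS -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1    # unreadable file or wrong passphrase
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if key, CSR and certificate all carry the same public key.
same_keypair() {    # $1 = key, $2 = csr, $3 = cert
    k=$(pub_hash key  "$1") || return 1
    r=$(pub_hash csr  "$2") || return 1
    c=$(pub_hash cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# --- constructed demo material in a temporary directory ---
D=$(mktemp -d)
export KEYPASS='demo-passphrase'
# "Old" pair: key without passphrase and the certificate issued for it.
openssl genrsa -out "$D/old.key" 2048 2>/dev/null
openssl req -new -x509 -key "$D/old.key" -subj "/CN=fms.example.test" \
    -days 1 -out "$D/old.crt" 2>/dev/null
# "New" pair: passphrase-protected key, its CSR, and a certificate built from
# that CSR (self-signed here as a stand-in for the provider's re-issue).
openssl genrsa -aes256 -passout env:KEYPASS -out "$D/new.key" 2048 2>/dev/null
openssl req -new -key "$D/new.key" -passin env:KEYPASS \
    -subj "/CN=fms.example.test" -out "$D/new.csr" 2>/dev/null
openssl x509 -req -in "$D/new.csr" -signkey "$D/new.key" -passin env:KEYPASS \
    -days 1 -out "$D/reissued.crt" 2>/dev/null

same_keypair "$D/new.key" "$D/new.csr" "$D/reissued.crt" \
    && echo "re-issued cert matches the new key and CSR"
same_keypair "$D/new.key" "$D/new.csr" "$D/old.crt" \
    || echo "old cert does not match the new key: have it re-issued from the new CSR"
```

A mismatch between the key hash and the certificate hash means the certificate was issued for a different key pair, which is the situation described earlier in the thread when a certificate from the old request is combined with a newly generated key.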