I am not sure that we can copy the custom signed SSL certificate and private key file from the Mac machine, paste them into the "CStore" folder of the current FileMaker Server installation path, and then perform the "Import certificate" action to import the 2 existing files.
You should never ever put or paste something in the FMS cstore folder! The import certificate process will take care of putting things in the cstore folder.
Copy the crt files and the serverkey.pem file over to the Windows machine (any folder, say the desktop) and then use the FMS admin console to import the certificate. If for some reason that does not work, just create a new CSR on the Windows machine and have the SSL cert re-issued. That's much faster than trying to troubleshoot.
Sorry Wim, seems we occasionally have different points of view, but you can copy the serverrequest.pem and serverkey.pem files to the cstore folder and subsequently use the admin console to install the server and intermediate certificate (cer) files. This is particularly important if you're running multiple servers and a wildcard certificate.
Sorry Wim, seems we occasionally have different points of view, but you can copy the serverrequest.pem and serverkey.pem files to the cstore folder and subsequently use the admin console to install the server and intermediate certificate (cer) files.
Sure you can; but in many instances (and especially on Macs), copying something to the cstore folder affects its permissions and screws things up. And copying something into that folder is not needed for normal installs so it just creates confusion.
This is particularly important if you're running multiple servers and a wildcard certificate.
Can you expand on this? I use mostly wildcards and on multiple servers and never had the need to copy something into the cstore folder. Are you talking about 2-machine deployments?
Yup, I tend to forget the permissions issues on Mac servers, as we don't use them. Windows servers give us the luxury of adding things and even doing drop in file upgrades within the main database folder without repercussions; great for separation solutions (and impossible to do any other way if Gbs of data involved with external container storage). You are correct if someone doesn't know chown, chgrp and chmod, but then again I'd think any administrator of a Mac server would have to.
We have a set of procedures that usually puts the .pem files in the CStore folder and since v15 can use the admin console to add the .cer files. As it is a procedure updated from v14, we've never tried alternatives as it just works and yes the same on 2-machine deployment, albeit using command line.
All the best
I did a fresh installation on the Windows server, created a new .csr file, and sent it to the same certificate authority to reissue the certificate based on the new .csr.
Then I imported the certificate with the intermediate certificate into the server and restarted the FileMaker services. It's working fine now.
Thanks a lot for all.
I'm running into a similar situation - I'm trying to move a cert from one server to another. The new server is a replacement for the old one, but is based on a newer more updated 'image' (these are AWS instances). The new server will have the same name and IP as the old one.
But all I have from the old server is the contents of the "CStore" folder. There isn't a ".cer" or ".crt" file; the coworker that created these can't seem to find it either - and he's not certain if he used a PW when creating the key.
So my question is: does the original "CStore" folder contain all the files that I need to install this certificate on the other server? Or is there some other file that is needed?
I would reimport the cert and not fiddle with the contents of the Cstore folder.
I'm assuming you kept the original ServerKey.pem and the cert files you got from the CA? If not, do keep them around in case you have to reinstall from scratch in a Disaster Recovery scenario.
Reimporting the cert is always good practice for those DR moments.
By 'reimport' do you mean start a new "Create Request..." process with the certificate vendor? I was thinking that might be the easiest way.
As for keeping the files around...I only know of what's in the current "CStore" folder from the old server. I have inquired with my co-worker who set things up originally, but he doesn't recall having/keeping other files around. He thought they would have been stored on the server; but I did a file search and couldn't find anything with ".cer" or ".crt" extensions. Oddly...the search didn't turn up a ".pkcs" file either - even though I could see one sitting in the "CStore" directory.
No, I meant:
- the ServerKey.pem that is created when you create the certificate signing request in the admin console or the fmsadmin CLI
- and then the actual crt files that CA gives you.
If you have those then you can go to a fresh install of FMS and do the import without having to create a new CSR and rekeying the certificate.
Especially handy if you have a wildcard cert obviously.
I didn't have the original ".crt" file, so I ended up going through the full CSR process again. It wasn't too terrible.
Once I got a new keyed certificate I was able to get it installed fairly easily. My provider gave two certificate files in their download - the 2nd one I was able to use as an intermediate certificate.
Maybe you know the answer to this one.
When I upgraded from FMS 15 to FMS 16, the certificate and key file were placed in a folder called "Backup". I know that FMS-16 requires an intermediate certificate so I went through the process that begins with Start Over, where the Admin Console tells me that the previous files were successfully removed. Then, I issue a new CSR request and download the new Certificate file and Intermediate Certificate file, but there is not a new ServerKey.pem file where I expect it to be.
And when I try using the previous one, of course it doesn't work.
I believe I have found the error, but I don't know if it is a bug.
When using the Start Over command, the Admin Console reports that it has removed the previous certificate and key files, but in fact it doesn't. It only removes the key file (if it was there at all) but it leaves the previous Request file in place. Then, when you create a new CSR request file, it doesn't make the new Key file that must be used in tandem with the new certificate. But if you manually get rid of the previous Request file, then you get the dialog box where you enter all your info again, and then it DOES make the new key file with the request file.
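
An added example, not part of the thread and not FileMaker's own tooling: a pre-import check that the key file, the request file and the CA-issued certificate all carry the same public key, which is the condition that breaks in the stale-request situation described in the last post. The function names and the `KEY_PASS` variable are assumptions of this example; it needs the `openssl` command line, and the three file paths are whatever you pass in.

```shell
#!/bin/sh
# Hash a PEM public key read on stdin (normalised to DER first).
# Returns non-zero when stdin is empty, i.e. the upstream openssl call failed.
fp() {
    pem=$(cat)
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Public-key fingerprint of a private key, a CSR and a certificate.
# KEY_PASS (assumed name) supplies the passphrase if the key is encrypted;
# with no passphrase set, an encrypted key fails instead of prompting.
key_fp()  { openssl pkey -in "$1" -pubout -passin "pass:${KEY_PASS:-}" 2>/dev/null | fp; }
csr_fp()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null | fp; }
cert_fp() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | fp; }

# usage: check_fms_cert_set KEY CSR CERT
# returns 0 = all three match, 1 = mismatch, 2 = a file could not be read
check_fms_cert_set() {
    k=$(key_fp "$1")  || { echo "cannot read key $1 (encrypted? set KEY_PASS)"; return 2; }
    r=$(csr_fp "$2")  || { echo "cannot read request $2"; return 2; }
    c=$(cert_fp "$3") || { echo "cannot read certificate $3"; return 2; }
    # A request left over from an earlier attempt will not match a newer key.
    [ "$k" = "$r" ] || { echo "request was NOT generated from this key"; return 1; }
    # A certificate issued against another request will not match either.
    [ "$k" = "$c" ] || { echo "certificate was NOT issued for this key"; return 1; }
    echo "key, request and certificate share public key sha256:$k"
}

# Run directly: ./check.sh serverKey.pem serverRequest.pem server.crt
if [ "$#" -eq 3 ]; then
    check_fms_cert_set "$@"
fi
```

Run it against copies of the files kept outside the CStore folder; it only reads them and never prints private key material.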