11 Replies Latest reply on Jul 29, 2017 6:21 PM by nrgsoft

    Importing Wildcard SSL on FMS 16

    mikiosmart

      Hello, I'm new here, and we just moved from FMS 15 to 16. With the "not encrypted" warning and red lock displaying, we are wanting to use SSL. We have a wildcard cert that we are using for exchange.

       

      We recently renewed our Wildcard cert, and assumed it was a good time to rekey. Unfortunately, I rekeyed the cert using the CSR from FMS, and everything sort of worked, and we ended up with an orange lock. I couldn't figure out how to export from FMS and make everything work on Exchange, so I then rekeyed again, got everything working on Exchange, and would like to get it working with FMS.

       

      I exported the existing key we are using from Exchange, and got a pfx file. Seeing that the pfx file would not work, I used openssl to convert the pfx file to pem. I downloaded the signed cert from Go Daddy using "other" and used "Import Certificate" via FMS 16 admin console, and I get "Certificate could not be imported: private key file already exists, please remove it and run the command again."

       

      Is it possible to use our wildcard ssl exported from Exchange with FMS? If so, is there any advice on how to make this work? This is my first time posting here, and I hope this makes sense.

       

      Thank you!

      Matt

        • 1. Re: Importing Wildcard SSL on FMS 16
          CICT

          Hi Matt

           

          It sounds like you've already done the hard work and, yes, absolutely this should work - we did something very similar a while back, we need the same wildcard certificates for RemoteApp, IIS and FileMaker Server.

           

          I'm not quite sure what you've done regarding the CSR and intermediate certificate, but it sounds like you need to remove an existing certificate you've installed. I'll try to dig out our notes from this and update here once I've found them.

           

          Regards

           

          Andy

          • 2. Re: Importing Wildcard SSL on FMS 16
            mikiosmart

            Andy,

             

            Thank you! It's reassuring to know it should work. I was thinking that I needed to remove the old cert via CLI, so I tried that, however, I got an error. I think I need to restart the FMS service, with all the random changes I've been trying. I will have to wait until later as we do have users working on it.

             

            Thanks again Andy. I look forward to seeing any extra notes you may have on it.

             

            Matt

            • 3. Re: Importing Wildcard SSL on FMS 16
              mikiosmart

              I restarted the FMS Service. I actually had to first turn off SSL and then ran fmsadmin certificate delete to get rid of the old certificate. This did fix the last error, however, when I went to input the password I set when I converted the pfx file to pem, it said the password was incorrect. I then tried it without the password, and now it says, "Certificate could not be imported: config_DBServer_CertificateDialog_ErrorGo Daddy Secure Certificate Authority - G2"

               

              Any thoughts?

               

              Thank you,

              Matt

              • 4. Re: Importing Wildcard SSL on FMS 16
                bigtom

                I would have to say that a large number of community questions in the past month have involved FMS16 and SSL.

                 

                I am looking forward to seeing how this plays out as I know I will need to deal with a Wildcard in the near future.

                • 5. Re: Importing Wildcard SSL on FMS 16
                  mikiosmart

                  I actually got it working. I accidentally kept trying to use the cert downloaded from GoDaddy when I needed to use the one I pulled from the pfx file along with the private key. Now, I couldn't get it working with the intermediate certificate, so I have the orange lock... I did read about this issue, so hopefully I can get that resolved...

                   

                  I used openssl to convert the pfx file. The link below describes that.

                  Connect on-premise – SSL – Convert .pfx to .pem format | Adobe Connect Blog by Adobe

                  • 6. Re: Importing Wildcard SSL on FMS 16
                    CICT

                    Interestingly bigtom we've an unexpected issue with one server using our wildcard certificate. Currently we're still on FileMaker Server v15 across the board, all are setup the same and use the same wildcard certificate on single and 2-server deployment.

                     

                    However, on one server only we get an 'unencrypted' message when connecting to this from FMP v16, but not when connecting to the same server using FMP v15, which is fine. All the other servers use the same Geotrust TrueBusiness ID wildcard certificate and using v16 is fine.

                     

                    We've not got to the bottom of this as yet, but may move to v16 server and see if this continues.

                     

                    Regards

                     

                    Andy

                    • 7. Re: Importing Wildcard SSL on FMS 16
                      CICT

                      Hi Matt

                       

                      Unusually I can't lay my hands on the exact procedure, I usually document absolutely everything, so I don't have to work something out twice.

                       

                      I do know that we generated the FileMaker .cer files from the .pfx file generated from within IIS as you describe and generated a complementary CSR from within the Admin Console within FileMaker Server 15. As I didn't document much after this, I can only assume I used our standard procedures from here. I published an anonymised version against another posting about a month ago, which I've pasted here in case it is of help: (Windows only, as others have reminded me Macs have permissions problems when poking around the CStore folder)

                       

                      We've generated our certificate using the vendor's online CSR generation tool

                       

                      Copy the certificate request (CSR) text into Notepad and save as serverRequest.pem

                       

                      Copy the Private Server Key text into Notepad and save as serverKey.pem

                       

                      Copy the Web Server Certificate into Notepad and save as a .cer file, call it Server Certificate.cer

                       

                      Copy the Intermediate Certificate into Notepad and save as a .cer file, call it Intermediate Certificate.cer

                      ----

                      Backup your current cStore certificate related files

                       

                      Copy to Program Files\FileMaker\FileMaker Server\CStore\

                        serverKey.pem

                        ServerRequest.pem

                       

                      Copy the Server Certificate.cer and Intermediate Certificate.cer files to Documents or similar

                      -

                      (if following already setup, skip to 'Import Certificate' below)

                      In Server Admin, click Database Server

                        Security

                        Restrict access to databases per user

                        Select 'List only the databases each user is authorised to access'

                        Click 'Save'

                       

                        SSL Connections

                        Click 'Use SSL for database connections'

                        Click 'Save'

                       

                        Progressive Downloading

                        Click 'Use SSL for progressive downloading'

                       

                        Click 'Save'

                        Ignore restart server messages, as we'll be doing this shortly

                      -

                        Click 'Import Certificate'

                        Signed Certificate File

                        Click 'Browse'

                        Select 'Server Certificate.cer' from 'Documents'

                        Click 'Open'

                        'Intermediate Certificate File'

                        Click 'Browse'

                        Select 'Intermediate Certificate.cer'

                        Click 'Open'

                        Private Key File:

                        Click 'Browse'

                        Navigate to Program Files\FileMaker\FileMaker Server\CStore\serverKey.pem

                        Click 'Open'

                        Private Key Password:

                      Usually left blank

                        Click 'Import'

                       

                        A red 'Certificate imported successfully' should appear

                       

                      We restart the complete server to fulfil FileMaker Server restart requirements, but should be able to just restart FMS

                       

                      When restarted, log into the admin console using:

                        https://server.domain.name:16000

                        View the certificate, which should be valid

                       

                      Perhaps not the most official way to do it, but it has helped us use the same certificates across different servers and between IIS and FileMaker Server Master and Worker servers in a 2-server deployment and a convenient way to update the current certificate.

                       

                      Sorry I couldn't find anything more relevant to the procedures you're using.

                       

                      Regards

                      Andy

                      • 8. Re: Importing Wildcard SSL on FMS 16
                        CICT

                        Hi Matt

                         

                        Since my last posting I was teaching my son FileMaker and have given him a project to learn on and was referring to our 'cheat sheets' we send to our customers and use internally, and couldn't believe it when I found I'd created a 57 page 'cheat sheet' from renewing the wildcard certificate from IIS, through to setting up a RemoteApp server and then subsequently use this on a 2-machine FileMaker Server deployment.

                         

                        I've cut the first 47 pages out, as you've completed this successfully and quickly anonymised the last 10 pages, which I've attached. This shows step by step how we subsequently updated FileMaker Server using the same certificate. Can't believe I hadn't checked here, but hope you find this useful.

                         

                        Andy

                        • 9. Re: Importing Wildcard SSL on FMS 16
                          mikiosmart

                          Andy,

                           

                          This is great! I am still stuck with an orange lock on the FMP side. I have not had a chance to get back in there. I will look over your notes (which is excellent documentation btw), and see if I missed anything.

                           

                          I will report back if I can get further.

                           

                          Thank you,

                           

                          Matt

                          • 10. Re: Importing Wildcard SSL on FMS 16
                            mikiosmart

                            I still can't get it. It's the intermediate cert that I can't get to play nice. If I leave it out, it works, but I get an orange lock. I've tried the bundled intermediate from GoDaddy using other, I converted the .crt to pem and cer, and GoDaddy's gdig2.crt that I've seen work for others, but I get nothing. I followed the PDF documentation and the post prior, but the intermediate just won't go through. I get "Config_DBServer_CertificateDialog_ErrorGo Daddy Secure Certificate Authority - G2"

                             

                            Thanks for all the help though. If I get it, I will let you guys know.

                             

                            Matt

                            • 11. Re: Importing Wildcard SSL on FMS 16
                              nrgsoft

                              I just upgraded our server from v14 to v16 with a wildcard on Windows and had the same issue. I knew the password was correct but it kept throwing the error. I went back and re-exported and converted the key files and still got the error. After struggling with this and testing in other software (filezilla server, server 15) the trick as mentioned above is to keep the key password blank. I have a comodo wildcard and didn't need to set an intermediate cert file. Two hours of my life wasted.
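
The checks that come up in posts 5, 10 and 11, as an added example that is not part of the original thread: split a .pfx into an unencrypted key, the server certificate and the intermediate, then confirm the three belong together before using Import Certificate. The function names, the `server.cer` and `intermediate.cer` file names, the `*.example.test` host and the `demo` password are assumptions, and the sample bundle is constructed with a throwaway CA; it needs the OpenSSL CLI on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Function and file names are assumptions.

# Split a .pfx into the three PEM files the FMS import dialog asks for. The key is
# written with no passphrase, so "Private Key Password" is left blank on import.
split_pfx() {  # usage: split_pfx bundle.pfx pfx_password out_dir
  mkdir -p "$3"
  ( umask 077  # keep the unencrypted key readable by its owner only
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
      openssl pkey -out "$3/serverKey.pem" 2>/dev/null ) &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -out "$3/server.cer" &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null |
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3/intermediate.cer"
}

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert key.pem cert.pem
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when cert.pem verifies against issuer.pem alone (the intermediate file).
issued_by() {  # usage: issued_by cert.pem issuer.pem
  openssl verify -no-CApath -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample input: throwaway CA and wildcard leaf in demo.pfx (password "demo").
make_demo_pfx() {  # usage: make_demo_pfx work_dir
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj "/CN=Demo Issuing CA" -days 2 &&
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=*.example.test" &&
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 2 -out leaf.crt &&
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile ca.crt \
      -passout pass:demo -out demo.pfx ) >/dev/null 2>&1
}

work=$(mktemp -d) && make_demo_pfx "$work" &&
  split_pfx "$work/demo.pfx" demo "$work/out" &&
  key_matches_cert "$work/out/serverKey.pem" "$work/out/server.cer" &&
  issued_by "$work/out/server.cer" "$work/out/intermediate.cer" &&
  echo "key, certificate and intermediate belong together"
```

The extracted `serverKey.pem` is an unencrypted private key for a wildcard certificate, so keep it off shared folders and delete working copies once the import has succeeded.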