1 2 Previous Next 16 Replies Latest reply on Jun 23, 2017 8:43 AM by bigtom

    FMI becoming an ICANN Certificate Authority?

    taylorsharpe

      FileMaker has been improving security and we have all felt the pain of installing SSL certificates (note the many discussions about it).  The current process in 16 is better than in the past, but still a pain. 

       

      I think FMI should become an ICANN Certificate Authority and when they sell a FMS license, part of the licensing includes issuing of an SSL certificate that is done at the service level and all you have to do is give it the domain name.  The information CA's have to ask when you request one is basically the same info FMI gets when they license your software except for domain, which is easy to provide.  If FMI could become a CA and include the SSL cert in the FMS license, maybe that could make this even easier.  It would mean we would not have to go to another company to purchase the cert and could all just be included with the FMS license. 

       

      Or maybe someone else has a better idea of how to make SSL certificate management easier with FMS. 

        • 1. Re: FMI becoming an ICANN Certificate Authority?
          mikebeargie

          This would be a great thing for FileMaker cloud in moving towards a single-step rollout of a new server. As for regular FMS, I would think that they would still need the option of importing certificates from other CA vendors. Some IT departments have strict processes and vendor preferences in place for obtaining SSL certificates. You may run into situations where FMI as a CA would cause issues.

           

          Until then, continuing to make the process of importing certificates onto filemaker server easier needs to continue. SSL is on the cusp of being easy to install, but I find a lot of people still ignore the need for the certificate because the install process is a little tough to wrap around, start to finish, for the "citizen developer" types that are not expected to have higher level server know-how.

          • 2. Re: FMI becoming an ICANN Certificate Authority?
            taylorsharpe

            Yes, good point Mike.  I fully want FMI to support other CA's too.  In fact, I'm disappointed the current list is so small and hoping it will grow in the future. 

             

            I'll say that having done quite a number of SSL installs, it becomes routine.  But the first time you do it is rather daunting. 

            • 3. Re: FMI becoming an ICANN Certificate Authority?
              bigtom

              This would be great for FMC.

               

              FMI needs to keep in mind that many people want to use UCC or Wildcard certificates that are usually shared with other servers. These seem to be the most difficult to deal with. Sure you can tell them to just go buy another certificate, but clients do not like the idea at all.

               

              The SSL in stall process is not so bad not, but the documentation is non existent. Most of the resources are here on the community. For a thing like SSL that is pretty much a requirement for most FMS installs FMI should have better documentation.

              • 4. Re: FMI becoming an ICANN Certificate Authority?
                DavidJondreau

                Does FMI need to become a CA, couldn't they just could partner with an existing CA. I just set up a Wild Apricot site (a web-based membership platform) and installing an SSL certificate was a free optional service (through Let's Encrypt). It took less than 24 hours from a simple support request to running https on all pages.

                 

                Another suggestion would be for FMI to get into the hosting space!

                • 5. Re: FMI becoming an ICANN Certificate Authority?
                  bigtom

                  I would not want to see FMI in the hosting space and I am sure that they

                  do not really want to be there either. Partnering with AWS was a smart move.

                  • 6. Re: FMI becoming an ICANN Certificate Authority?
                    taylorsharpe

                    David, my goal is that FMI sells a software license that includes the SSL as part of the install where you have nothing to do other than provide the domain name in the Admin Console.  If you use another company such as an existing CA, then ICANN will require them to take you through a verification process as to who you are.  Since FMI already does this for software, this would mean providing our information once to one company, FMI.  It would avoid providing to a second company and their having to go through verification process. 

                     

                    FileMaker does not have to make this simple.  However, if their mission is to make the server easy to implement, this is the type of feature they need to provide. 

                     

                    They certainly could have left it with command line installs like in the past.  I think their improvements with the Wizard are great, but wanting to see if they can make it simpler.  Partnering with another company that will be required by ICANN to do additional verification is not making things simpler in the way I am suggesting. 

                     

                    I do lots of these installs and can now easily say the process is simple.  But just ask someone who is a junior FileMaker developer or an advanced user who has never done an SSL install to do it without any help and get their feedback.  I find few of those people find things as easy as say the FMS install.  This is the feedback I have gotten from our Dallas FMPUG users group. 

                    • 7. Re: FMI becoming an ICANN Certificate Authority?
                      WinTechServ

                      Agreed, completely. The less reason there is for clients to push back against using the server, the better for everybody. As somebody who does not do this very often, I'd love to see it happen.

                      • 8. Re: FMI becoming an ICANN Certificate Authority?
                        bigtom

                        Is your vision to have FMI supply standard single domain certificates as well as UCC and WildCards? Will they support only FMS or will they support certificates that need to be installed on separate web servers as well?

                         

                        I am not against it and I certainly see this as an option for FMC, but will FMI be able to offer and support certificates at competitive pricing?

                         

                        I would say that if you are doing FMC a single domain SSL cert from FMI as a CA should maybe be included. I am sure FMI could build in a process to automatically rekey and reinstall certificates on renewal and upgrade with the cert tied to the server license key on FMC. Maybe on other installs as well. That would be nice. If this were the case I would support it. It can't be just another certificate CA. It needs to be nicely integrated and the value of that product would likely be worth it.

                        • 9. Re: FMI becoming an ICANN Certificate Authority?
                          taylorsharpe

                          If you want to use an FM wildcard SSL cert, that is what is issued with the Comodo one on FM Cloud.  But that is not what I envisioned.  FM would take the role of Comodo, Thawte, GoDaddy and other such providers to issue you the certificate.  The information that they are required to collect in issuing certificates is already as much as you have to do to license the software minus providing the domain name.  And by FM including the SSL, all you have to do it provide the domain name and their software will issue the SSL certificate for your server.  This could all be part of the standard install and setup with the Admin console.  You go to the Admin console, provide the domain name and IP, and they validate you based on your software licensing information. 

                           

                          The idea is to make this super super simple.  You only have to provide a domain name in the Admin console and FM will handle the certificate issue for you.  Nothing else to do but provide the domain name in the Admin console. 

                           

                          Simplicity is the purpose.  Not just the ability to issue a domain.  Providing everything in one licensing agreement and built into the Admin console will make it real easy and you only have to deal with one Company (FMI) and the Admin console. 

                           

                          After all the complaints about difficulties with SSL, this is just a suggested idea for making it easier. 

                          • 10. Re: FMI becoming an ICANN Certificate Authority?
                            bigtom

                            I think you missed the point of my question. I understand exactly what you are looking for.

                             

                            I have no idea what Comodo is doing on FMC. Are you saying there is one wildcard cert for all FMC installs?

                             

                            If FMI were to be a CA they would need to offer everything most CAs do. Wildcard certs are an example. Why a wildcard or UCC from FMI? Worker machines sounds like a perfect example.

                             

                            AVLAs with multiple servers? All the details need to be looked at or it would end up being something only a few people could use.

                            • 11. Re: FMI becoming an ICANN Certificate Authority?
                              taylorsharpe

                              FM Cloud by default issues you a SSL certificate from FileMaker's wild card SSL with a prefix that is unique to each install.  It's just a way of giving a unique domain to each one for SSL purposes,  but you are stuck using their wildcard name of their fmi.filemaker-cloud.com domain.  I don't want FileMaker name in my domain.  I want my own domain to be used. 

                               

                              If FM became a CA, they are like any other CA.  They can sell to whoever they want and offer as little or as much services as they want (well, a few legalities such as they can't deny service to people based on race, etc.).  I am not proposing they become a public CA.  I want them to be a CA  only for FileMaker customers. 

                               

                              I want the full ownership of a domain like I get when I buy one from GoDaddy or Thawte or Comodo.  But I want it nicely packaged as part of the license I get from FileMaker all wrapped up nicely in the Admin console where all I have to do is provide the domain name in the console.  FileMaker could not offer that service unless they become a CA. 

                              • 12. Re: FMI becoming an ICANN Certificate Authority?
                                bigtom

                                I see, another reason FMC it not so desirable.

                                 

                                Well I am in agreement with you then. It would be nice to have it all wrapped up in the admin console and have auto rekey/ re-install in the admin console for updates and upgrades. This would be worth paying for.

                                 

                                I would be good to have wildcards for whatever domain you enter available. I think the one issue you may run into is verifying the domain ownership. This step still needs to happen overtime the certificate is keyed. Your idea of being fully wrapped up only works if FMI is the CA and the Domain Registrar so they can internally verify both.

                                 

                                Maybe that is a step you need to perform separately anyway.

                                 

                                If this is the first exposure that a company has to SSL and they purchase a wildcard for their Server and Workers issued by FMI as a CA, will there be support when they one day decide they want to use it on a web server or some other service?

                                 

                                Side note: With the requirement for SSL and FQDN hostnames for Worker Machines would addition of a DNS Server to FMS admin console be a decent idea?

                                • 13. Re: FMI becoming an ICANN Certificate Authority?
                                  taylorsharpe

                                  The problem with Wildcards is that they are for one company to purchase and use for their own servers.  If we have FM act as the Wildcard owner, then they really own the domain name and not us.  Also, you're stuck with whatever name they have with your info stuck to the front like 1234.filemaker-cloud.com or ABC.filemaker-cloud.com. 

                                   

                                  CA's always sell wild cards and nothing keeps you from doing that.  They just cost more.  My suggestion to FM is to give an option to include the SSL cert with the license, but to still allow use of certs from other CAs.  I would not want them to have an exclusive on the SSL certs for FMS.  But if they could bundle it nice and easily, why not. 

                                   

                                  Most people do not need Wildcards.  Wildcards are simply so that if you run several servers, you can buy one Wildcard domain and issue your own subdomains.  For example, you own SuperFMDeveloper.com.  If you purchase the wildcard of it, you can assign subdomains like mail.SuperFMDevloper.com www.SuperFMDeveloper.com or mail.SuperFMDeveloper.com or server1.SuperFMDeveloper.com or FileMaker.SuperFMDeveloper.com. 

                                   

                                  One word of warning is that you have to keep track of how the certs work for issuing to subdomains and that can make things more difficult.  Wildcards certainly make things more difficult, not easier.  But they can save you money by not having to individually buy the subdomains. 

                                   

                                  DNS services come with Windows Servers and Mac OS X.  I prefer the Mac.  HOWEVER, FileMaker has recommended FMS to not work with the Mac Server.app that has the DNS setup in it.  They did this because the want FM to control web services and not to be competing with other server services.  However, it is fairly obvious that sometimes a DNS server would be really useful and not recommending it means recommending you buy a whole other server just for DNS which is ridiculous.  DNS is a very lightweight service compared to say mail or web or file sharing.  Oh well.  It does exist on the Mac with a real nice user interface and all and it does on Windows Servers too.  Just FM recommends not using it on the same computer.  But I guess your suggestion is to do FM has done with Apache and IIS and have their own implementation of DNS with its own User Interface in the Admin console.  Hmmmmm.....

                                  • 14. Re: FMI becoming an ICANN Certificate Authority?
                                    bigtom

                                    I can buy a wildcard from a CA and I own it for whichever domain I choose. It is not cheap but it is an option. Let's set wildcards aside from now as it seems to be causing some confusion.

                                     

                                    FMI is pushing FLT and Web Direct. I is a big move to support 5 WD worker machines and 500 users. Each of these needs SSL. I am simply saying that at a minimum FMI as a CA would need to offer UCC/SAN certificates for multiple FQDNs. I get the impression you are set on the idea that they should offer only single FQDN certs and that is the thing I am saying my be a limitation from a sales perspective.

                                     

                                    Setting up the workers also requires DNS management. I would be a nice full package if there was a simple DNS panel in FMS admin console for managing the workers as well. This would be  super nice as it would be all managed in the admin console and no need for an additional server.

                                     

                                    I have run macOS Server on the same machine as FMS for DNS and it works just fine. It seems that as long as you do not use the web or wiki server options FMS and OS X/macOS Server work just fine together. I have one that runs caching, file share, time machine and DNS without issue or conflict with FMS. Makes great use of an over spec FMS.

                                     

                                    Setting up DNS services in macOS Server is pretty easy, but there is not a lot of info on it and for many it might be difficult to figure how it works the first (and likely only) time they set it up. Having an approved DNS service in FMS would be great. I will move that to the ideas area.

                                    1 2 Previous Next