11 Replies Latest reply on Aug 7, 2017 2:32 AM by bkaisin

    How to… multiple certificate

    bkaisin

      Hello,

       

      I have 2 FMS (FMS1 and FMS2) with 2 different IP addresses.

      I have a domain name with 2 subdomains (db., fm.).

      I created 2 A records in the DNS management for these 2 subdomains.

       

      My question is:

      If I create a ServerRequest.pem on FMS1 for the certificate (*.mydomain.com), I can import the certificate and the bundle cert into FMS1.

      But should I import the FMS1 private key into the FMS2?

      Should I copy the entire CStore from FMS1 into FMS2?

      What should I do to get secure access on both FMS?

       

      Regards

      Ben

        • 1. Re: How to… multiple certificate
          fmpdude

          You might be better off talking to your certificate provider as this is really an issue of how to install a wild-carded certificate generally. That is, if you generalize how to install a single certificate for FMS, and you understand that process, then installing a wild-carded certificate should work as you would install any wild-card certificate for any new sub-domain.

          1 of 1 people found this helpful
          • 2. Re: How to… multiple certificate
            CICT

            Yes, you can do this.

             

            You can use the certificate, intermediate certificate and the serverKey.pem from FMS1 to import into FMS2. Don't worry about putting anything in the CStore; the above will work, just import the 3 files into the Admin Console certificate import.

             

            We also use the same wildcard certificate for IIS on our Windows servers if needed.

             

            Kind regards

             

            Andy

            2 of 2 people found this helpful
            • 3. Re: How to… multiple certificate
              bkaisin

              Thanks for your reply,

               

              It seems to work like you said for 2 FMS 16 at 2 different locations, but I still have an issue:

               

              When I access FMS (WebDirect) from the web (https://fm.mydomain.com/fmi/webd/) it is secure.

              Dropbox - Safari.jpg 

               

              When I access FMS from my local network with FMPro I have the orange padlock.

              When I check the certificate in FileMaker Pro, the intermediate certificate is valid but the last level isn't.

              FM_Cert.jpg

              In this "not valid" certificate it's also mentioned:

              Purpose #1: Server authentication

              Purpose #2: Client authentication

               

              When I check the certificate in FMS I have

              FMS_Cert.jpg

               

              My GoDaddy certificate allows up to 5 domains (GoDaddy Standard UCC SSL Certificate), I use 3.

              GoDaddy_Cert.jpg

               

              Do you have any suggestion why I have this orange padlock?

              Should I have a wildcard certificate?

              What kind of certificate are you using?

               

              Regards

              Ben

              • 4. Re: How to… multiple certificate
                CICT

                Hi Ben

                 

                It is a little difficult to diagnose without knowing the actual host name, but the FMS screen shot does state that it is a host name mismatch. I think I'd assumed you were using a wildcard certificate as you were trying to use the same certificate on 2 different servers. If it isn't, then you need a certificate that matches the host name of each server. I'm afraid I don't know how the Go Daddy certificates work, but if you had FMS1.domain1.com and FMS1.domain2.com from what you said, then the certificate should work, assuming the certificate works as you describe allowing up to 5 domain names. However, what wouldn't work is FMS1.domain1.com and FMS2.domain1.com as the actual hostname has changed. The simplest thing is either 2 certificates to match the 2 server FQDNs or a wildcard.

                 

                We name our servers in the admin console using the FQDN (fmservername@domainname.com) and each certificate installed on that server must either be a wildcard or a specific certificate for that server (using a GeoTrust TrueBusinessID wildcard certificate).

                 

                You've mentioned you've already setup internal DNS's so assuming you're using these internally for the FileMaker hostname within FileMaker Pro, it is likely to be the above. If you use an IP address to connect internally, then again you won't get the green padlock.

                 

                All the best

                Andy

                1 of 1 people found this helpful
                • 5. Re: How to… multiple certificate
                  bkaisin

                  As you can see in my previous image (Godaddy_cert) I can specify alternative names (subdomain) for the certificate.

                  Alternative names are considered as other websites, as they say: Secure up to 5 websites.

                  Any subdomain is considered a website for the certificate, as I understood.

                  I chose the UCC/SAN SSL certificate with GoDaddy:

                  SSL Certificate - GoDaddy

                   

                  I used 3 of 5 alternative names: mydomain.com, db.mydomain.com and fm.mydomain.com.

                  fm. and db. are subdomains of the same domain name.

                  GoDaddy_Cert.jpg

                   

                  When I try to add *.mydomain.com, I get a message that my SSL certificate does not support wildcard.

                  It should support Servers

                  FM_autorisation.jpg

                   

                  So my question is: Does FMS absolutely need a wildcard certificate?

                  Any idea of my mistake/misunderstanding?

                   

                  Regards

                  Ben

                  • 6. Re: How to… multiple certificate
                    CICT

                    Hi Ben

                     

                    Absolutely FileMaker Server does not need a wildcard certificate. Again my knowledge of the way the Go Daddy certificate works is the problem here, but what you would do normally is to create a certificate request from FMS1 and subsequently install that certificate, and independently you would do the same for FMS2 - 1 dedicated certificate per server.

                     

                    I've had a look at the Go Daddy site and it doesn't look as if you can just use the same certificate on both servers, which is what you were originally asking. However, your certificate should work. I've found this, which may help: Adding or dropping Subject Alternative Names from UCC certificates | SSL Certificates - GoDaddy Help GB

                     

                    It does look as if you need to generate each certificate independently, in other words you can't use it as you would a wildcard, which does allow you to share the certificate across different servers.

                     

                    Kind regards

                     

                    Andy

                    1 of 1 people found this helpful
                    • 7. Re: How to… multiple certificate
                      bkaisin

                      There are 2 problems:

                       

                      1) Orange padlock in FileMaker

                      2) How to install 1 certificate on 2 FMS.

                       

                      1) I tried to rekey with only 1 subdomain and I get the same problem.

                      This is my major problem now because I have to find the solution before going to my other site 7500 km away and fixing the 2nd problem.

                       

                      2) I have good hope that it will work as you told me -> installing the same certificate on both sites.

                      I have 1 domain name and 2 subdomains linked to this domain name.

                      Both subdomains are redirected to the IP address of each FMS.

                      My certificate allows me up to 5 domain names (alternative names).

                      I can't check now if it will work with the same certificate -> 1 location is far from here, and I have to go there to fix a router/network problem first. Then install the certificate.

                       

                      Regards

                      Ben, trying to find out why he gets an orange padlock

                      • 8. Re: How to… multiple certificate
                        CICT

                        Hi Ben

                         

                        We need to clarify a couple of things. First, if you don't have a wildcard certificate you cannot install the one certificate on both servers (to be accurate, you can install it, but you won't get a secure connection).

                         

                        Secondly, I don't see the Multi-domain SSL certificate listed within the FileMaker list of supported certificates at Configuring security for FileMaker Server 15 and higher | FileMaker, only the GoDaddy Standard SSL, so there is no guarantee it will. However, there is reference to this at: Multi-domain SSL Certificate and FileMaker Server 15+? (however, beware on this thread as they are not trying to do what you are doing).

                         

                        Third, and I'm doing a degree of guessing here due to never having used a multi-domain certificate, but have you added both the server FQDNs to the UCC certificate (adding the subject alternative names)? If you do you should get a certificate that will support both, and generate the certificate and intermediate certificate from here. What I can't find is whether you can generate the CSR from GoDaddy (Generate a CSR (certificate signing request) | SSL Certificates - GoDaddy Help GB), hopefully someone more familiar with their certification process can help. Both Adding or dropping Subject Alternative Names from UCC certificates | SSL Certificates - GoDaddy Help GB and Rekey certificate | SSL Certificates - GoDaddy Help GB help with the post-CSR process.

                         

                        You could try generating independent CSRs on each of your FileMaker Servers and paste one of these into the CSR for the rekeying, but I believe I've read that if you replace one certificate with another (for instance, trying to use 2 CSRs) the first certificate will be expired after 72 hours, leaving one of your servers without an active certificate.

                         

                        I'm probably not the best person to continue this due to my lack of knowledge of GoDaddy and their UCC certificates and hopefully someone will jump in to fill in the missing gaps.

                         

                        Good luck

                         

                        Andy

                        2 of 2 people found this helpful
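The host name mismatch Andy describes in replies 4 and 8 comes down to one rule: the name the client typed must appear in the certificate's Subject Alternative Names, either literally or via a wildcard that covers exactly one label. The Python below is an added example written for this thread, not code from FileMaker, GoDaddy or any poster; the SAN lists are constructed from the names mentioned in the thread (mydomain.com, db.mydomain.com, fm.mydomain.com) and the extra host names (fms2.mydomain.com, a LAN IP address, a short NetBIOS-style name) are hypothetical. It shows why a UCC certificate works on two servers only when both FQDNs are listed, and why connecting by IP address or a short local name can never produce a green padlock.

```python
"""Hostname-vs-certificate matching in the spirit of RFC 6125 section 6.4.3.

Added example for the FileMaker Server certificate discussion. The SAN lists
below are constructed; a real check would read them from the certificate's
subjectAltName extension.
"""
import ipaddress

# Constructed: a multi-domain (UCC/SAN) certificate with the three names from
# the thread, and a wildcard certificate for the same zone.
UCC_CERT_SANS = ["mydomain.com", "db.mydomain.com", "fm.mydomain.com"]
WILDCARD_CERT_SANS = ["*.mydomain.com", "mydomain.com"]


def _is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, which dNSName entries never cover."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, case-insensitively.

    A wildcard is accepted only as the entire leftmost label and it matches
    exactly one label: "*.mydomain.com" covers "fm.mydomain.com" but neither
    "mydomain.com" nor "a.b.mydomain.com". Patterns like "*.com" are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, san_dns_names: list) -> bool:
    """True if the name the client typed is covered by the certificate's SANs.

    An IP literal is not compared against dNSName entries at all, which is why
    a connection made by IP address is reported as a mismatch even when the
    certificate itself is perfectly valid.
    """
    if _is_ip_literal(hostname):
        return False
    return any(dns_name_matches(san, hostname) for san in san_dns_names)


def padlock_report(hostnames, san_dns_names):
    """Return {hostname: 'green'|'mismatch'} for a set of ways to address a server."""
    return {h: ("green" if cert_covers(h, san_dns_names) else "mismatch")
            for h in hostnames}


if __name__ == "__main__":
    # Hypothetical ways a FileMaker Pro client might address the servers.
    tried = ["fm.mydomain.com", "DB.mydomain.com", "fms2.mydomain.com",
             "192.168.1.20", "fms1", "a.b.mydomain.com"]
    for label, sans in (("UCC certificate", UCC_CERT_SANS),
                        ("Wildcard certificate", WILDCARD_CERT_SANS)):
        print(label, padlock_report(tried, sans))
```

The UCC certificate gives a secure connection for fm.mydomain.com and db.mydomain.com but not for a second server named fms2.mydomain.com unless that FQDN is added as a further SAN, which is Andy's point about adding both server FQDNs; the wildcard covers any single-label host in the zone, which is why it can be shared between servers without re-issuing.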
                        • 9. Re: How to… multiple certificate
                          bkaisin

                          Bingo!

                          I get a green padlock in my local network.

                           

                          When you choose "Open Remote" with FM, by default the dialog shows you the local server.

                          When you select the server and you open a file you get the orange padlock because there are no references to the secure domain name.

                          You have to click on the + button to create a new host and type your domainname.com.

                          Then select this connection and when you open a file you get a green padlock.

                           

                          It's so simple that I bypassed it; I thought the domain name had to be put into the FMS console and of course I didn't find it. I have been reading A LOT of docs on the net, but I didn't find this info anywhere.

                           

                          Thank you all of you

                          Ben

                          1 of 1 people found this helpful
                          • 10. Re: How to… multiple certificate
                            CICT

                            Hi Ben

                             

                            That is great news, I'm glad it was at that simple level. Looking back at my replies, I should have been more clear above, when I wrote:

                             

                            You've mentioned you've already setup internal DNS's so assuming you're using these internally for the FileMaker hostname within FileMaker Pro, it is likely to be the above. If you use an IP address to connect internally, then again you won't get the green padlock.

                             

                            I wrongly assumed that as you'd setup internal DNS you were using references to them within FileMaker Pro. Sorry, I should have made that clearer and spelled it out in more detail.

                             

                            I'm very glad to hear this is now behind you.

                             

                            Kindest regards

                             

                            Andy

                            1 of 1 people found this helpful
                            • 11. Re: How to… multiple certificate
                              bkaisin

                              You are right Andy,

                               

                              I read your comment but I didn't know how to specify it in FM (I never used/paid attention to the + button); I was looking in FMS.

                              About the DNS, I created an A record for each subdomain pointing to the right server + configured my router to the FMS.

                               

                              Thank you again

                               

                              Regards

                              Ben