AnsweredAssumed Answered

Question on intermediate certificate imports in FMS 15

Question asked by jesse_s on Nov 30, 2017

Hello All,

 

I know that, as a topic, importing certificates into FMS has been discussed time and time again. I've found multiple other topics addressing the issue, but I was hoping to receive a positive confirmation for my specific situation.

 

I have a server (virtual server running Windows Server 2012 R2) on which FMS 15 is installed. It's a small installation with only a handful of databases and a hundred or so users, at a government agency. In an effort to meet some compliance guidelines I'm looking to enable encrypted communications, a relatively simple task with a major caveat: this agency requires the use of certificates signed by a government root CA, which are definitely not on the FM supported certificates list. I'm trying to determine whether the behavior I'm experiencing is due to user error or the fact that this is an unsupported CA.

 

Creating the certificate went smoothly: I generated the CSR via IIS (as an SAN is required), submitted it, and was then provided a signed certificate as well as 3 individual intermediate certs. Since I created the CSR via IIS I made sure to copy the private key file as well as the CSR file (serverKey.pem and serverRequest.pem, respectively) into the cstore folder of filemaker server. Additionally, I concatenated the three individual intermediate certificates into one file in the order dictated in the FMS guide, with no other text other than the '--begin certificate--', '--end certificate--' blocks and the certificate text itself. At this point all three files were ready for the import certificate UI: signedcert.cer, serverKey.pem, and intermediate_chain.pem.

 

The issue is this: when I attempt to import signedcert.cer as the certificate while also importing intermediate_chain.pem as the intermediate certificate file, I get the "Certificate could not be imported: Failed to verify the signed certificate and the intermediary certificate" error, and nothing imports. While experimenting to find a solution I decided to import only signedcert.cer while leaving the intermediate certificate field blank, and was surprised when it successfully imported! I checked IIS and saw the new entry, and the bindings for WebDirect all updated to the newly imported certificate automatically. Navigating to the WebDirect pages showed a green lock, and I thought I was in the clear. The problem came when I restarted the filemaker server service. When connecting to a database via Filemaker Pro I'm presented with the dreaded orange lock. I suspect it's because I was unable to import the intermediate certificates, since that seems to be the main issue and solution in most of the other threads on this topic, but I could also see it being due to user error somehow and was hoping that I could get an outside opinion.

 

Long story short: can successfully import certificate only when intermediate certificate field is left blank, but receive an orange lock in the client when I do. WebDirect successfully uses the certificate without issue.

 

Any help is greatly appreciated!

Outcomes