taylorsharpe

FMS 13 Inexpensive SSL Certificate for Mac Development Machine

Discussion created by taylorsharpe on Jul 14, 2014
Latest reply on Jul 14, 2015 by shirley

This walks you through installing a certificate for a Mac server inexpensively. Why would I want to do this? Primarily because I want to use my server as a web page sometimes and I don't want people getting those certificate warning prompts in their web browsers. It really turns people away.

FileMaker has instructions on how to install a certificate, but it is a bit of a hassle and I didn't readily understand it on the first read. My criteria were that I wanted it for a Mac server that is a development machine in house and I did not want to spend more than the minimum amount of money needed for the certificate. First of all, FileMaker has very limited support of SSL providers and they are GeoTrust, Comodo, VeriSign, Thawte and GoDaddy (not using these will result in FileMaker Go connections not working).

When looking for domain services and wanting to be more on the cheap side of things (probably lesser quality too), I usually use GoDaddy. So I checked out the GoDaddy SSLs and their idea of cheap starts at $69.99 a year. Oh goodness, that isn't cheap and I'm not trying to secure a bank's computer... this is just my development machine. So I checked on the other approved SSL providers and they all are more expensive than GoDaddy except Comodo. Ahhhh.... something to check out!

If you go to the Comodo web site, it sells the SSL certificates for $64.95, very similar to GoDaddy. Not what I wanted. But if you go to a reseller, it is a whole different deal. I found a web site at www.ssls.com that resells Comodo SSL certificates for $25 for 5 years!!! That's only $4.99 a year! WOW!!! Now that is in my price range for a development machine. So I went to the web site. You will need to buy the "Comodo Positive SSL".

Once you buy the certificate, it is added to your account under the "My SSL Account" pull down and is unassigned. But to assign it, you need a CSR. So, go back to your Mac computer. Go to your admin console https://[My Server IP]:16000 (e.g., https://127.0.0.1:16000) and log in. Go to the "Database Server" tab in the left-hand column and then click the "Security" tab at the top. Look towards the bottom where it says "Secure Connections" and make sure the "Require secure connections" box is NOT checked (we will check it on later after installing the certificate).

At this point, I assume you have already bought a domain name for your server and configured it so that the domain is pointing to this IP (maybe a bad assumption). If you haven't, go buy one and set it up to point to this server IP. You must have a static IP to do this. I usually use GoDaddy or some other cheap domain name provider (don't buy anything else other than the domain... they will try to sell you all kinds of other things like hosting, email, etc.). This has to be working (test it) before proceeding.

The next step is to make sure you have write authority to the CStore folder. Go to Finder and click on the "Go" pull down menu and select "Go To Folder". When the dialog box comes up, put in "/Library/FileMaker Server/" (without the quotes). This will open a Finder window of the FileMaker Server folder and one of the folders is "CStore" which holds all of the certificate information. Click the CStore folder once and press "Command-I" for Get Info. At the bottom is an area called "Sharing & Permissions" (you may have to click the triangle to toggle it off and on). You should see three POSIX permissions for fmserver, fmsadmin and everyone. You need to add your name to the ACL. In the bottom right hand corner of the Get Info box is a padlock icon. Click it and enter your administrator user ID and password for the operating system. After this, go to the bottom left of the Get Info and click the Plus button to add yourself. It will pop up a dialog box with all of the accounts on the computer. Select the account you are using now. It will insert it at the top of the list of permissions and it will show the privilege of "Read only". Change that to "Read & Write". When you are done, it should look like this, only with your user name instead of "taylorsharpe":

[Screenshot: Untitled-1.jpg]

The next step is to create the PEM file that you will give to Namecheap, who will use it to return the certificate. Go to your Applications folder and then the Utilities sub folder and open the "Terminal" application. Before you go further, you are going to need to know your company name that the SSL will be under, and the Country, State and City you live in too. The command to issue to generate the PEM file is something like this:

fmsadmin certificate create "/CN=yourdomainname.com/O=My Company Name/C=country/ST=state name/L=city name"

So for my domain, it looked like:

fmsadmin certificate create "/CN=filemaker.taylormadeservices.com/O=Taylor Made Services/C=US/ST=Texas/L=Dallas"

FYI, the requirement to add the company and location information to the PEM file is a requirement of Comodo. Other certificate authorities don't require this. But since we want to go with the inexpensive one, this is what we have to do. Other certificate authorities often only require:

fmsadmin certificate create yourdomain.com

This creates a file in your CStore folder (see above) called "serverRequest.pem". Open this file with a text editor (I like TextWrangler or BBEdit) and you'll see a lot of code like:

-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request data]
-----END CERTIFICATE REQUEST-----

Copy everything from the Begin Certificate through the End Certificate lines into the clipboard (select All, Command-C).

Now go back to your www.ssls.com web site, which has probably logged out. So log back in, click "MySSL Account" pull down and then select to activate your certificate. Up will pop a big box to paste this PEM file into. Paste it in there and follow the instructions for putting your company information, address, phone number, emails in. After you do all of this, they will send you an email to confirm you are who you are. You will have to click on a link and paste a code back into their web page. Once you have confirmed your email, they will send you the certificate as a zip file in an email. When you get the zip file (mine took about 15 minutes to come back in my email), save it to your downloads folder and open it. It will have a CRT file in there that is your domain name with underscores instead of periods and it will end in ".CRT". So my domain name CRT file looked like "filemaker_taylormadeservices_com.CRT". This is what you have to import back into FileMaker with the certificate import command.

Go back to the Terminal application. You must know the file path to the CRT file. Mine was in my downloads folder, so it was at: "/Users/taylorsharpe/Downloads/filemaker_taylormadeservices_com/filemaker_taylormadeservices_com.CRT". With this location, here is what I needed to type into Terminal (this is all one line with no breaks... it is not two lines like displayed here):

fmsadmin certificate import /Users/taylorsharpe/Downloads/filemaker_taylormadeservices_com/filemaker_taylormadeservices_com.CRT

You now need to go back to your Admin Console under the Database Server in the left column and click the Security tab at the top and now turn on "Require secure connections" by clicking the check box. This will not take effect until you restart your server. Even then, it did not take immediate effect for me as I think the certificate authority was still authorizing. I went to bed and when I woke up, I could then navigate to http://filemaker.taylormadeservices.com/fmi/webd and up would pop all my web direct files and I could log in securely without getting the certificate warning.

So the above is my story on how to get a cheap SSL certificate for a development machine. But I will suggest if you have a production machine with valuable data on it, you will probably want to go with a more expensive certificate. This was only about getting the bare minimum to avoid the certificate warning and doing it on the cheap.
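Added example, not part of the original post: checks worth running before "fmsadmin certificate import", confirming that the CSR carries the subject you intended and that the returned certificate was issued for the same key pair and has not expired. It assumes the openssl command-line tool is installed; the host name filemaker.example.com, the file names and the self-signed stand-in for the CA's reply are constructed demo data.

```shell
#!/bin/sh
# Added example: pre-import checks using only the openssl CLI.

# Show the subject (CN, O, C, ST, L) the CSR actually carries.
csr_subject() { openssl req -in "$1" -noout -subject; }

# SHA-256 of the PEM public key inside a CSR ($1=req) or certificate ($1=x509).
# Fails if the file cannot be parsed, so two unreadable files never "match".
key_hash() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate was issued for the key pair behind the CSR.
crt_matches_csr() {
    a=$(key_hash req "$1") && b=$(key_hash x509 "$2") && [ "$a" = "$b" ]
}

# Succeeds only if the certificate has not expired yet.
crt_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# --- Constructed demo data (stand-ins, not real FileMaker Server files) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
SUBJ="/CN=filemaker.example.com/O=Example Co/C=US/ST=Texas/L=Dallas"
# Stand-in for the serverRequest.pem that fmsadmin writes into CStore.
openssl req -new -newkey rsa:2048 -nodes -keyout "$DEMO/server.key" \
    -out "$DEMO/serverRequest.pem" -subj "$SUBJ" 2>/dev/null
# Stand-in for the CA's reply: a certificate over the same key.
openssl x509 -req -in "$DEMO/serverRequest.pem" -signkey "$DEMO/server.key" \
    -days 30 -out "$DEMO/issued.crt" 2>/dev/null
# Same name but a different key, e.g. a certificate from an older request.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO/other.key" \
    -out "$DEMO/other.crt" -days 30 -subj "$SUBJ" 2>/dev/null

csr_subject "$DEMO/serverRequest.pem"
for crt in "$DEMO/issued.crt" "$DEMO/other.crt"; do
    if crt_matches_csr "$DEMO/serverRequest.pem" "$crt" && crt_not_expired "$crt"; then
        echo "OK to import: $(basename "$crt")"
    else
        echo "Do NOT import: $(basename "$crt") (key mismatch or expired)"
    fi
done
```

On a real server, point the functions at the serverRequest.pem in the CStore folder and at the .CRT file from the zip instead of the demo files.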