There is some useful information at:
However, there are a number of posts highlighting problems with the 2 machine deployment with FMS 13.0v5 and SSL certificates, such as:
We use the 2-machine deployment and have been testing the SSL certificate requirement using Windows Server VMs/FileMaker Server 13.0v5 and it has resulted in the hosted databases disappearing from FMP open remote. Reverting back to the supplied certificate has immediately resolved the problems.
We've only used certificates that are on FileMaker's approved list, but to date our live servers remain on FMS 13.0v4.
FMS' certificates do not come into play for protecting the traffic between the browser and the web server. For that you need a plain old web server certificate.
The FMS certificate protects the traffic between FMP/FMG and FMS and between the Web Publishing Engine and FMS.
FileMaker's article "List of supported SSL certificate types and vendors for FileMaker platform" is interesting as it recommends using custom SSL certificates if XML and PHP publishing are enabled, then goes on to say "The standard FileMaker SSL certificate installed by default is available for test purposes only. A custom SSL certificate is required for production use."
Then they discuss the lock icon behaviour with (in bold) "If security is important in your environment, your server administrator needs to install a custom SSL certificate."
So far each test we've carried out to obtain the green verified custom SSL certificate using FMS 13.0v5 has resulted in the files disappearing when trying to open them in FMP. We've had to revert to the supplied certificate each time.
This article implies that we should be installing verified certificates to follow best practices. As if having to run 2 servers wasn't expensive enough ;-)
Thanks for your warnings and your advice.
It's a pity that you are setting this up on Windows and not Mac, since by now you would have gone through just the procedure that I am searching for (ignoring the current issues that you are having).
I find it hard to believe that I can't find anyone here who is using a two (or three) machine setup on either FMS 12 or 13 who has installed an SSL certificate to protect the Web Server traffic.
Since on the Mac platform, FileMaker does not support FMS 12 or 13 installation alongside the Mac OS Server software on Mavericks or Yosemite, I would like to think that they would have provided details (somewhere?) on how to install the SSL certificate when the Mac OS is running just the client software.
Especially since they seem to insist that a full certificate be installed so as to be able to take advantage of some FMS deployment options (I think it's PHP and XML).
In my search I have checked out the 'FM13 WebDirect Guide', which doesn't even have the word 'Certificate' in the index! However it does point to the FMS 13 Help file for more details on this matter.
Here is the paragraph that applies (notice the reference to web browsers on the first line):
To verify your server name to clients and prevent web browsers from displaying certificate warnings, request a signed SSL certificate that matches your specific server name. You request a certificate from a trusted CA supported by FileMaker, Inc. Use the fmsadmin CERTIFICATE command to create a Certificate Signing Request (CSR), which you send to a CA, and a private key that you keep secret. See CERTIFICATE command for more information.
Unfortunately, there is no mention of a two machine setup here. If I was to install the certificate on the Master FMS machine, using the 'Certificate' command, will it protect the web server traffic on the Worker FMS machine - who knows?
A text search through the description of the 'Certificate' command in the FMS 13 Help file shows that the words 'Web' and 'Worker' are missing ...
Please understand that I can't even order the Certificate yet, since I don't know on which machine (Master or Worker) it will have to be installed.
Having just carried out a few tests in Terminal on the worker machine, I can see that the 'Certificate' command can be run on the worker machine as well as a few other commands ('fmsadmin start wpe' and 'fmsadmin stop wpe'), so perhaps installing the certificate on the worker machine using the 'Certificate' command is the way to go ... Does anyone have any confirmation of this?
Thanks - Alan Stirling
If I was to install the certificate on the Master FMS machine, using the 'Certificate' command, will it protect the web server traffic on the Worker FMS machine - who knows?
That part is very clear and also mentioned in the FMS help: an FMS certificate does NOT protect the traffic between the browser and the web server. Only between FMP/FMGo/WPE and FMS itself.
So in a ONE machine configuration, does it require a separate certificate for the web browser (and hence IWP) AND another for FMS (for FMPro/Go to FMS)?
I think yes if you are talking about FMS12. For the web browser, you need a separate "installation" on the web server, but you can use one cert for both FMS and the web server.
As of FMS13, one install is applied to both FMS and web server.
OTOH, there is a note:
"NOTE: If you are using a two-machine deployment, you must run the certificate import command on both machines."
but I doubt it, since the two-machine deployment needs two different certs, one for each server, so it is not only "must import". Isn't it?
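The question running through the posts above, whether one certificate can serve both machines of a two-machine deployment, comes down in part to which server names the certificate carries. The following is an added example, not part of the thread or of FileMaker's documentation: it checks name coverage only (not whether FileMaker supports a given certificate type), and the host names and certificate names in it are hypothetical, constructed values.

```python
# Added illustration; host names and certificate names are constructed.

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against a host name.

    A '*' is honoured only as the entire leftmost label and covers
    exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Conservative choice: refuse over-broad wildcards such as "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(common_name, subject_alt_names):
    """Names a client checks: SAN entries if present, otherwise the CN."""
    return list(subject_alt_names) if subject_alt_names else [common_name]


def coverage(common_name, subject_alt_names, machines):
    """Map each machine role to True/False: does the cert name that host?"""
    names = cert_names(common_name, subject_alt_names)
    return {role: any(name_matches(n, host) for n in names)
            for role, host in machines.items()}


# Constructed two-machine deployment (hypothetical host names).
MACHINES = {"master": "fms-master.example.com",
            "worker": "fms-worker.example.com"}

if __name__ == "__main__":
    candidates = {
        "single-name cert for master": ("fms-master.example.com", []),
        "cert with both names as SANs": ("fms-master.example.com",
                                         ["fms-master.example.com",
                                          "fms-worker.example.com"]),
        "wildcard cert": ("*.example.com", []),
    }
    for label, (cn, sans) in candidates.items():
        print(label, coverage(cn, sans, MACHINES))
```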
We got so fed up with all things certificates that we published our guide at http://www.filemakerdatabases.co.uk/pages/fms_ssl_setup.html
I'm afraid this is for our Windows servers, but the principles for both Mac and Windows 2-server configuration are the same. I hope this helps.