Using the CLI certificate command
Use the CLI certificate command to create a signed certificate matching the server name or domain name system (DNS) name for a fully secure SSL connection with FileMaker Server.
FileMaker Server ships with a default certificate that is installed on the Database Server and a root certificate that ships with the FileMaker Pro and FileMaker Go software. If you are using this certificate, make sure that the server certificate is installed on the machine running the Database Server, and the client certificate is installed on the FileMaker Pro and FileMaker Go client computers.
You can use the certificate command and request a signed certificate from a CA that matches your specific server name or DNS name. A CA issues digital certificates that contain a public key and the identity of the owner. When you create the certificate request, a private key is generated that corresponds to the public key.
- Use the certificate create command to create the certificate request file that you send to the CA (serverRequest.pem), plus an encrypted private key file that is used by the certificate import command (serverKey.pem).
- Use the certificate import command to create a custom server .pem file. This custom server .pem file combines the certificate file that you receive from the CA with the encrypted private key file created by the certificate create command.
The certificate create command creates two output files:
- the certificate request file: serverRequest.pem
  Submit the serverRequest.pem file to the CA using the process provided by the CA.
- the encrypted private key file: serverKey.pem
  The certificate import command combines this file with the certificate file returned to you by the CA.
Note Use an encryption password for a private key when creating a server request. For example: certificate create --keyfilepass exampleSecretPassphrase
Note To write information to the serverKey.pem file, you must have administrator privileges. If you don't have administrator privileges, Windows, macOS, or Linux generates an error. To prevent this error:
- Windows (FileMaker Server only): Open the command prompt window using Run as Administrator.
- macOS or Linux: Authenticate as sudo to run commands as the superuser.
Format
fmsadmin certificate create server_name
fmsadmin certificate create subject
fmsadmin certificate import certificate_file
Options
server_name | subject
server_name or subject is required for the certificate create command.
server_name is the value used by clients to open hosted files with the FileMaker Network protocol, fmnet.
For example, if FileMaker Pro clients use fmnet:/salesdbs.mycompany.com/sales (FileMaker Server only) or claris:/salesdbs.mycompany.com/sales (Claris Server) to open the hosted database Sales, then use the following command with salesdbs.mycompany.com as the server_name:
fmsadmin certificate create salesdbs.mycompany.com --keyfilepass exampleSecretPassphrase
subject may be used to include more information than the server name. (Some certificate authorities require additional information.) subject uses the same syntax as the argument in the openssl req [-subj arg] command:
- subject is not case sensitive.
- subject must be formatted as /type0=value0/type1=value1/type2=..., where each type=value pair is an attribute type and a value specifying a relative distinguished name.
- Use the backslash character (\) to escape special characters.
- Use double quotation marks to enclose the subject string if it includes space characters.
For example, to use the DNS common name salesdbs.mycompany.com and the country value US, use the following command:
fmsadmin certificate create /CN=salesdbs.mycompany.com/C=US --keyfilepass exampleSecretPassphrase
The following example shows additional attributes that may be specified using the subject option:
fmsadmin certificate create "/CN=ets-srvr.filemaker.com/O=FileMaker DBS Test/C=US/ST=California/L=Santa Clara" --keyfilepass exampleSecretPassphrase
Options
certificate_file
certificate_file is required for the certificate import command.
certificate_file is the full pathname to the custom SSL certificate file that you received from the CA. You may use an absolute pathname or a relative pathname.
For example, if the certificate file is c:\Documents\signedCertificate.crt, then use the following command:
fmsadmin certificate import c:\Documents\signedCertificate.crt
The certificate import command combines the signed certificate file with the serverKey.pem file and creates a file called serverCustom.pem. The serverCustom.pem file is created in the CStore folder:
- Windows (FileMaker Server only): [drive]:\Program Files\FileMaker\FileMaker Server\CStore\serverCustom.pem
- macOS (FileMaker Server only): /Library/FileMaker Server/CStore/serverCustom.pem
- Linux (FileMaker Server only): /opt/FileMaker/FileMaker Server/CStore/serverCustom.pem
- Linux (Claris Server): /opt/Claris/Server/CStore/serverCustom.pem
To use the certificate import command:
- Windows (FileMaker Server only): You must have administrator permission to the CStore folder.
- macOS and Linux: You must have read and write access permissions to the CStore folder.
After using the certificate import command, you must restart the Database Server. After restarting, if the Database Server is unable to find serverCustom.pem, it will use the default server.pem file.
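
Because the Database Server falls back to the default server.pem when serverCustom.pem is unusable, it helps to check the request and the file returned by the CA before running certificate import. The following is an added example, not part of the FileMaker documentation: it uses only standard openssl subcommands, assumes PEM-encoded files, and the function names check_request and check_signed_cert are illustrative.

```shell
#!/bin/sh
# Added example (not from the FileMaker documentation): pre-import checks
# using only openssl. Function names are illustrative; inputs must be PEM.

# check_request CSR SERVER_NAME
# 0 = OK, 1 = CSR self-signature invalid, 2 = CN differs from SERVER_NAME.
check_request() {
    # Match on the message text rather than the exit status, which is not
    # reliable across openssl versions.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR self-signature did not verify" >&2; return 1; }
    cn=$(openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p')
    # DNS names are case-insensitive, so compare in lower case.
    [ "$(printf %s "$cn" | tr 'A-Z' 'a-z')" = "$(printf %s "$2" | tr 'A-Z' 'a-z')" ] ||
        { echo "CSR CN '$cn' does not match '$2'" >&2; return 2; }
}

# check_signed_cert CSR CERT SERVER_NAME
# 0 = OK, 3 = certificate key differs from the CSR key (so it cannot pair
# with serverKey.pem), 4 = certificate expired, 5 = SERVER_NAME not covered.
check_signed_cert() {
    # Comparing public keys avoids having to decrypt serverKey.pem.
    k=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ] ||
        { echo "certificate was not issued for this request's key" >&2; return 3; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 4; }
    # -checkhost tests subjectAltName entries (falling back to the CN) and
    # reports the result as text.
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q "does match" ||
        { echo "certificate does not cover '$3'" >&2; return 5; }
}
```

Call check_request serverRequest.pem salesdbs.mycompany.com before submitting the request, and check_signed_cert serverRequest.pem signedCertificate.crt salesdbs.mycompany.com before certificate import.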