Using the CLI certificate command

Use the CLI certificate command to create a signed certificate matching the server name or domain name system (DNS) name for a fully secure SSL connection with FileMaker Server.

FileMaker Server ships with a default certificate that is installed on the Database Server and a root certificate that ships with the FileMaker Pro and FileMaker Go software. If you are using this certificate, make sure that the server certificate is installed on the machine running the Database Server, and the client certificate is installed on the FileMaker Pro and FileMaker Go client computers.

You can use the certificate command and request a signed certificate from a CA that matches your specific server name or DNS name. A CA issues digital certificates that contain a public key and the identity of the owner. When you create the certificate request, a private key is generated that corresponds to the public key.

  • Use the certificate create command to create the certificate request file that you send to the CA (serverRequest.pem), plus an encrypted private key file that is used by the certificate import command (serverKey.pem).

  • Diagram showing certificate create command that creates serverRequest pem and serverKey pem files

    The certificate create command creates two output files:

    • the encrypted private key file: serverRequest.pem

      Submit the serverRequest.pem file to the CA using the process provided by the CA.

    • the encrypted private key file: serverKey.pem

      The certificate import command combines this file with the certificate file returned to you by the CA.

    Note  Use an encryption password for a private key when creating a server request. For example: certificate create --keyfilepass exampleSecretPassphrase

  • Use the certificate import command to create a custom server .pem file. This custom server .pem file combines the certificate file that you receive from the CA with the encrypted private key file created by the certificate create command.

  • Diagram showing certificate import command that creates a serverCustom pem from certificate and serverKey.pem files

Note  To write information to the serverkey.pem file, you must have administrator privileges. If you don’t have administrator privileges, Windows, macOS or Linux generates an error. To prevent this error:

  • Windows (FileMaker Server only): Open the command prompt window using Run as Administrator.

  • macOS or Linux: Authenticate as sudo to run commands as the superuser.

Format

fmsadmin certificate create server_name

fmsadmin certificate create subject

fmsadmin certificate import certificate_file

Options

server_name | subject

server_name or subject is required for the certificate create command.

server_name is the value used by clients to open hosted files with the FileMaker Network protocol, fmnet.

For example, if FileMaker Pro clients use fmnet:/salesdbs.mycompany.com/sales (FileMaker Server only) or claris:/salesdbs.mycompany.com/sales (Claris Server) to open the hosted database Sales, then use the following command with salesdbs.mycompany.com as the server_name:

fmsadmin certificate create salesdbs.mycompany.com --keyfilepass exampleSecretPassphrase

subject may be used to include more information than the server name. (Some certificate authorities require additional information.) subject uses the same syntax as the argument in the openssl req [-subj arg] command:

  • subject is not case sensitive.

  • subject must be formatted as /type0=value0/type1=value1/type2=..., where each type=value pair is an attribute type and a value specifying a relative distinguished name.

  • Use the backslash character (\) to escape special characters.

  • Use double quotation marks to enclose the subject string if it includes space characters.

For example, to use the DNS common name salesdbs.mycompany.com and the country value US, use the following command:

fmsadmin certificate create /CN=salesdbs.mycompany.com/C=US --keyfilepass exampleSecretPassphrase

The following example shows additional attributes that may be specified using the subject option:

fmsadmin certificate create "/CN=ets-srvr.filemaker.com/O=FileMaker DBS Test/C=US/ST=California/L=Santa Clara" --keyfilepass exampleSecretPassphrase

Options

certificate_file

certificate_file is required for the certificate import command.

certificate_file is the full pathname to the custom SSL certificate file that you received from the CA. You may use an absolute pathname or a relative pathname.

For example, if the certificate file is c:\Documents\signedCertificate.crt, then use the following command:

fmsadmin certificate import c:\Documents\signedCertificate.crt

The certificate import command combines the signed certificate file with the serverKey.pem file and creates a file called serverCustom.pem. The serverCustom.pem file is created in the CStore folder:

  • Windows (FileMaker Server only): [drive]:\Program Files\FileMaker\FileMaker Server\CStore\serverCustom.pem

  • macOS (FileMaker Server only): /Library/FileMaker Server/CStore/serverCustom.pem

  • Linux (FileMaker Server only): /opt/FileMaker/FileMaker Server/CStore/serverCustom.pem

  • Linux (Claris Server): /opt/Claris/Server/CStore/serverCustom.pem

To use the certificate import command:

  • Windows (FileMaker Server only): You must have administrator permission to the CStore folder.

  • macOS and Linux: You must have read and write access permissions to the CStore folder.

After using the certificate import command, you must restart the Database Server. After restarting, if the Database Server is unable to find serverCustom.pem, it will use the default server.pem file.