Using the CLI certificate command
Use the CLI certificate command to create a signed certificate matching the server name or domain name system (DNS) name for a fully secure SSL connection with FileMaker Server.
FileMaker Server ships with a default certificate that is installed on the Database Server and a root certificate that ships with the FileMaker Pro and FileMaker Go software. If you are using this certificate, make sure that the server certificate is installed on the machine running the Database Server, and the client certificate is installed on the FileMaker Pro and FileMaker Go client computers.
You can use the certificate command and request a signed certificate from a CA that matches your specific server name or DNS name. A CA issues digital certificates that contain a public key and the identity of the owner. When you create the certificate request, a private key is generated that corresponds to the public key.
- Use the certificate create command to create the certificate request file that you send to the CA (serverRequest.pem), plus an encrypted private key file that is used by the certificate import command (serverKey.pem).
- Use the certificate import command to create a custom server .pem file. This custom server .pem file combines the certificate file that you receive from the CA with the encrypted private key file created by the certificate create command.
The certificate create command creates two output files:
- the certificate request file: serverRequest.pem
  Submit the serverRequest.pem file to the CA using the process provided by the CA.
- the encrypted private key file: serverKey.pem
  The certificate import command combines this file with the certificate file returned to you by the CA.
Note Use an encryption password for a private key when creating a server request. For example:
certificate create --keyfilepass exampleSecretPassphrase
Note To write information to the serverKey.pem file, you must have administrator privileges. If you don't have administrator privileges, Windows, macOS, or Linux generates an error. To prevent this error:
Windows: Open the command prompt window using Run as Administrator.
macOS or Linux: Use sudo to run commands as the superuser.
fmsadmin certificate create server_name
fmsadmin certificate create subject
fmsadmin certificate import certificate_file
server_name | subject
subject is required for the certificate create command.
server_name is the value used by clients to open hosted files with the FileMaker Network protocol, fmnet.
For example, if FileMaker Pro clients use fmnet:/salesdbs.mycompany.com/sales to open the hosted database Sales, then use the following command with salesdbs.mycompany.com as the server_name:
fmsadmin certificate create salesdbs.mycompany.com --keyfilepass exampleSecretPassphrase
subject may be used to include more information than the server name. (Some certificate authorities require additional information.)
subject uses the same syntax as the argument in the openssl req [-subj arg] command:
- subject is not case sensitive.
- subject must be formatted as
  type=value pair is an attribute type and a value specifying a relative distinguished name.
- Use the backslash character (\) to escape special characters.
- Use double quotation marks to enclose the subject string if it includes space characters.
For example, to use the DNS common name salesdbs.mycompany.com and the country value US, use the following command:
fmsadmin certificate create /CN=salesdbs.mycompany.com/C=US --keyfilepass exampleSecretPassphrase
The following example shows additional attributes that may be specified using the subject option:
fmsadmin certificate create "/CN=ets-srvr.filemaker.com/O=FileMaker DBS Test/C=US/ST=California/L=Santa Clara" --keyfilepass exampleSecretPassphrase
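A pre-flight check for the subject string, added here as an example (it is not FileMaker's code): it parses the /type=value form used in the examples above, including backslash escapes, and confirms that the CN equals the host in the fmnet URL that clients use. The function names and the KNOWN_TYPES allow-list are assumptions made for this example.

```python
# Attribute types seen in this page's examples (assumed allow-list, not exhaustive).
KNOWN_TYPES = {"CN", "O", "C", "ST", "L"}

def parse_subject(subject):
    """Split '/type=value/...' into (TYPE, value) pairs, honouring backslash escapes."""
    if not subject.startswith("/"):
        raise ValueError("subject must begin with '/'")
    pairs, field = [], []
    chars = iter(subject[1:] + "/")          # trailing '/' flushes the last pair
    for ch in chars:
        if ch == "\\":                       # backslash: next character is literal
            field.append(next(chars, ""))
        elif ch == "/":                      # unescaped '/' ends one pair
            attr, sep, value = "".join(field).partition("=")
            if not (attr and sep and value):
                raise ValueError("not a type=value pair: %r" % "".join(field))
            pairs.append((attr.upper(), value))   # types are not case sensitive
            field = []
        else:
            field.append(ch)
    if field:                                # the flushing '/' itself was escaped
        raise ValueError("subject ends with a dangling backslash")
    return pairs

def host_from_fmnet(url):
    """Extract the host from an fmnet URL such as fmnet:/host/database."""
    scheme, _, rest = url.partition(":")
    if scheme.lower() != "fmnet":
        raise ValueError("not an fmnet URL")
    return rest.lstrip("/").split("/")[0]

def check_subject(subject, fmnet_url):
    """Return a list of problems; an empty list means the subject looks consistent."""
    host, problems = host_from_fmnet(fmnet_url), []
    pairs = parse_subject(subject)
    names = [v for t, v in pairs if t == "CN"]
    if len(names) != 1:
        problems.append("expected exactly one CN, found %d" % len(names))
    elif names[0].lower() != host.lower():
        problems.append("CN %r does not match client host %r" % (names[0], host))
    for t, v in pairs:
        if t not in KNOWN_TYPES:
            problems.append("unrecognised attribute type %r" % t)
        elif t == "C" and len(v) != 2:
            problems.append("C must be a two-letter country code, got %r" % v)
    return problems

def needs_quotes(subject):
    return " " in subject   # page: enclose the subject in quotes if it has spaces
```

An empty list from check_subject means the CN matches the name clients connect to; needs_quotes tells you whether the string must be wrapped in double quotation marks on the command line.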
certificate_file is required for the certificate import command.
certificate_file is the full pathname to the custom SSL certificate file that you received from the CA. You may use an absolute pathname or a relative pathname.
For example, if the certificate file is c:\Documents\signedCertificate.crt, then use the following command:
fmsadmin certificate import c:\Documents\signedCertificate.crt
The certificate import command combines the signed certificate file with the serverKey.pem file and creates a file called serverCustom.pem. The serverCustom.pem file is created in the CStore folder:
Windows: [drive]:\Program Files\FileMaker\FileMaker Server\CStore\serverCustom.pem
macOS: /Library/FileMaker Server/CStore/serverCustom.pem
Linux: /opt/FileMaker/FileMaker Server/CStore/serverCustom.pem
To use the certificate import command:
Windows: You must have administrator permission to the CStore folder.
macOS and Linux: You must have read and write access permissions to the CStore folder.
After using the certificate import command, you must restart the Database Server. After restarting, if the Database Server is unable to find serverCustom.pem, it will use the default server.pem file.