Hijack

Install Certs in FM16

3 posts in this topic

Posted (edited)

Wow.  Doesn't look like this board has seen any posts in several months.  Well, here goes.

Trying to get our FM16 server happy with ssl since it's more gripey about that sort of thing now.  Our company has a proper public wildcard cert purchased via Network Solutions.  I have the private and public keys separated out for easy access and the intermediate certs for the CA.

I am able to install the certs in the FM server console without issue but I only seem to be able to specify the first CA intermediate cert - "...OV Server CA 2" in the attached screenshot.  I have tried following the chain concatenation instructions here: https://help.filemaker.com/app/answers/detail/a_id/11413/

I have had to concatenate certs into a single file before for other apps so it's a familiar thing for me.  But, no matter what order I concatenate the chain certs into a single file, the FM16 console isn't happy with it.  Always says it can't import the "...OV Server CA 2" cert.  So, I have tried specifying just the "...OV Server CA 2" cert as the intermediate and I have even tried configuring the cert options without any intermediate and just referenced the private and public keys.  Those imports work... however...

When I connect to the server with the full FM16 client, I get the warning that 'FileMaker Pro can't verify the identity of "host.server.com:5003" '

When I view the cert presented on that warning dialog, it seems clean.  No host name warnings, no untrusted intermediary, all good.  I can continue on with the connection but the lock icon is red which is annoying.

So the question is...  How do I figure out what the fat client is unhappy with?  Heck, the cert chain thing may not even be related to this issue with the fat client.  Could just be a red herring.

Any clues?

Thanks all.

 

P.S. Connecting via WebDirect in a browser goes cleanly.  The cert is presented by FMS and the browser is happy with it so again, not sure why the fat client isn't happy.

-David

CertHierarchy.png

Edited by Hijack


Posted (edited)

I tinkered around and figured out a workaround.  Manually installing all of the intermediate certs to the Local Computer - Trusted Root Certification Authorities store has made the fat client happy.  Not sure why a browser is happy with the cert without that manual action but the fat client isn't.  But, anyway, that's a way of dealing with it for now.  Not optimal since it requires either a GPO to push out our intermediate certs or manually adding them to workstations that hit our FM16 server.

Edited by Hijack


You don't need to try and concatenate the intermediate cert into one file for regular FMS; that's needed only for the FM Cloud edition of FMS.

For regular FMS, you do need to import the intermediate cert and the regular cert (there's a button for each on the import dialog).
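An added example, not part of the thread: one way to check with the `openssl` command line whether a concatenated chain file is ordered leaf to root, and whether a server certificate chains to its root through the intermediates you plan to import. The certificates, subjects and file names are a throwaway PKI constructed for the demonstration; substitute your own PEM files.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (demo-root -> demo-int -> demo-leaf).
# All file names and subjects below are made up for the demonstration.

make_demo_pki() {   # $1 = output directory
    echo 'basicConstraints=critical,CA:TRUE' > "$1/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -set_serial 3 -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# Succeeds only if each certificate in a concatenated PEM file is issued by
# the certificate that follows it (leaf first, root last).
bundle_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { if (want != "" && substr($0, 9) != want) bad = 1 }
         /^issuer=/  { want = substr($0, 8) }
         END { exit bad + 0 }'
}

# Succeeds only if LEAF ($1) chains to ROOT ($3) through the intermediates
# supplied in $2; on failure openssl reports where chain building stopped.
check_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

demo=$(mktemp -d) && make_demo_pki "$demo"
cat "$demo/leaf.pem" "$demo/int.pem" "$demo/root.pem" > "$demo/good.pem"
cat "$demo/int.pem" "$demo/leaf.pem" "$demo/root.pem" > "$demo/bad.pem"
bundle_in_order "$demo/good.pem" && echo "good.pem: ordered leaf to root"
bundle_in_order "$demo/bad.pem"  || echo "bad.pem: out of order"
check_chain "$demo/leaf.pem" "$demo/int.pem" "$demo/root.pem"   # complete chain
check_chain "$demo/leaf.pem" "$demo/root.pem" "$demo/root.pem" ||
    echo "intermediate missing: chain cannot be built"
```
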
