CERTIFICATE command
Format
fmsadmin CERTIFICATE CREATE server_name
fmsadmin CERTIFICATE CREATE subject
fmsadmin CERTIFICATE IMPORT certificate_file
Description
Use the CERTIFICATE command to create a signed certificate matching the server name or domain name system (DNS) name for a fully secure SSL connection with FileMaker Server.
FileMaker Server ships with a default certificate that is installed on the Database Server and a root certificate that ships with the FileMaker Pro and FileMaker Go software. If you are using this certificate, make sure that the server certificate is installed on the machine running the Database Server, and the client certificate is installed on the FileMaker Pro and FileMaker Go client computers.
You can use the CERTIFICATE command and request a signed certificate from a certificate authority (CA) that matches your specific server name or DNS name. A CA issues digital certificates that contain a public key and the identity of the owner. When you create the certificate request, a private key is generated that corresponds with the public key.
Use the CERTIFICATE CREATE command to create the certificate request file that you send to the certificate authority (serverRequest.pem), plus an encrypted private key file that is used by the CERTIFICATE IMPORT command (serverKey.pem).
CREATE CERTIFICATE command output diagram
Use the CERTIFICATE IMPORT command to create a custom server .pem file that combines the certificate file that you get back from the certificate authority with the encrypted private key file created by the CERTIFICATE CREATE command.
CREATE IMPORT command output diagram
Note  To write information to the serverKey.pem file, you must have administrator privileges; otherwise, Windows or OS X will generate an error. To prevent this, do the following:
Windows: Open the command prompt window using Run as Administrator.
OS X: Authenticate as sudo to run commands as the superuser.
Options
server_name | subject
server_name or subject is required for the CERTIFICATE CREATE command.
server_name is the value used by clients to open hosted files with the FileMaker Network protocol, fmnet.
For example, if FileMaker Pro clients use fmnet:/salesdbs.mycompany.com/sales to open the hosted database sales, then use the following command with salesdbs.mycompany.com as the server_name:
fmsadmin certificate create salesdbs.mycompany.com
subject may be used to include more information than the server name. (Some certificate authorities require additional information.) subject uses the same syntax as the argument in the openssl req [-subj arg] command:
subject is not case sensitive.
subject must be formatted as /type0=value0/type1=value1/type2=..., where each type=value pair is an attribute type and value specifying a relative distinguished name.
Use the backslash character (\) to escape special characters.
Use quotation marks to enclose the subject string if it includes space characters.
For example, to use the DNS common name salesdbs.mycompany.com and the country value US, use the following command:
fmsadmin certificate create /CN=salesdbs.mycompany.com/C=US
The following example shows additional attributes that may be specified using the subject option:
fmsadmin certificate create "/CN=ets-srvr.filemaker.com/O=FileMaker DBS Test/C=US/ST=California/L=Santa Clara"
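The subject rules above can be checked before running CERTIFICATE CREATE. The following is an added example, not part of the FileMaker documentation or software: parse_subject and check_subject are hypothetical helper names, and comparing the CN value with the host name that clients use in their fmnet address is an assumption drawn from the server_name description.

```python
def parse_subject(subject):
    """Split '/type0=value0/type1=value1' into [(TYPE, value), ...]."""
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    pairs, name, value, in_value = [], "", "", False
    i = 1
    while i <= len(subject):
        ch = subject[i] if i < len(subject) else "/"  # virtual terminator
        if ch == "\\":
            if i + 1 >= len(subject):
                raise ValueError("backslash at end of subject")
            # The escaped character is taken literally, e.g. '\/' in a value.
            if in_value:
                value += subject[i + 1]
            else:
                name += subject[i + 1]
            i += 2
            continue
        if ch == "/":
            # Strict on purpose: empty pairs and a trailing '/' are rejected.
            if not name or not in_value:
                raise ValueError("expected type=value before offset %d" % i)
            pairs.append((name.upper(), value))  # types are not case sensitive
            name, value, in_value = "", "", False
        elif ch == "=" and not in_value:
            in_value = True
        elif in_value:
            value += ch
        else:
            name += ch
        i += 1
    return pairs


def check_subject(subject, client_host):
    """Return (command_line, problems) for a CERTIFICATE CREATE subject."""
    problems = []
    names = [v.lower() for t, v in parse_subject(subject) if t == "CN"]
    if not names:
        problems.append("no CN attribute")
    elif client_host.lower() not in names:
        problems.append("CN does not match client host " + client_host)
    # Enclose the subject in quotation marks when it contains spaces.
    arg = '"%s"' % subject if " " in subject else subject
    return "fmsadmin certificate create " + arg, problems
```
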
The CERTIFICATE CREATE command creates two output files:
The certificate request file: serverRequest.pem.
Submit the serverRequest.pem file to the certificate authority using the process provided by the certificate authority.
The encrypted private key file: serverKey.pem.
The CERTIFICATE IMPORT command combines this file with the certificate file returned to you by the certificate authority.
certificate_file
certificate_file is required for the CERTIFICATE IMPORT command.
certificate_file is the full pathname to the signed certificate file that you received from the certificate authority. You may use an absolute pathname or a relative pathname.
For example, if the certificate file is c:\Documents\signedCertificate.crt, then use the following command:
fmsadmin certificate import c:\Documents\signedCertificate.crt
The CERTIFICATE IMPORT command combines the signed certificate file with the serverKey.pem file and creates a file called serverCustom.pem. The serverCustom.pem file is created in the CStore folder:
Windows: [drive]:\Program Files\FileMaker\FileMaker Server\CStore\serverCustom.pem
OS X: /Library/FileMaker Server/CStore/serverCustom.pem
Note  To use the CERTIFICATE IMPORT command:
Windows: You must have administrator permission to the CStore folder.
OS X: You must have read and write access permissions to the CStore folder.
After using the CERTIFICATE IMPORT command, you must restart the Database Server.
When the Database Server starts, if it is unable to find serverCustom.pem, it will use the default server.pem file.
For more information about enabling SSL, see Securing your data and Database Server security settings.
Notes
The signed certificate must use base-64 encoding.
FileMaker Server does not support validation using a certificate revocation list (CRL validation).
For more information about supported certificates, check the FileMaker Knowledge Base at help.filemaker.com.
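Certificate authorities often return certificates in binary DER form, which does not meet the base-64 requirement above. The following added example (not FileMaker code) classifies a certificate file's bytes before CERTIFICATE IMPORT and, going one step beyond the note, wraps DER bytes in base-64 armor. It assumes that "base-64 encoding" means the usual BEGIN CERTIFICATE/END CERTIFICATE text form. The function names and SAMPLE_DER are hypothetical, and the check is structural only (it does not validate the certificate).

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def der_length_ok(der):
    """True if the bytes are one DER SEQUENCE spanning the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def classify_certificate(data):
    """Return 'pem', 'der' or 'unknown' for the bytes of a certificate file."""
    m = PEM_RE.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            return "unknown"
        return "pem" if der_length_ok(body) else "unknown"
    return "der" if der_length_ok(data) else "unknown"


def der_to_pem(der):
    """Wrap DER bytes in base-64 armor with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: a 4-byte header plus 300 filler bytes, shaped like a
# DER SEQUENCE. It is not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x2C]) + bytes(300)
```
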