How to import certificates into certificate stores (ColdFusion)
For secure connections to remote servers over SSL, all current versions of ColdFusion require the remote system's SSL certificate to exist in ColdFusion's certificate truststore. This includes any calls from <cfdocument>, <cfhttp>, <cfldap>, etc.

The default truststore is the JRE's cacerts file. This file is typically located in the following places:

    Server Configuration: cf_root/runtime/jre/lib/security/cacerts
    Multiserver/J2EE on JRun 4 Configuration: jrun_root/jre/lib/security/cacerts
    Sun JDK installation: jdk_root/jre/lib/security/cacerts
    Consult the documentation for other J2EE application servers and JVMs.

Use the Java keytool (or a GUI wrapper) to import the remote server's SSL certificate into ColdFusion's truststore. The keytool is part of the Java SDK and can be found in the following places:

    Server Configuration: cf_root/runtime/bin/keytool
    Multiserver/J2EE on JRun 4 Configuration: jrun_root/jre/bin/keytool
    Sun JDK installation: jdk_root/bin/keytool
    Consult the documentation for other J2EE application servers and JVMs.

The Java 1.4.2 keytool has the following syntax for an import:

    -import [-v] [-noprompt] [-trustcacerts] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-provider <provider_class_name>]

The Java 1.6.0 keytool has the following syntax for an import:

    -importcert [-v] [-noprompt] [-trustcacerts] [-protected] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-providername <name>] [-providerclass <provider_class_name> [-providerarg <arg>]] [-providerpath <pathlist>]

The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.
To import a remote server's certificate from a certificate file into the JRE's truststore, type the following at a command prompt (run it from the directory that contains cacerts, or give the full path to the keystore):

    keytool -import -v -alias someServer-cert -file someServerCertFile.cer -keystore cacerts -storepass changeit

The default password for the cacerts truststore is "changeit". Without -keystore, keytool uses the .keystore file in your home directory rather than the JRE's cacerts file. You can confirm the import with the following single command:

    keytool -list -v -keystore cacerts -alias someServer-cert -storepass changeit

Note: If you are using JRun as the underlying J2EE server (either the Server Configuration or the Multiserver/J2EE with JRun Configuration) and have enabled SSL for the internal JRun Web server (JWS), you will need to import the certificate into the truststore defined in the jrun.xml file for the Secure JWS rather than the JRE keystore. By default, the file is called "trustStore" and is typically located under jrun_root/lib for the Multiserver/J2EE with JRun configuration or cf_root/runtime/lib for the ColdFusion Server configuration. You use the same Java keytool to manage the trustStore.

Additional Information

    ColdFusion MX: Configuring Secure SSL Connection with LDAP Directory Server (TechNote tn_19139)
    ColdFusion: Maximum SSL encryption levels by version (TechNote tn_18898)
    Importing RSA 2048- and 4096-bit certificates into cacerts (TechNote a0244636)
    Java Security Tools:
        http://java.sun.com/j2se/1.4.2/docs/tooldocs/tools.html#security
        http://java.sun.com/javase/6/docs/technotes/guides/security/SecurityToolsSummary.html

Doc ID (kb400977)
Last updated 2008-07-25
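The two pitfalls in the import procedure above are feeding keytool a PEM file when it expects DER and forgetting -keystore, which silently sends the certificate to ~/.keystore instead of the JRE's cacerts. The following wrapper is an added example, not part of the Adobe TechNote; it assumes POSIX sh with head, od and grep, and takes the keytool binary and the cacerts path as arguments because both differ by ColdFusion configuration.

```shell
#!/bin/sh
# Added example (not Adobe's code): pre-flight checks around the keytool
# import described in the TechNote. Assumes POSIX sh with head/od/grep; the
# caller supplies the keytool binary and the cacerts path for their config.

# Print "pem", "der" or "unknown" for the certificate file in $1. keytool 1.4.2
# wants DER: a PEM file begins with the text "-----BEGIN", while a DER X.509
# certificate begins with the ASN.1 SEQUENCE tag byte 0x30.
detect_cert_format() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo pem
        return 0
    fi
    case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
        30) echo der ;;
        *)  echo unknown ;;
    esac
}

# Import a DER certificate into an explicitly named truststore, then list it
# back to confirm. -keystore is always passed: without it keytool writes to
# ~/.keystore and the ColdFusion JRE never sees the certificate.
# KEYTOOL_DRY_RUN=1 prints the import command instead of running it.
import_cert() {
    keytool_bin=$1; store=$2; alias_name=$3; cert_file=$4
    fmt=$(detect_cert_format "$cert_file")
    if [ "$fmt" != der ]; then
        echo "refusing to import $cert_file: format is $fmt, keytool needs DER" >&2
        return 1
    fi
    set -- "$keytool_bin" -import -v -trustcacerts -alias "$alias_name" \
        -file "$cert_file" -keystore "$store" -storepass changeit
    if [ "${KEYTOOL_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
        return 0
    fi
    "$@" && "$keytool_bin" -list -v -keystore "$store" \
        -alias "$alias_name" -storepass changeit
}

# Demo on constructed stand-in files (not real certificates): a PEM header
# and a DER-style SEQUENCE prefix. Dry run, so no keytool is needed here.
tmpdir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n' > "$tmpdir/pem.cer"
printf '\060\202\003\012' > "$tmpdir/der.cer"
KEYTOOL_DRY_RUN=1 import_cert keytool "$tmpdir/cacerts" someServer-cert "$tmpdir/der.cer"
KEYTOOL_DRY_RUN=1 import_cert keytool "$tmpdir/cacerts" someServer-cert "$tmpdir/pem.cer" || echo "PEM rejected"
```

Convert a PEM file with openssl x509 -inform PEM -outform DER before importing, or use the 1.6.0 keytool, which accepts both encodings.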