How to import certificates into certificate stores (ColdFusion)

For secure connections to remote servers over SSL, all current versions of ColdFusion require the remote
system's SSL certificate to exist in ColdFusion's certificate truststore. This includes any calls from
<cfdocument>, <cfhttp>, <cfldap>, etc. The default truststore is the JRE's cacerts file. This file is typically
located in the following places:

Server Configuration:
cf_root/runtime/jre/lib/security/cacerts

Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/lib/security/cacerts

Sun JDK installation:
jdk_root/jre/lib/security/cacerts

Consult the documentation for other J2EE application servers and JVMs.

Use the Java keytool (or a GUI wrapper) to import the remote server's SSL certificate into ColdFusion's
truststore. The keytool is part of the Java SDK and can be found in the following places:

Server Configuration:
cf_root/runtime/bin/keytool

Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/bin/keytool

Sun JDK installation:
jdk_root/bin/keytool

Consult the documentation for other J2EE application servers and JVMs.

The Java 1.4.2 keytool has the following syntax for an import:
-import [-v] [-noprompt] [-trustcacerts] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore
<keystore>] [-storepass <storepass>] [-storetype <storetype>] [-provider <provider_class_name>]
The Java 1.6.0 keytool has the following syntax for an import:
-importcert [-v] [-noprompt] [-trustcacerts] [-protected] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>]
[-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-providername <name>] [-providerclass <provider_class_name> [-providerarg <arg>]] [-providerpath <pathlist>]
The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.
To import a remote server's certificate from a certificate file into the JRE's truststore, type the following into
a command prompt:
keytool -import -v -alias someServer-cert -file someServerCertFile.cer -keystore cacerts -storepass changeit
The default password for the cacerts truststore is "changeit". You can confirm the import by using the
following single command:
keytool -list -v -keystore cacerts -alias someServer-cert -storepass changeit
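As an added example (not part of the TechNote), a small Python pre-flight check for the DER requirement above: it converts a PEM-wrapped certificate to DER, verifies the outer X.509 structure before keytool is invoked, and assembles the import command with the truststore named explicitly. The certificate bytes are a constructed placeholder with the right outer shape, and the alias and file names are the page's own placeholders.

```python
import base64
import re
import shlex

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate file: the outer DER shape of an X.509
# certificate with dummy contents (not a real certificate, not from the TechNote).
SAMPLE_DER = bytes([0x30, 0x0B,
                    0x30, 0x02, 0x05, 0x00,   # tbsCertificate placeholder
                    0x30, 0x02, 0x05, 0x00,   # signatureAlgorithm placeholder
                    0x03, 0x01, 0x00])        # signatureValue placeholder
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")


def to_der(data: bytes) -> bytes:
    """PEM input is base64-decoded to DER; anything else is returned unchanged."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def is_der_x509(data: bytes) -> bool:
    """True only for one DER SEQUENCE holding exactly tbsCertificate (SEQUENCE),
    signatureAlgorithm (SEQUENCE) and signatureValue (BIT STRING), with no trailing bytes."""
    try:
        tag, pos, end = _tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return False
        tags = []
        while pos < end:
            t, _, pos = _tlv(data, pos)
            tags.append(t)
        return pos == end and tags == [0x30, 0x30, 0x03]
    except IndexError:                # truncated or empty input
        return False


def keytool_import_cmd(alias: str, cert_file: str, keystore: str) -> str:
    """Build the TechNote's import command with the truststore named explicitly;
    -storepass is left out so keytool prompts for it instead of exposing it in shell history."""
    return " ".join(shlex.quote(a) for a in ["keytool", "-import", "-v", "-trustcacerts",
                                             "-alias", alias, "-file", cert_file, "-keystore", keystore])
```

Run `to_der` on the downloaded file, write the result to the `.cer` file, and only hand it to keytool once `is_der_x509` accepts it; the `-keystore` path should point at the cacerts location listed for your configuration.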
Note: If you are using JRun as the underlying J2EE server (either the Server Configuration or the
Multiserver/J2EE with JRun Configuration) and have enabled SSL for the internal JRun Web server (JWS), you
will need to import the certificate to the truststore defined in the jrun.xml file for the Secure JWS rather than
the JRE key store. By default, the file is called "trustStore" and is typically located under jrun_root/lib for the
Multiserver/J2EE with JRun configuration or cf_root/runtime/lib for the ColdFusion Server configuration. You
use the same Java keytool to manage the trustStore.
Additional Information

ColdFusion MX: Configuring Secure SSL Connection with LDAP Directory Server (TechNote tn_19139)

ColdFusion: Maximum SSL encryption levels by version (TechNote tn_18898)

Importing RSA 2048- and 4096-bit certificates into cacerts (TechNote a0244636)

Java Security Tools:
o http://java.sun.com/j2se/1.4.2/docs/tooldocs/tools.html#security
o http://java.sun.com/javase/6/docs/technotes/guides/security/SecurityToolsSummary.html

Doc ID: kb400977
Last updated: 2008-07-25