Import certificates | Certificate stores | ColdFusion

For secure connections to remote servers over SSL, all current versions of ColdFusion require the remote system's SSL certificate to exist in ColdFusion's certificate truststore. This includes any calls from <cfdocument>, <cfhttp>, <cfldap>, etc. The default truststore is the JRE's cacerts file. This file is typically located in the following places:

• Server Configuration:
  
  cf_root/runtime/jre/lib/security/cacerts
• Multiserver/J2EE on JRun 4 Configuration:
  
  jrun_root/jre/lib/security/cacerts
• Sun JDK installation:
  
  jdk_root/jre/lib/security/cacerts
• Consult documentation for other J2EE application servers and JVMs

Use the Java keytool (or a GUI wrapper) to import the remote server's SSL certificate into ColdFusion's truststore. The keytool is part of the Java SDK and can be found in the following places:

• Server Configuration:
  
  cf_root/runtime/bin/keytool
• Multiserver/J2EE on JRun 4 Configuration:
  
  jrun_root/jre/bin/keytool
• Sun JDK installation:
  
  jdk_root/bin/keytool
• Consult documentation for other J2EE application servers and JVMs

The Java 1.4.2 keytool has the following syntax for an import:

-import [-v] [-noprompt] [-trustcacerts] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-provider <provider_class_name>]

The Java 1.6.0 keytool has the following syntax for an import:

-importcert [-v] [-noprompt] [-trustcacerts] [-protected] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-providername <name>] [-providerclass <provider_class_name> [-providerarg <arg>][-providerpath <pathlist>]

The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.

To import a remote server's certificate from a certificate file into the JRE's truststore, type the following into a command prompt:

keytool -import -v -alias someServer-cert -file someServerCertFile.cer -keystore JAVA_HOME\jre\lib\security\cacerts -storepass changeit

Example :

C:\JRun4\jre\bin>keytool -importcert -v -alias wa-cert -file C:\temp\test.cer -keystore C:\JRun4\jre\lib\security\cacerts -storepass changeit

JAVA_HOME location can be copied from the jvm.config which has an argument called "java.home." The "java.home" argument accepts a value of the path to your JRE (Java Runtime Environment).

by default jvm.config can be found at, 

Coldfusion Standalone : C:\ColdFusion8\runtime\bin

The default password for the cacerts truststore is "changeit". You can confirm the import by using the following single command:

keytool -list -v -keystore JAVA_HOME\jre\lib\security\cacert -alias myServer-cert -storepass changeit

Example :

C:\JRun4\jre\bin>keytool -list -v -keystore C:\JRun4\jre\lib\security\cacerts -alias wa-cert -storepass changeit

Note: If you are using JRun as the underlying J2EE server (either the Server Configuration or the Multiserver/J2EE with JRun Configuration) and have enabled SSL for the internal JRun Web server (JWS), you will need to import the certificate to the truststore defined in the jrun.xml file for the Secure JWS rather than the JRE key store. By default, the file is called "trustStore" and is typically located under jrun_root/lib for the Multiserver/J2EE with JRun configuration or cf_root/runtime/lib for the ColdFusion Server configuration. You use the same Java keytool to manage the trustStore.

• ColdFusion MX: Configuring Secure SSL Connection with LDAP Directory Server (TechNote tn_19139)
• ColdFusion: Maximum SSL encryption levels by version (TechNote tn_18898)
• Importing RSA 2048- and 4096-bit certificates into cacerts (TechNote a0244636)
• Java Security Tools:
  • http://java.sun.com/j2se/1.4.2/docs/tooldocs/tools.html#security
  • http://java.sun.com/javase/6/docs/technotes/guides/security/SecurityToolsSummary.html