For secure connections to remote servers over SSL, all current versions of ColdFusion require the remote system's SSL certificate to exist in ColdFusion's certificate truststore. This includes any calls from <cfdocument>, <cfhttp>, <cfldap>, etc. The default truststore is the JRE's cacerts file. This file is typically located in the following places:

  • Server Configuration: cf_root/runtime/jre/lib/security/cacerts
  • Multiserver/J2EE on JRun 4 Configuration:
    jrun_root/jre/lib/security/cacerts
  • Sun JDK installation: jdk_root/jre/lib/security/cacerts
  • Consult documentation for other J2EE application servers and JVMs

Use the Java keytool (or a GUI wrapper) to import the remote server's SSL certificate into ColdFusion's truststore. The keytool is part of the Java SDK and is typically located in the following places:

  • Server Configuration:
    cf_root/runtime/bin/keytool
  • Multiserver/J2EE on JRun 4 Configuration:
    jrun_root/jre/bin/keytool
  • Sun JDK installation:
    jdk_root/bin/keytool
  • Consult documentation for other J2EE application servers and JVMs

The Java 1.4.2 keytool has the following syntax for an import:

-import [-v] [-noprompt] [-trustcacerts] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-provider <provider_class_name>]

The Java 1.6.0 keytool has the following syntax for an import:

-importcert [-v] [-noprompt] [-trustcacerts] [-protected] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-providername <name>] [-providerclass <provider_class_name> [-providerarg <arg>][-providerpath <pathlist>]

The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.

To import a remote server's certificate from a certificate file into the JRE's truststore, type the following into a command prompt:

keytool -import -v -alias someServer-cert -file someServerCertFile.cer -keystore JAVA_HOME\jre\lib\security\cacerts -storepass changeit

Example :

C:\JRun4\jre\bin>keytool -importcert -v -alias wa-cert -file C:\temp\test.cer -keystore C:\JRun4\jre\lib\security\cacerts -storepass changeit

JAVA_HOME location can be copied from the jvm.config, which has an argument called "java.home." The "java.home" argument accepts a value of the path to your JRE (Java Runtime Environment).

By default you can find jvm.config at: 

Coldfusion Standalone : C:\ColdFusion8\runtime\bin

Coldfusion Multiserver : C:\JRun4\bin

The default password for the cacerts truststore is "changeit". You can confirm the import by using the following single command:

keytool -list -v -keystore JAVA_HOME\jre\lib\security\cacert -alias myServer-cert -storepass changeit

Example :

C:\JRun4\jre\bin>keytool -list -v -keystore C:\JRun4\jre\lib\security\cacerts -alias wa-cert -storepass changeit

Note: If you are using JRun as the underlying J2EE server (either the Server Configuration or the Multiserver/J2EE with JRun Configuration) and have enabled SSL for the internal JRun Web server (JWS), you will need to import the certificate to the truststore defined in the jrun.xml file for the Secure JWS rather than the JRE key store. By default, the file is called "trustStore" and is typically located under jrun_root/lib for the Multiserver/J2EE with JRun configuration or cf_root/runtime/lib for the ColdFusion Server configuration. You use the same Java keytool to manage the trustStore.

Additional information

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy