Https, SSL Certs and Coldfusion
February 27th, 2007
So you are tasked with using SSL (in cfhttp or some other protocol). Here are the usual issues: #1 you don't have the server's certificate in ColdFusion's Java truststore, so the connection is refused as untrusted; and #2 once you do get the cert you find out it was issued in a way that ColdFusion's Java runtime rejects (the name in the cert doesn't match the DNS name you connect to, or the name in the cert is something arbitrary and you are using the IP to connect to the server).
Ok, on to the first issue. First you need to download the PEM version of the server's SSL certificate so you can convert it into a form the ColdFusion JVM can use. Here is a small shell script for doing this:
retrieve-cert.sh
#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
# 'echo |' closes stdin so s_client exits once the handshake is done.
# Without -showcerts only the server's own (leaf) certificate is printed,
# not the intermediate or root CA certs that signed it.
echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Go get the cert using the shell script. The host name and port are separate arguments (see the usage line in the script), and the script writes the PEM to standard output, so redirect it into a file:
/bin/sh retrieve-cert.sh remote.host.name 443 > infile.pem
You then have the PEM file. Convert it to DER so you can import it with keytool (keytool will also read PEM directly, so this step is optional, but outfile.crt is what the rest of this guide imports):
from the command line:
openssl x509 -inform PEM -outform DER -trustout -in infile.pem -out outfile.crt
Import the cert. This writes into the JRE's own cacerts file (the default password is changeit), so back that file up first, and keep outfile.crt around because a JRE update will replace cacerts and you will have to import again:
sudo {path to jrun root}/jre/bin/keytool -import -trustcacerts -alias YOUR_ALIAS_NAME -file {path to your new cert}/outfile.crt -keystore {path to jrun root}/jre/lib/security/cacerts -storepass changeit
The cert is now in the keystore and should be accessible, but you should find out whether it is going to work before you start debugging cfhttp. So pull the subject out of the PEM file to see which host name the cert was issued for (note -subject, not -issuer: the issuer is the CA that signed the cert, and its CN will never match your host):
openssl x509 -noout -in infile.pem -subject
The CN= part should be the host name you are using to connect to that server. (If the cert carries a subjectAltName extension, the Java hostname check compares against its dNSName entries instead of the CN; openssl x509 -noout -text -in infile.pem prints them.) If the host name in the cert is not what you are using, a workaround is to edit your hosts file: add the CN, point it at the real address, and connect using that name instead of the IP. Bear in mind this only works because you control name resolution on the ColdFusion box; it does not make the cert correct, and if the CN is a name that belongs to some other real host you have just redirected every program on that box that resolves it.
Voilà, you should be able to connect using https.
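Pulling the whole procedure above together, here is an added example script of mine, not the original post's retrieve-cert.sh. It fetches the full chain with -showcerts instead of just the leaf, splits the output into one file per certificate, prints the subject and subjectAltName that the hostname check will be compared against, and imports only the issuing CA certificates into the truststore rather than the server's own cert, so the import survives a certificate renewal. The truststore path, alias prefix and host names in it are placeholders I chose, and the s_client output embedded in it is a constructed, abbreviated sample used for the offline demo.

```shell
#!/bin/sh
# retrieve-chain.sh: added example, not the original post's script.
# Fetches the server's full certificate chain (leaf + issuers) with
# openssl s_client -showcerts, splits it into one PEM file per certificate,
# prints what a hostname check looks at (subject CN and subjectAltName),
# and imports only the issuing CA certificates into the Java truststore.
# Assumptions: CACERTS is a placeholder path; the sample s_client output
# below is constructed and abbreviated, with FAKE... in place of base64.

CACERTS="${CACERTS:-/path/to/jrun/jre/lib/security/cacerts}"   # assumed path
STOREPASS="${STOREPASS:-changeit}"                               # Java default
KEYTOOL="${KEYTOOL:-keytool}"

# fetch_chain HOST PORT: print every PEM certificate the server sends.
# 'echo |' closes stdin so s_client exits after the handshake; -servername
# sends SNI so a virtual host returns its own certificate, not the default.
fetch_chain() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null
}

# split_certs DIR: read s_client output on stdin, write DIR/cert-N.pem for the
# N-th certificate (1 = leaf, 2.. = issuers), and print N on stdout.
split_certs() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem" }
        out != ""             { print > out }
        /-END CERTIFICATE-/   { close(out); out = "" }
        END                   { print n + 0 }
    '
}

# inspect_cert FILE: subject (not issuer), issuer, expiry and SAN entries.
# Java's hostname checker uses the SAN dNSNames first and falls back to the
# subject CN only when the cert has no SAN.
inspect_cert() {
    openssl x509 -noout -subject -issuer -enddate -in "$1"
    openssl x509 -noout -text -in "$1" |
        awk '/Subject Alternative Name/ { getline; print "    SAN:" $0 }'
}

# import_issuers DIR COUNT ALIAS: import cert-2 .. cert-COUNT (the CA chain).
# Importing the leaf pins one certificate that stops working when the server
# renews it; trusting its issuer keeps working across renewals.
import_issuers() {
    i=2
    while [ "$i" -le "$2" ]; do
        "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$3-$i" \
            -file "$1/cert-$i.pem" -keystore "$CACERTS" -storepass "$STOREPASS"
        i=$((i + 1))
    done
}

# Constructed sample of 'openssl s_client -showcerts' output (abbreviated).
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
FAKELEAF
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
FAKEINTERMEDIATE
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.com
issuer=CN = Example Intermediate CA
---'

if [ -n "${REMHOST:-}" ]; then
    # Live run: REMHOST=gateway.example.com REMPORT=443 sh retrieve-chain.sh
    dir="chain-$REMHOST"
    n=$(fetch_chain "$REMHOST" "${REMPORT:-443}" | split_certs "$dir")
    echo "received $n certificate(s); cert-1.pem is the server certificate"
    for f in "$dir"/cert-*.pem; do echo "== $f"; inspect_cert "$f"; done
    if [ "${IMPORT:-no}" = "yes" ]; then
        import_issuers "$dir" "$n" "$REMHOST"
    fi
else
    # Offline demo on the constructed sample: reports 2 certificate files.
    demo=$(mktemp -d)
    n=$(printf '%s\n' "$SAMPLE_SHOWCERTS" | split_certs "$demo")
    echo "constructed sample split into $n certificate file(s) under $demo"
fi
```

Run it as REMHOST=gateway.example.com REMPORT=443 sh retrieve-chain.sh to see what a live server actually sends and which names are in its cert, and add IMPORT=yes once you are happy with cert-2.pem and up. Trusting the issuer rather than the leaf is also what the chained-certificate problem in the comments below comes down to: if only the server's own cert is in cacerts, the handshake breaks again the day that cert is renewed.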
References used in making this guide: http://www.madboa.com/geek/openssl/
November 14th, 2007 at 11:59 AM
Thanks mate.
February 14th, 2008 at 08:14 PM
Thank you! You saved me at least a couple hours of research.
April 13th, 2009 at 11:54 PM
Thanks a lot for this. I think an extra command got cut off in the retrieve-cert.sh file. It only shows the following:
echo |\ openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
It looks you are piping to another command, but that the next command is missing. I am guessing you meant to pipe the output into infile.pem, possibly with some editing/parsing.
Much thanks for this. Very helpful.
April 15th, 2009 at 11:33 AM
Sorry about that, dug up the file and pasted the rest of the file, it just echoed the cert for you so you can do whatever you want with it. It's complete now.
August 11th, 2009 at 09:58 AM
For those folks who are using FedEx webservices API and are having certificate issues, this is the solution.
Fedex moved to a chained SSL certificate as of August 1, 2009. Cfhttp connections to the FedEx gateway without an updated cacerts file will fail with an error of: “i/o exception: peer not authenticated”. An implementation note that worked for me was to keep the gateway and intermediate certificates (received from FedEx) separate. Some resources recommended combining these files.
Many thanks for this posting.