CFHTTPS and untrusted SSL certificates

August 25, 2010

This morning I was trying to connect to a web service over HTTPS, and I received an exception from ColdFusion with the message “javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated”. After a bit of Googling, I found this excellent blog post by Mark Kruger, but it’s from 2005 and a few things have changed, so I thought I’d write a follow-up/update.
This error is generated because CF is trying to connect to a server over HTTPS, but the JRE powering your ColdFusion install doesn’t trust the SSL certificate that server is presenting: neither the certificate itself nor the CA that issued it is in the JRE’s trust store (typical for self-signed certificates, certificates from an internal CA, or a server that doesn’t send its intermediate certificate). The solution is to tell Java that the certificate is acceptable by adding it to the JRE’s trust store.

Step 1. Download the SSL Certificate manually
To do this, bring up the URL in Firefox (making sure you’re using https). Go to Tools > Page Info, and select Security. Click View Certificate, select the Details tab, then click the Export button and save the certificate to your hard drive. Make a note of the fingerprint shown on the Details tab; you’ll compare it with what keytool reports after the import. If the certificate was issued by a private CA rather than being self-signed, consider exporting the issuing CA’s certificate (the entry above the server’s in the certificate hierarchy on that tab) instead: trusting the CA keeps working after the server certificate is renewed, whereas a trusted server certificate has to be re-imported every time it changes.


Step 2. Locate your JRE
Now that you have the certificate on your machine, you essentially need to show it to the JRE and tell it “I can vouch for this one”. Before doing that, you’ll need to find your JRE. This varies with your CF version and edition, so log into the CF Administrator and go to Server Settings > Settings Summary. You’ll find the JRE location under “Java Home”. I changed the JRE I was using, so my Java Home value is C:\Program Files\Java\jre1.6.0_13. Make sure you work with the JRE ColdFusion actually runs on: a machine can easily have several JREs installed, and importing the certificate into the wrong one changes nothing.


Step 3. Check your currently accepted certificate sources
To store these trusted certificate sources, the JRE uses a file called a keystore, and to interact with the keystore you use the keytool utility. Open a command prompt and navigate to the bin directory under the Java Home value you found in the last step. This is where my experience differed from Mark’s: I’m currently on ColdFusion 8, and while Mark’s keytool.exe was in %JAVAHOME%\lib, mine was in %JAVAHOME%\bin. You can look in your JRE’s bin and lib folders in Windows Explorer to see which one contains keytool.exe.

Once in this directory, run keytool -list to see the certificate sources that are currently trusted. You don’t have to do this, but it tells you how many entries your keystore currently has, and knowing that number makes it easy to verify that your certificate was imported.

C:\Windows\System32\>cd C:\Program Files\Java\jre1.6.0_13\bin

C:\Program Files\Java\jre1.6.0_13\bin>keytool -list -storepass changeit -keystore ../lib/security/cacerts

To break this down: keytool (run keytool.exe) -list (list the certificates in the keystore) -storepass changeit (the keystore password; changeit is the well-known default that ships with every JRE’s cacerts file, and it only lets keytool detect tampering, so anyone who can write to the file can add a trusted certificate regardless) -keystore ../lib/security/cacerts (the path of the keystore, relative to the bin directory, i.e. C:\Program Files\Java\jre1.6.0_13\lib\security\cacerts).

This is roughly what will be returned:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 44 entries

digicert, Aug 25, 2010, trustedCertEntry,
Certificate fingerprint (MD5): C9:A5:6B:6E:E7:F4:BA:56:62:03:21:E1:EB:DE:8F:85
entrustclientca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4
verisignclass3g2ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
thawtepersonalbasicca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
globalsignca, Aug 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): AB:BF:EA:E3:6B:29:A6:CC:A6:78:35:99:EF:AD:2B:80
addtrustclass1ca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
verisignclass2g3ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
thawtepersonalpremiumca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
addtrustexternalca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
valicertclass2ca, Jan 20, 2005, trustedCertEntry,
Certificate fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
entrustsslca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
equifaxsecureebusinessca2, Jul 18, 2003, trustedCertEntry,
Certificate fingerprint (MD5): AA:BF:BF:64:97:DA:98:1D:6F:C6:08:3A:95:70:33:CA
equifaxsecureebusinessca1, Jul 18, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
thawtepremiumserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
verisignclass2g2ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
addtrustqualifiedca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
entrustglobalclientca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 9A:77:19:18:ED:96:CF:DF:1B:B7:0E:F5:8D:B9:88:2E
utnuserfirsthardwareca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
starfieldclass2ca, Jan 20, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
verisignclass1g3ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
thawteserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
verisignclass3ca, Oct 27, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
entrustgsslca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 9D:66:6A:CC:FF:D5:F5:43:B4:BF:8C:16:D1:2B:A8:99
globalsignr2ca, Aug 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
geotrustglobalca, Jul 18, 2003, trustedCertEntry,
Certificate fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
verisignclass1g2ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83
utnuserfirstclientauthemailca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
comodoaaaca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
baltimorecybertrustca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
equifaxsecureca, Jul 18, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
verisignclass2ca, Oct 27, 2003, trustedCertEntry,
Certificate fingerprint (MD5): B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
verisignserverca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
entrust2048ca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): BA:21:EA:20:D6:DD:DB:8F:C1:57:8B:40:AD:A1:FC:FC
utndatacorpsgcca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): B3:A5:3E:77:21:6D:AC:4A:C0:C9:FB:D5:41:3D:CA:06
soneraclass2ca, Mar 28, 2006, trustedCertEntry,
Certificate fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
utnuserfirstobjectca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
verisignclass1ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 97:60:E8:57:5F:D3:50:47:E5:43:0C:94:36:8A:B0:62
gtecybertrustglobalca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
baltimorecodesigningca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
soneraclass1ca, Mar 28, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 33:B7:84:F5:5F:27:D7:68:27:DE:14:DE:12:2A:ED:6F
thawtepersonalfreemailca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
gtecybertrust5ca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass3g3ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
godaddyclass2ca, Jan 20, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
equifaxsecureglobalebusinessca1, Jul 18, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC

Step 4. Import the new certificate
In the last step, we saw that there were 44 entries in my keystore. Now we’ll add the new certificate.

C:\Program Files\Java\jre1.6.0_13\bin>keytool -import -keystore ../lib/security/cacerts -alias DigiCert -storepass changeit -noprompt -trustcacerts -file g:\mynewcert.crt

This is similar to the command that listed the keystore. The difference is that instead of -list we’re using -import, and we’ve added -alias DigiCert (telling keytool what to name the entry; aliases are case-insensitive and stored in lowercase, so it will show up as digicert in the listing), -noprompt (telling keytool not to display the certificate and ask for confirmation before adding it), -trustcacerts (telling keytool it may use the CA certificates already in cacerts when checking the chain of the certificate being imported) and -file g:\mynewcert.crt (telling keytool where the new certificate is). Because -noprompt suppresses the one point where keytool would show you the certificate and its fingerprint, run keytool -printcert -file g:\mynewcert.crt first and compare its fingerprint with the one Firefox showed you: whatever you import here becomes a trust anchor for every HTTPS connection this JRE makes.


Step 5. Verify the import
After running the last command you’ll get a response saying “Certificate was added to keystore”, so this is probably unnecessary, but in the interest of thoroughness I like to run the command from Step 3 to make sure the number of entries in my keystore has gone up by one and that the new alias appears with the fingerprint I expect.

C:\Program Files\Java\jre1.6.0_13\bin>keytool -list -storepass changeit -noprompt -keystore ../lib/security/cacerts

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 45 entries

I’ve truncated the response, but as you can see my keystore now contains 45 entries.

The final step is to restart each instance of CF that needs to access the web service, because a running JVM won’t pick up the changed keystore. Bear in mind that this change lives inside the JRE’s own directory: if you upgrade or reinstall the JRE, the new cacerts file won’t contain your certificate and you’ll have to import it again.
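As an added example (not part of the original post, and not ColdFusion or keytool code), here is a small Python script that does the verification in Step 5 more strictly than counting entries. It computes the fingerprint of the exported certificate file directly, parses the keytool -list output from before and after the import, and confirms that the new alias appears with exactly that fingerprint, so the trust anchor you added is the file you looked at in the browser and not something else. It also accepts the SHA1 and SHA-256 fingerprints newer keytool versions print. The certificate bytes and the two listings are constructed samples; the alias DigiCert and its lowercase form digicert follow the post.

```python
import base64
import hashlib
import re

# Added example, not code from the original post. Verifies a keytool import
# by hashing the exported certificate file and checking the `keytool -list`
# output before and after the import. All sample data below is constructed.


def cert_fingerprint(cert_bytes: bytes, algorithm: str = "md5") -> str:
    """Colon-separated fingerprint of a certificate file (PEM or DER).

    A certificate fingerprint is just a hash over the DER encoding, which is
    what keytool prints and what Firefox shows on the Details tab, so the
    three values can be compared directly.
    """
    text = cert_bytes.strip()
    if text.startswith(b"-----BEGIN"):
        # PEM: drop the armour lines and base64-decode the body to get DER.
        body = b"".join(
            line.strip() for line in text.splitlines()
            if not line.startswith(b"-----")
        )
        cert_bytes = base64.b64decode(body)
    digest = hashlib.new(algorithm, cert_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_fingerprint(a: str, b: str) -> bool:
    """Compare fingerprints copied from different tools (case/separators vary)."""
    norm = lambda s: re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(a) == norm(b)


# One entry in `keytool -list` output: "alias, Mon D, YYYY, kind," followed
# by a "Certificate fingerprint (ALG): ..." line. Alias excludes commas and
# newlines so the header lines of the listing can never match.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), (?P<date>[^\n]+), (?P<kind>\w+),[ \t]*\n"
    r"Certificate fingerprint \((?P<alg>[^)]+)\): (?P<fp>[0-9A-F:]+)",
    re.MULTILINE,
)
COUNT_RE = re.compile(r"Your keystore contains (\d+) entr")


def parse_keytool_listing(listing: str) -> dict:
    """Parse `keytool -list` output into {"count": int, "entries": {alias: info}}."""
    m = COUNT_RE.search(listing)
    entries = {}
    for e in ENTRY_RE.finditer(listing):
        # keytool treats aliases case-insensitively and prints them lowercase.
        entries[e.group("alias").strip().lower()] = {
            "date": e.group("date"),
            "kind": e.group("kind"),
            "alg": e.group("alg").upper(),
            "fingerprint": e.group("fp"),
        }
    return {"count": int(m.group(1)) if m else 0, "entries": entries}


def check_import(before: str, after: str, alias: str, cert_bytes: bytes) -> list:
    """Return a list of problems with the import; an empty list means it looks right."""
    b, a = parse_keytool_listing(before), parse_keytool_listing(after)
    problems = []
    if a["count"] != b["count"] + 1:
        problems.append(f"entry count went {b['count']} -> {a['count']}, expected +1")
    entry = a["entries"].get(alias.lower())
    if entry is None:
        problems.append(f"alias {alias.lower()!r} not present after import")
        return problems
    if entry["kind"] != "trustedCertEntry":
        problems.append(f"{alias} is a {entry['kind']}, not a trustedCertEntry")
    # Hash the file with whatever algorithm this keytool version printed.
    expected = cert_fingerprint(cert_bytes, entry["alg"].replace("-", "").lower())
    if not same_fingerprint(entry["fingerprint"], expected):
        problems.append(f"{entry['alg']} fingerprint in keystore is {entry['fingerprint']}, "
                        f"but the exported file hashes to {expected}")
    return problems


# Constructed sample: stands in for the exported .crt file and is NOT a real
# certificate; only the hashing matters for this check.
SAMPLE_CERT_DER = bytes(range(0x30, 0x60)) * 4
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")

# Constructed listings in the shape the post shows (two entries kept).
LISTING_BEFORE = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

entrustclientca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4
verisignclass3g2ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
"""
# After `keytool -import -alias DigiCert ...`: lowercase alias, file's fingerprint.
LISTING_AFTER = LISTING_BEFORE.replace("contains 2 entries", "contains 3 entries") + (
    "digicert, Aug 25, 2010, trustedCertEntry,\n"
    f"Certificate fingerprint (MD5): {cert_fingerprint(SAMPLE_CERT_DER)}\n"
)

if __name__ == "__main__":
    print("exported file fingerprint:", cert_fingerprint(SAMPLE_CERT_PEM))
    print("problems:", check_import(LISTING_BEFORE, LISTING_AFTER, "DigiCert", SAMPLE_CERT_PEM))
```

To use it against a real import, save the two keytool -list outputs to files, read them and your exported .crt into the three arguments of check_import, and treat any non-empty result as a reason not to restart ColdFusion yet. The MD5 fingerprints shown by this JRE are fine for matching two copies of the same file, but if your keytool prints SHA1 or SHA-256 values, compare those instead.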

4 Comments
  1. August 25, 2010 7:47 pm

    There’s also a great CF Admin “plugin” that displays and allows additions to the keystore:

    http://certman.riaforge.org/

  2. Nando permalink
    November 16, 2010 9:01 am

    Thanks very much for this post. I’ve been through a very difficult few days trying to get this to work on my Mac development server, without any luck at all. Finally, I decided to try to install a certificate on the Linux production server where it was actually needed, and it worked simply and easily as described. Main problem solved, but it disturbs me somewhat that I can no longer test this application on my Mac. I suspect it may be down to the JRE – on the Mac the system JRE is referenced rather than CF installing its own copy. It may also be that there is a certificate that should be removed. I’ve seen hints that it may be either in the hundreds of posts I’ve read over the last few days.

    Unfortunately, I also can’t get certman to work on the Mac under CF9. It’s throwing an error on line 125 of KeyStoreManager.cfc when I try and delete a cert.

    Object instantiation exception.

    An exception occurred while instantiating a Java object. The class must not be an interface or an abstract class. Error: ”.

    125 : OutputStream =CreateObject(“java”,”java.io.FileOutputStream”).init(Variables.KeyStorePath);

    Not sure if it will work on the CF9 production server yet.

    • Dominic permalink
      November 16, 2010 3:30 pm

      I’ve never used certman, so I can’t be much help, but have you tried dumping out the variables.keystorepath variable and making sure the file is wherever that is pointing?

  3. Miguel permalink
    January 24, 2013 12:58 am

    I had very hard days trying to resolve this issue, thanks for the post, the solution was very useful. From Perú.
