Using Keytool to Import SSL Certificates into Sun JDK

Viewing By Entry

Using Keytool to Import SSL Certificates into Sun JDK

I've recently seen a little discussion on CFTalk about importing SSL certificates into the JVM keystore used by the JVM under ColdFusion MX in order to connect to SSL enabled resources, such as LDAP servers or Web Servers while using either the tags CFLDAP, CFHTTP, or CFINVOKE. I've also found myself having to do this for the first time recently. During that process I stumbled on what turned out to be a bug in the JVM 1.4.2-b28 that ships with ColdFusion MX 6.1 by default.

I saved the SSL certificate to my ColdFusion directory runtime/jre/lib/security, as shown in this image. When using that JVM's keytool utility, described here in the Sun documentation, to import the certificate, I received an error indicating that the certificate which I exported from the SSL website was not valid, and I knew that was incorrect as someone else had just imported the same certificate their machine.

C:\CFusionMX\runtime\jre\lib\security>..\..\bin\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias mycert -file mycert.cer
keytool error: java.lang.Exception: Input not an X.509 certificate

(view image)

I learned that this was a known issue in some early 1.4.2 Sun JVMs, so I downloaded the most recent JVM from Sun, v. 1.4.2_05. I then configured ColdFusion MX to run on this new JVM, and tried again. This time the keytool imported the certificate without complaint, and the command keytool -storepass changeit -list -keystore cacerts confirmed the alias for my certificate. CFHTTP calls to the particular SSL enabled website now worked successfully.

Note that the cacerts keystore that comes with ColdFusion already contains about 128 certificates types from well known certificate authorities, so if you wanted to consume the page https://login.yahoo.com with CFHTTP it would work out of the box without having to import any extra certificate. You should only need to import a site's SSL certificate if the site does not use one of the certs already in the cacerts file in CFMX.

The Sun 1.4.2_05 JDK comes with a cacerts keystore that has about 25 cert types built in, so you'd probably want to swap that cacerts file with the one found under ColdFusion's root directory. If you choose to not run ColdFusion MX on the newer JVM, you could copy CFMX's cacerts file to the newer JVM's jre/lib/security directory to overwrite the existing one, then complete the steps to import the SSL certificate into the that cacerts keystore file, and then copy that cacerts file back under ColdFusion's runtime/jre/lib/security directory. Restart ColdFusion and the imported certificate will be ready for use.

A good litmus test is that if your CFHTTP call to an SSL site fails with the following error (cfdump of cfhttp variable), then you should import that certificate into the keystore file cacerts:

ErrorDetail I/O Exception: peer not authenticated
Filecontent Connection Failure
Mimetype Unable to determine MIME type of file.
Statuscode Connection Failure. Status code unavailable.<

For convenience, I wrote a set of batch files to be used on Windows when working with the keytool utility. They save a fair bit of typing. One batch file for example requires that you set 4 parameters for the JAVA_HOME, cert name & cert alias, and the keytool password. You can download the collection of bat files to customize yourself here.

An example of the import batch file is shown here:

@echo off
echo
echo This will import an X.509 SSL certificate into the keystore for the JVM
specified
echo
echo Press Control+C to abort.
pause
SETLOCAL

rem -------------------------------------------------
rem 1) SET COLDFUSION JVM'S JAVA_HOME HERE
rem THIS SHOULD BE THE JVM USED FOR COLDFUSION MX
rem -------------------------------------------------
set JAVA_HOME=C:\j2sdk1.4.2_05

rem -------------------------------------------------
rem 2) SET THE CERTIFICATE NAME AND ALIAS HERE
rem -------------------------------------------------
set CERT_NAME=mycert.cer
set CERT_ALIAS=mycert

rem -------------------------------------------------
rem 3) SET THE KEYTOOL PASSWORD HERE
rem -------------------------------------------------
set KEYTOOL_PASS=changeit

rem -------------------------------------------------
rem DO NOT EDIT BELOW THIS LINE
rem -------------------------------------------------
set JAVA_SECURITY=%JAVA_HOME%\jre\lib\security
set CERT=%JAVA_SECURITY%\%CERT_NAME%
%JAVA_HOME%\jre\bin\keytool -import -trustcacerts -keystore %JAVA_SECURITY%\cacerts
-storepass %KEYTOOL_PASS% -noprompt -alias %CERT_ALIAS% -file %CERT%
ENDLOCAL
pause

Exporting the SSL certificate (on Windows)

Browse to the SSL website
Double click the Lock icon in the status bar
Click the Details Tab
Click the button Copy to File...
Click Next in the Export Wizard
Choose the first option (default) for DER encoded
Click Next
Browse to C:\
Type any filename for certificate such as mycert.cer
Click Next, Click Finish

Using the keytool to import a certificate
There is a Sun SDK bug in early version of 1.4.2 JVM where the keytool doesn't work. You must download a recent JDK such as JDK 1.4.2_05 from java.sun.com.

Install the SDK, for example to C:\j2sdk1.4.2_05
Move the mycert.cer file from C:\ to C:\j2sdk1.4.2_05\jre\lib\security\
Rename C:\j2sdk1.4.2_05\jre\lib\security\cacerts to C:\j2sdk1.4.2_05\jre\lib\security\cacerts_orig
Copy C:\CFusionMX\runtime\jre\lib\security\cacerts to C:\j2sdk1.4.2_05\jre\lib\security\cacerts
Unzip the zipped bat files anywhere on the system
Edit each of the *.bat files that were unpacked
Change bat file JAVA_HOME as needed
Change certificate name and certificate alias
Save bat files
Double click the import bat file to import the certificate into the keystore
Double click the list bat file and read the output file to confirm that the certificate was imported
Copy C:\j2sdk1.4.2_05\jre\lib\security\cacerts to C:\CFusionMX\runtime\jre\lib\security\cacerts
Restart ColdFusion Server

Other resources for using the keytool include:

Updated May 2, 2007: Adding examples for use with *nix:

List All (listkeys.sh)

#!/bin/sh
JAVA_HOME=/opt/AppServer/java
JAVA_SECURITY=$JAVA_HOME/jre/lib/security
$JAVA_HOME/jre/bin/keytool -storepass changeit -list -keystore $JAVA_SECURITY/cacerts > keytool_list_result.txt
cat keytool_list_result.txt

Import my certificate bogart9.cer then list to confirm (importkeys.sh)

#!/bin/sh
MYCERT_NAME=bogart9.cer #should be in jre/lib/security
MYCERT_ALIAS=bogart9
JAVA_HOME=/opt/AppServer/java
JAVA_SECURITY=$JAVA_HOME/jre/lib/security
CERT=$JAVA_SECURITY/$MYCERT_NAME
$JAVA_HOME/jre/bin/keytool -import -trustcacerts -keystore $JAVA_SECURITY/cacerts -storepass changeit -noprompt -alias $MYCERT_ALIAS -file $CERT
echo Keytool has imported $MYCERT_ALIAS into $JAVA_SECURITY/cacerts
./listkeys.sh | grep $MYCERT_ALIAS

posted on 1 July, 2004 at 11:10 AM.
ColdFusion | Comments (30)

Comments

What if my certificate alias does not match the machine name its installed on? I could use the same certificate for all my CFMX servers but only one would match correctly, how can I use the same cert on another box and still get cfhttp to work? It fails due to the certificate mismatch. The browser reports the name on the security certificate is invailid or does not match the site name. How can I over come this and use cfhttp

comment by Geoffrey Barth, posted at 10/25/04 1:31 PM

I don't believe keytool certificate aliases have anything to with the machine name. They are just an alias for the certificate you're trying to import.

See: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Regarding CFHTTP, the certificate you're importing isn't really tied to the webserver that is connected to ColdFusion. The certificate you're importing is the certificate of the target SSL enabled website that you're making a request to with the CFHTTP tag. If that target SSL website happens to be on the same machine, then still you would just treat it as though it were remote.

Also, if the CF doesn't have a valid certificate for the target SSL site, then you'll get a I/O Peer Not Authenticated error. I don't know about any problems with a certificate mismatch error.

comment by Steven Erat, posted at 10/25/04 2:02 PM

I'm currently trying to get CFHTTP to work with a gateway called JetPay and am having the same kinds of problems connecting. I'm getting the "I/O Exception: peer not authenticated" error message when I try to connect to https://gateway1.jetpay.com. I am using ColdFusion MX 6.1 Enterprise with the latest JRE from Sun 1.4.2. Should I follow the instructions above or is there some other documentation somewhere else?

Thanks.

comment by Dave Cordes, posted at 11/9/04 4:35 PM

Hi Dave,

I'd have to take the error message at face value... "peer not authenticated". This indicats a security problem probably due to not having the remote target website's certificate already in the ColdFusion cacerts certificate store.

Try saving the JetPay certificate by clicking the lock icon on their website, and use that along with my instructions to import the cert.

Then try again.

-Steve

comment by Steven Erat, posted at 11/12/04 4:01 PM

Steven - Thanks for publishing this. You saved me some work! I just wish that the CF administrator interface had a way to import a cert. Wouldn't that be nice?

comment by Doug Hughes, posted at 2/17/05 6:12 PM

Glad to help, Doug. I suppose it shouldn't be all that hard to build a nice little cfm interface to automate this using cfexecute.

comment by Steven Erat, posted at 2/17/05 6:25 PM

I installed the latest jvm from sun 1.4.2_07 and pointed CFMX to it with the administrator. When I tried to restart CFMX it would not start. I had to find and then edit the config file to get CFMX service to start.
We started this due to problems getting a cert installed.

please advise!!!

comment by Geoff Caras, posted at 2/24/05 11:57 AM

Hi:

This was a very informative BLOG, thanks.

I was wondering if you know of a workaround for CFHTTP when posting to https:// where the certificate name on the SSL does not match the host name.

When attempting this, I receive an Error Detail of I/O Exception: Name in certificate `www.domainname.com' does not match host name `xx.xx.xx.xx'

The cert in question is in my keystore.

I am running MX7 on Win XP Pro.

Any guidance is appreciated.

Sincerely,
Paul Bradley

comment by Paul Bradley, posted at 5/19/05 6:20 PM

Off the top of my head I don't know a solution other than recreating the certificate so that it matches the domain for which it is used.

It seems to me that the purpose of the certificate is to validate that www.company.com is really company.com and not cracker.com for example. Although if the certificate is for foo.company.com and you're having a problem with bar.company.com, then you'd probably want to consult with the Certificate Authority on the best way to generate a certificate for the domain level company.com so it will match each of the PTR records for that domain.

comment by Steven Erat, posted at 5/19/05 7:40 PM

I am still getting the following error even once I have imported the client certificate, any ideas?

CF is using its default JVM and if I run this command it appears in the trusted cert list:

keytool -list -keystore ../lib/security/cacerts

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
   at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:2949)
   at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2767)
   at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:2559)
   at HTTPClient.HTTPConnection.Get(HTTPConnection.java:916)

comment by Adam Reid, posted at 7/4/05 7:48 AM

Fixed now. I had a dodgy certificate.

Installed a good one and it worked first time.

Cheers, Adam

comment by Adam Reid, posted at 7/4/05 9:59 AM

#cfhttp.fileContent#

getting connection failure. could you please help??

comment by suresh rajasekaran, posted at 1/4/06 2:15 PM

cfhttp url="https://205.158.171.208/misc/vingt.cfm" username="test" password="test" method="post"
port="413" proxyserver="205.158.171.208" proxyport="443" proxypassword="1ishwar1"

comment by suresh rajasekaran, posted at 1/4/06 2:16 PM

Hi Suresh:

I noticed that the SSL cert on the address you are trying to access, https://205.158.171.208/misc/vingt.cfm, is not a 100% valid certificate.

I have had problems trying to access a secure site via CFHTTP if the SSL cert does not match 100% I never did find a solution.

Try accessing a non-secure URL on the same IP via CFHTTP. If you can access the non-secure URL but not the secure URL this may be a root cause.

Also, verify your CFHTTP parameters. Try the URL using http: and PORT=443. Maybe that is part of the problem.

comment by Paul, posted at 1/4/06 2:59 PM

Jacob Reider has information for those still having trouble with CFHTTP and importing and using SSL certs:

" But I figured out the solution! Since I know that the certificate is called "pbx" and I now have it installed on the application server (which in this case is the client - SwitchVox is the server) .. still follow? .. I make an entry in the "hosts" file of the application server called pbx and point it to the IP address of SwitchVox."

http://www.docnotes.net/002323.html

comment by Steven Erat, posted at 2/27/06 12:46 PM

I think my problem is related to all of the above. Any suggestions would be greatly appreciated!

I need to access an SLL URL thru CFHTTP for payment authorizations. I must build in a contingency to fail over to a second URL if I can't connect to the first. The URLs are similar to:
https://blah1.paymentech.net and https://blah2.paymentech.net

Connecting to blah1 is fine. Connecting to blah2 gives the dreaded I/O Exception (mismatch). If I browse to blah2 in IE, I get the typical security alert so I'm fairly certain the cert name the problem in CF. I tried installing the cert thru JVM to cacert as outlined in this post. Any other suggestions? HELP!!!!

comment by Jackie, posted at 8/15/06 5:42 PM

cfhttp url="https://httpmailbox1.beta.etrac.net/submit-to-etra...
method="post"
port="xxx"
proxyserver="xxxx"
proxyport="xxx"

I am having the same problem but I am using BlueDragon and CFMX. I am trying to connect to vendor using CFHTTP to send a XML file. The vendor keeps telling me that I am faliing the SSL handshake on his side. I was told by him that I needed to purchase a certificate form a trusted third party which we did (Verisign). This certificate was installed by my server team but I am refused connection at the vendor.

Do I need to export the vendors certificate and install it on my WebLogic server using the Keytool.

comment by Mario, posted at 11/14/06 6:36 PM

It sounds as if the vendor is requiring SSLv3.

First, imagine a simple HTTPS connection between a browser and server. A user in a browser types in the URL of a website beginning with https and the brower makes the request. Lets assume that the server is using SSLv2. The request gets to the server and it replies with a message header stating it supports SSLv2 and sends its certificate. The browser receives the SSL certificate, inspects it, and negotiates the session key to be used. The handshake part of the session key negotiation is done with asymmetric cryptography, and when a session key is agreed on by the browser and the client they switch to symmetric cryptography while using the session key, because symmetric key crypto is faster than assymetric. Anyway, the SSLv2 handshake does not require that the browser send its own certificate back to the server. In SSLv2 only the server has to prove its identity to the client, the browser.

However, in SSLv3 not only does the server have to prove its identity to the client, but the client or browser also has to identify itself to to the server.and it does that by sending its own certificate. So there are two certifcates involved in SSLv3, one on the server and one on the client.

In the case of a CFHTTP connection, the client is ColdFusion and the server is the target url such as https://httpmailbox1.... So if the vendor says that you need to send a certificate then the vendor is isdirectly telling you that they support SSLv3 not SSLv2.

This conclusion is bad news unfortunately. ColdFusion MX 7 does not yet support SSLv3 for its protocol tags such as CFHTTP, CFINVOKE, CFLDAP, etc. Importing your new Verisign certificate into ColdFusion's cacerts file will do nothing for your problem. The cacerts file under ColdFusion is which Certificate Authorities ColdFusion will trust for the other end of the CFHTTP connection such as the scenario above for SSLv2. In order to support SSLv3 ColdFusion would have to perform an HTTP Request, get the HTTP Reply from the SSL website including the other end's SSL certificate, and then ColdFusion would have to send its own certificate back to the other server to say "Hey, I'm such and such ColdFusion server here, really I am". But ColdFusion does not yet do that.

You may need to seek a third party solution, perhaps a Java custom extension that did SSLv3 and HTTP for you, and you could integrate that into your ColdFusion application.

comment by Steven Erat, posted at 11/14/06 7:11 PM

This might be a stupid question, but here goes. Once a certificate is imported into the jvm's keystore. Will it also affect https webservice calls made via cfinvoke?

Or I can only use cfhttp?

comment by Luis Majano, posted at 10/2/07 3:09 AM

Luis, adding a certificate to the certificate store should permit web services to work for an SSL wsdl address, although SSLv3 that requires client certificates will not work.

See also:
http://www.talkingtree.com/blog/index.cfm/2004/11/...

comment by Steve, posted at 10/2/07 7:55 AM

OMG! The most useful post I've seen in a while. I just ran into code red, everything is broken, site is live, over $10MM in advertising, and this post saved the day.

Cheers

comment by Rob Gonda, posted at 10/29/07 6:26 PM

Awesome! Always glad to know that the gibberish on this site is sometimes useful to folks!

comment by Steven Erat, posted at 10/30/07 10:34 AM

Maybe this is not possible, but I'm calling an ASP file in CFHTTPS and I keep getting this error:

The server returned a fault:
Fault code: wsse:InvalidSecurity
Fault string: Security Data : General security error (Error during certificate path validation: timestamp check failed); nested exception is: java.security.cert.CertPathValidatorException: timestamp check failed; internal cause is: java.security.cert.CertificateExpiredException: NotAfter: Thu Jan 31 13:39:15 PST 2008

As the message indicates it seems as if the SSL cert has expired but it hasn't (it expires in 2009). Also I just registered it with the keytool utility and it still fails. I have a feeling the keytool file is getting "confused" since this SSL cert was renewed recently. (It may be still looking at the previous cert). How can I tell the system to look at the current/new cert??

TIA

comment by Jose, posted at 2/4/08 6:44 PM

Steven,

I know this thread is really old, but, thank you, thank you. I used the information here to get my CF scheduleTasks to with my SSL website... and the server administrators said it wouldn't work pppshhaa. what do they know. awesome

donrico

comment by Donrico, posted at 5/29/08 4:24 PM

Cool!

comment by Steven Erat, posted at 5/29/08 5:15 PM

Hi Steven,

My development server is running cf mx 7. I followed the instructions to import the certificate to cacerts but still getting Connection Failure error.

I have a postmessage.cfm that returns "OK" if someone HTTP Post something to it.

OK#chr(13)##chr(10)#

Here is testpostmessage.cfm to test postmessage.cfm is getting the data I post.

Here is the result
Charset     [empty string]
ErrorDetail    I/O Exception: Default SSL context init failed: null
Filecontent    Connection Failure
Header    [undefined struct element]
Mimetype    Unable to determine MIME type of file.
Responseheader
struct [empty]
Statuscode    Connection Failure. Status code unavailable.
Text    YES

I ran keytool to list all the certificates and confirmed that my certificate is in the list. CF Services are restarted. Is there anything else I can do to ensure the certificate is applied properly? Please help.

Thanks,
Stephanie

comment by Stephanie, posted at 7/21/08 7:14 PM

oops, missing testpostmessage.cfm

comment by Stephanie, posted at 7/21/08 7:16 PM

Hi Steven,

We're running MX7 on Windows XP Pro. I've upgraded the Java to 1.4.2_11 to solve the daylight saving time issue...

I have a CFDOCUMENT tag with several CFCHARTS embedded within the PDF that is being created. When we added the SSL Cert, the charts are no longer displayed. This phenomenon is described in: http://coldfused.blogspot.com/2005/11/missing-imag...
The solution seems to be to import the certificate to the trusted certficate store (runtime/lib/trustStore).
Well I successfully imported the new cert into C:\CFusionMX7\runtime\lib\trustStore and rebooted the CF App Service. On testing the page, the PDF wasn't created with the charts.
I then successfully imported the new cert into C:\CFusionMX7\runtime\jre\lib\security\cacerts and rebooted the CF App Service. That too failed to embed the charts.
I even imported the new cert into C:\CFusionMX7\runtime\j2sdk1.4.2_11\jre\lib\security\cacerts. After restarting the service, the charts still did not display.

What am I missing?

Thank you.

comment by Michael Kirshner, posted at 8/1/08 5:16 PM

What I missed was that it needs to be in the C:\CFusionMX7\runtime\jre\lib\security folder, as well as the C:\j2sdk*\jre\lib\security folder. I had it in the CF folder, but not the main JRE folder. A simple copy of the cacerts file fixed the problem.
-AH

comment by Alex, posted at 8/8/08 4:35 PM

even when a cert is imported to the keystore, it looks like coldfusion does not support the "Subject Alternative Name" extension of the cert.

i've googled and googled but there does not appear to be a clear solution (other than getting a new cert).

any ideas?

comment by Quinn, posted at 8/12/08 4:12 PM

Calendar

Search This Site

This is an exact search only

About This Site

I live west of Boston and work for Adobe with ColdFusion and Flex, and specialize in Linux. I'm also interested in travel and science, and I'm studyng photography at CDIA. Curious about my banner image?