Adding a certificate to the ColdFusion keystore

When trying to connect to an HTTPS site using the cfhttp tag, the tag may produce the error:

Unable to connect to SSL site error


To use HTTPS with the cfhttp tag, you might need to manually import the certificate of each web server into the keystore of the JRE that ColdFusion uses. This procedure is not necessary if the certificate is signed (issued) by an authority that the JSSE (Java Secure Sockets Extension) recognizes (for example, Verisign); that is, if the signing authority is already in cacerts. The procedure should only be necessary if the server URL is not covered by any certificate already in the keystore and those certificates have not expired.

However, you might need to use the procedure if you issue SSL (Secure Sockets Layer) certificates yourself. The instructions below show how to install a certificate into a ColdFusion 8 keystore on a multi-server install.

  1. Place the certificate on the ColdFusion server.
  2. Change to the directory {cf_installdirectory}/jre/lib/security
  3. Import the cert:
     keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias anyalias -file certificatefile
  4. If the import is successful, you will get a confirmation that the certificate was added to the keystore.
  5. Restart ColdFusion.

This procedure can also be helpful if scheduled tasks that connect to SSL servers are not running.
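The steps above as one script, added here as an example and not part of the original post. It wraps step 3 in a function that takes the keystore by its full path (the mistake discussed in the comments below is importing into the operating system's default JRE keystore instead of ColdFusion's), backs up cacerts first, and then lists the alias back out of the same keystore to confirm the import landed where intended. It assumes the {cf_installdirectory}/jre/lib/security/cacerts layout and the changeit store password from the post; the install directory, alias and certificate file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): import a self-issued server
# certificate into the keystore of the JRE that ColdFusion uses, by full path.
# Assumptions: the post's {cf_installdirectory}/jre/lib/security/cacerts layout,
# the default store password "changeit" from the post, and placeholder values
# for the install directory, alias and certificate file.

# Usage: cf_import_cert CF_INSTALL_DIR CERT_FILE ALIAS
cf_import_cert() {
    cf_home="$1"
    cert_file="$2"
    cert_alias="$3"
    keystore="$cf_home/jre/lib/security/cacerts"   # full path, not the OS default JRE's cacerts

    # Prefer the keytool that ships with ColdFusion's own JRE so the store format
    # matches; fall back to whatever keytool is on PATH.
    keytool_bin="$cf_home/jre/bin/keytool"
    [ -x "$keytool_bin" ] || keytool_bin=keytool

    [ -f "$cert_file" ] || { printf 'certificate file not found: %s\n' "$cert_file" >&2; return 2; }
    [ -f "$keystore" ]  || { printf 'ColdFusion keystore not found: %s\n' "$keystore" >&2; return 3; }

    # Keep a dated backup of the truststore before changing it.
    cp "$keystore" "$keystore.bak.$(date +%Y%m%d%H%M%S)" || return 4

    # Step 3 of the post, with the keystore given by full path.
    "$keytool_bin" -import -trustcacerts -noprompt \
        -keystore "$keystore" -storepass changeit \
        -alias "$cert_alias" -file "$cert_file" || return 5

    # Confirm the alias is now in *this* keystore (the listing check from the comments).
    "$keytool_bin" -list -keystore "$keystore" -storepass changeit \
        -alias "$cert_alias" >/dev/null || return 6
    printf 'imported alias %s into %s; restart ColdFusion to pick it up\n' "$cert_alias" "$keystore"
}

# Show the validity dates and fingerprints for one alias; useful after replacing
# an expired certificate to check that the renewed one, not the old one, is stored.
# Usage: cf_show_cert CF_INSTALL_DIR ALIAS
cf_show_cert() {
    cf_home="$1"
    cert_alias="$2"
    keystore="$cf_home/jre/lib/security/cacerts"
    keytool_bin="$cf_home/jre/bin/keytool"
    [ -x "$keytool_bin" ] || keytool_bin=keytool
    "$keytool_bin" -list -v -keystore "$keystore" -storepass changeit -alias "$cert_alias" \
        | grep -E 'Alias name|Valid from|SHA'
}

# Run as: sh cf-import-cert.sh /opt/coldfusion8 /path/to/server.cer myalias  (placeholder paths)
if [ "$#" -eq 3 ]; then
    cf_import_cert "$1" "$2" "$3"
fi
```

The function returns a distinct non-zero code for each failure (missing certificate file, missing keystore, backup failure, import failure, alias not found afterwards), so it can be called from a deployment script that stops on the first problem rather than silently importing into the wrong keystore.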

6 comments on “Adding a certificate to the ColdFusion keystore”

  1. I am trying to understand something… When I performed the import of the certificate recently, the admin explained that I imported the cert for Solaris. Can you elaborate on why it did not just get installed to the ColdFusion keystore automatically?

    • First, you have a very smart admin to figure that out. You imported the cert into the default Solaris Java keystore. You need to specify the full path to the ColdFusion keystore when installing the cert.

  2. We tried to reinstall the new cert for the same domain name after the certificate expired. But after everything was done, including restarting CF, it is still showing the same error message, which is a connection failure. Do you have any idea what else I missed in order to complete the installation?

    Will CF permanently cache the certificate details in memory?

    • Did you do a list on the cacerts file to find the new cert you added? You can list the contents of the cacerts file by using the command below.

      Change to the directory of the cacerts file, then type:
      keytool -list -v -keystore cacerts

      Or, if you know the alias of the cert, you can search for that cert specifically:
      keytool -list -v -keystore cacerts -alias myalias

      • Yes, I already checked that the cert was added to the cacerts file. I used Portecle to do the insert and also the listing.

        I tried to restart all my instances, but I am still getting the same error.

        Will CF have any internal cache that we need to manually flush in order to get the updated certificate?

  3. Pingback: CFHTTP calling HTTPS urls – Dorin Moise
