Export a digital certificate via the command line (macOS)

Have you ever tried to capture and/or view the certificate of a website you are connecting to with Safari?

Ever wonder how to export an SSL certificate from a site on the Safari web browser?

This task seems quite easy in Internet Explorer and Firefox. However, after many minutes of trying to figure it out, it seems that Safari doesn’t contain its own certificate repository; instead, it uses the certificate infrastructure built into Mac OS X. You can import, export, and view certificates using the Keychain Access utility.

Here’s one method for grabbing a site’s certificate yourself:

  1. Open a Terminal window.
  2. Enter the following command: openssl s_client -connect someSSLserver.com:443

Make sure to replace ‘someSSLserver.com’ with the actual host you want to connect to. The output in Terminal should contain a block of text that looks like this:

…encoded certificate data

There may be more than one of these blocks if more than one certificate is involved. Copy each block (including the BEGIN and END lines) into a file whose name ends in “.pem” (for example, “cert.pem”). Terminal has a “Save Selected Text As…” menu item which works great for this purpose.
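
The copy-and-save step above can be scripted. The following is an added example, not part of the original post: it splits every certificate block out of the s_client output into its own .pem file and skips the repeated copy of the server certificate. The function names, the certN.pem naming and the use of the -showcerts and -servername options are assumptions of this example, and the sample output is constructed.

```shell
# split_pem_chain OUTDIR: write each distinct BEGIN/END CERTIFICATE block on
# stdin to OUTDIR/certN.pem and print the count (-showcerts repeats the leaf).
split_pem_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; block = "" }
        inblock { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ {
            if (inblock && !(block in seen)) {
                seen[block] = 1
                file = dir "/cert" (++n) ".pem"
                printf "%s", block > file
                close(file)
            }
            inblock = 0
        }
        END { print n + 0 }'
}

# fetch_chain HOST [PORT] [OUTDIR]: live use; needs network and the openssl CLI.
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | split_pem_chain "${3:-.}"
}

# show_identity FILE: subject, issuer, validity and SHA-256 fingerprint, to
# compare with a value from the server's owner before the file is trusted.
show_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed sample of s_client output; the bodies are placeholders.
sample_s_client_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = someSSLserver.com
-----BEGIN CERTIFICATE-----
CONSTRUCTEDleafBODY
-----END CERTIFICATE-----
 1 s:CN = Constructed Issuing CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDissuerBODY
-----END CERTIFICATE-----
Server certificate
-----BEGIN CERTIFICATE-----
CONSTRUCTEDleafBODY
-----END CERTIFICATE-----
EOF
}
```

Against a real server, run fetch_chain with the host name, then show_identity on each saved file. A certificate fetched this way is only what the network delivered, so confirm its fingerprint through a separate channel before adding it to any trust store.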

Adding a certificate to the ColdFusion keystore

When trying to connect to an HTTPS site using the cfhttp tag, the tag may produce the error:

Unable to connect to SSL site error

To use HTTPS with the cfhttp tag, you might need to manually import the certificate for each web server into the keystore for the JRE that ColdFusion uses. This procedure may not be necessary if the certificate is signed (issued) by an authority that the JSSE (Java Secure Socket Extension) recognizes (for example, Verisign); that is, if the signing authority is already in the cacerts keystore. This procedure should only be necessary if the server URL is not in any of the certificates and they have not expired.

However, you might need to use the procedure if you are issuing SSL (Secure Sockets Layer) certificates yourself. The instructions below show how to install a certificate into the keystore of a ColdFusion 8 multi-server install.

  1. Place the certificate on the ColdFusion server.
  2. Change to the directory {cf_installdirectory}/jre/lib/security
  3. Import the cert (keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias anyalias -file certificatefile)
  4. If the import is successful, you will get a confirmation that the certificate was added to the keystore.
  5. Restart ColdFusion.

This procedure can also be helpful if scheduled tasks that connect to SSL servers are not running.