ColdFusion Muse

SSL and the trusted keystore in Java

This tip is from my old blog - but it is worth repeating. The Java runtime must trust a cert to get it to work with it properly.

These notes are the result of solving a particularly tricky problem with webservices on CF Talk. This helpful "keystore" procedure came from the diligent investigation of Mike Chambers and Trevor Baker.

There is a tricky nuance to using with SSL in CFMX. In order to make an outgoing SSL request, the requesting agent must first obtain the "public" key. This public key is available from a "trusted certificate authority". Verisign, Thawt, and equifax are 3 well-known "trusted authorities". In your browser, if the certificate is not a "trusted athority", a warning message informs you that, while the cert may be good in other ways (not expired etc.) it is not from a source you have listed as trusted. If you choose, you can simply accept the certificate anyway. Note, encryption is determined by the type and size of the key - not by whether the authority is trusted or not. All things being equal, a certificate from a non-trusted authority will result in the same level of protection as that from a trusted authority.

In CF 5 an outgoing SSL request using was successfully negotiated if the cert was found in the "root certificate store" of the server. In other words, if you had indicated the cert was trusted and allowed the key to be installed, CF 5 was able to use it. In CFMX however, the Java Run-time is unaware of the root certificate store. Instead, it has it's own cache of "trusted authorities" and it installs certs as needed based on this cache.

To discover the list of trusted authorities in your Java run time, try the following command line code:

C:\CFusionMX\runtime\jre\lib>keytool -list -storepass changeit -noprompt -keystore C:\CFusionMX\runtime\jre\lib\security\cacerts
Of course you will want to change the path to your CFMX runtime directory. When I run this command on my CFMX dev box with the standard 1.3 JRE I get the following:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 10 entries

thawtepersonalfreemailca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
thawtepersonalbasicca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
verisignclass3ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawtepersonalpremiumca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
thawteserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
verisignclass4ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
verisignclass1ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
verisignclass2ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

Obviously I trust Thawte and Versign certificates.

What happens when I need to make an SSL request to a site using a cert that is not from one of these authorities? The request will fail. For it to succeed, I must tell my JRE to "trust" the authority in question. To do that you will need to use the keytool to "import" the cert from the authority in question. For example, if you wanted to import the "instant SSL" certificate, you would need to import the 2 signing certificates they use to create their own certs. They use the following 2 certs:

GTE CyberTrust Root CA
Comodo Class 3 Security Services CA

Both of these certs are available through links at instant SSL installation support. Save each of them into a text file - cert1.crt and cert2.crt (or whatever), then use the key tool to import them into your store. Here is the command line syntax:

C:\CFusionMX\runtime\jre\lib>keytool -import -keystore c:\CFusionMx\runtime\jre\
lib\security\cacerts -alias instantssl -storepass changeit -noprompt -trustcacer
ts -file c:\temp\cert1.crt
More information regarding the "keytool" is available at Sun Keytool docs. Once this code is run, you can re-run the initial command line code and look at your entries again. You should see something like this:

instantssl, Dec 5, 2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58

Now, when your outgoing request negotiates the connection it will "trust" the public key provided to complete the SSL negotiation.

Related Blog Entries

Comments
drew's Gravatar thanks heaps, you just saved me a whole bunch of time
# Posted By drew | 3/15/06 12:36 AM
ike's Gravatar note that it's necessary to restart CF Server after registering a new certificate, and for those who may be stumped (since it's not intuitively obvious) if you don't know where to find the certificate file for a particular webservice, Internet Explorer will give it to you with export options by double-clicking the padlock icon if you have the service url open in a browser. A base-64 export worked for me. I don't know how Firefox exposes them.
# Posted By ike | 3/29/06 9:19 PM
mkruger's Gravatar Ike - thanks for the additional info. You are definitely right about "how to get the certificate". It's not something immediately apparent.
# Posted By mkruger | 3/30/06 7:21 AM
ike's Gravatar welcome... actually, I'd go so far as to say it's nearly an easter egg. :)
# Posted By ike | 3/30/06 6:34 PM
Jason Davey's Gravatar This was excellent - thank you for writing it up and for including the additional comments of which getting the certificate was particularly useful. Password error I think on this line "-storepass changit" should be "-storepass changeit"

Thanks again.
# Posted By Jason Davey | 10/15/07 1:56 PM
Jill's Gravatar If Java is installed in a separate directory than ColdFusion, be sure to install the crt in the cacert file in the Java directory.

To figure out the java directory, click on "System Information" in the coldfusion administrator and look at the entry under "Java Home"

The path to your cacert file will be:
[java home directory]\lib\security

So the command line code would be:
[java home directory]\lib>keytool -list -storepass changeit -noprompt -keystore [java home directory]\lib\security\cacerts
# Posted By Jill | 11/6/07 12:17 PM
felix tjandrawibawa's Gravatar Hi, Mark, I am banging my head on the wall on this issue and stumbled upon your blog post.

I just want to clarify your post, I have stored the certificate from a client which web service we want to invoke. Are you saying that I also need signing certificates that the client use to produce his certificate?
# Posted By felix tjandrawibawa | 6/12/08 3:49 AM
Jason D's Gravatar Felix:

Can you embellish on what your problem is? I cannot determine from what you say your particular situation, but if you have a client certificate (.cer) and you are calling their program from ColdFusion, then all you need to do is register the certificate (using keytool utility) to the keystore of the java instance that your CF server is running under. See Jill's comment for details about locating the correct jre. Once you have done that, restart your CF server and you should be able to connect.
# Posted By Jason D | 6/12/08 12:08 PM
felix tjandrawibawa's Gravatar Hi Jason,

These are the steps that I took to install the certificate:
1. Generate a CSR using openSSL tool.
2. Supply the client with this CSR, the returned us a CRT file.
3. I stored the CRT file using keytool on CF8 jre/bin
4. Restarted the CF server
5. Invoke the client web service URL, got the error: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
6. Client suggested us to store the root CRT from his site as well, so we did that too (same as step 3).
7. The error still persist..

:(
# Posted By felix tjandrawibawa | 6/12/08 8:09 PM
felix tjandrawibawa's Gravatar Hi all, I think I sort of worked out why I had the problem.
My client is requiring SSLv3 which not yet supported (it's still in CF feature wishlist):
http://labs.adobe.com/wiki/index.php/Scorpio:Custo... no 35

I think we will go with creating .NET object and invoke it via CF.
Thanks for all the help!
# Posted By felix tjandrawibawa | 6/17/08 12:25 AM
Terry's Gravatar Thanks for the great posting! I am still having issues and not sure if the port is the issue. Does port 636 need to be open on both Coldfusion and LDAP server in order to create a secure connection?
# Posted By Terry | 8/18/08 8:20 AM
John Brookes's Gravatar A couple of updates on this, just for information:

You can retrieve a certificate in Firefox by double-clicking the padlock, same as IE. Go to details and export.

And the one that got me for the last half hour...

Do not use directories with extended names - keytool doesn't like "Documents and Settings" (even with double quotes). Just stick it in c:\temp - it's much easier.

Oh yes - the keytool in CF8 is in C:\ColdFusion8\runtime\jre\bin (not jre\lib)

Thanks a lot for creating this simple guide - can't understand why Adobe (and Macromedia) make no mention of it anywhere under web services.
# Posted By John Brookes | 10/13/08 5:13 PM
Michael Yap's Gravatar Hey there I've been thru the guides and am pretty sure I did everything right but the damn thing is still returning a

This exception was caused by: javax.mail.MessagingException: Connect failed; nested exception is: javax.net.ssl.SSLException: untrusted server cert chain.

I'm basically trying to connect to Gmail using CFPOP. Now CFPOP doesn't really support SSL so I've had to change the necessary java properties to get it to connect by

<CFSET javaSystem = createObject("java", "java.lang.System") />
<CFSET prop = javaSystem.getProperties() />
<CFSET prop.setProperty("mail.pop3.socketFactory.class", "javax.net.ssl.SSLSocketFactory") />
<CFPOP name = "rsCheckNew" action = "getHeaderOnly"
server = "pop.gmail.com" port = "995" timeout = "10"
username = "username@gmail.com" password = "password">

I've also gotten the Gmail cert from the browser and executed the necessary keytool command. keytool -list -keystore c:\cfusionmx\runtime\jre\lib\security\cacerts shows

thawtepersonalfreemailca, Sat Feb 13 04:12:16 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
thawtepersonalbasicca, Sat Feb 13 04:11:01 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
verisignclass3ca, Tue Jun 30 01:05:51 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, Sat Feb 13 04:14:33 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, Sat Feb 13 04:13:21 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, Tue Jun 30 01:06:57 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
gmail, Mon Nov 03 11:38:23 SGT 2008, trustedCertEntry,
Certificate fingerprint (MD5): 63:1E:F3:56:B0:B0:F7:8D:E4:8C:8F:7D:8E:F5:68:D0
verisignclass1ca, Tue Jun 30 01:06:17 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Tue Jun 30 01:07:34 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, Sat Feb 13 04:15:26 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
verisignclass2ca, Tue Jun 30 01:06:39 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

gmail is the alias I created using the import tool. Anything else that I've missed out ? I'm going thru my keyboards real quick and I'm pretty sure my skull is cracked from all the banging on the wall.
# Posted By Michael Yap | 11/3/08 2:43 AM
mark kruger's Gravatar @Michael,

The problem is not the cert you installed. The cert is a part of a "chain" of certs from the provider with a governing heirarchy. You probably need to add an "intermediate" certificate to get it working. As it stands the cert you installed is telling the system to look further up the chain but there is no trusted cert further up the chain.

Do a google for "intermediate certificates" for more information. You can probably also examine the certs in your local repo for FF or IE and figure out which ones are google intermediates.
# Posted By mark kruger | 11/3/08 7:40 AM
Michael Yap's Gravatar Ok fixed this one:

Like Mark said, the certification chain was required; not merely the certificate. If you're using some kind of GUI tool (ie browser) you should be able to view those fairly easily. If you're not, you'll have to traverse the certificate manually from its cert structure and figure out where to download it from. I strongly recommend that you go for the first option :)

Secondly, if you're connecting to gmail like I was, exporting the cert from your browser doesn't work. You'll be getting a cert registered to www.google.com and NOT pop.gmail.com (which is what you're connecting to). Makes a world of a difference. I did an Ethereal trace before realising that. I'd imagine that you could use some kind of SSL investigator to retrieve the cert if you need to.

Thirdly, the actual keystore used is also important. The VM has its default keystore location (usually cfusionmx/runtime/jre/lib/security/cacerts) *but* if you've done any reconfiguration to your CF process and ran it under another user account or changed ownership, it'll look by default into your "document and settings" folder (/user/local) for unix I think.

To specify a custom keystore you could either

a. Set it as your VM parameter in CF admin using the
-Djavax.net.ssl.trustStore=[keystore location] -Djavax.net.ssl.trustStorePassword=[keystore password]

or you could set it as a java system property since you're already messing with that before calling CFPOP by doing

<CFSET javaSystem = createObject("java", "java.lang.System") />
   <CFSET prop = javaSystem.getProperties() />
   <CFSET prop.setProperty("mail.pop3.socketFactory.class", "javax.net.ssl.SSLSocketFactory") />
   <CFSET prop.setProperty("javax.net.ssl.trustStore", "C:\CFusionMX\runtime\jre\lib\security\cacerts") />
   <CFSET prop.setProperty("javax.net.ssl.trustStorePassword", "changeit") />

Seems to connect fine with no issues. Have to say Gmail's implementation of the POP protocol is kinda funky tho. Your CFPOP is going to retrieve *all* messages from a certain date which would be painful down the line. Doesn't seem like gmail removes those mail from server once you've read them so if the user has set to download all mails, your CFPOP is going to go thru *ALL* mails the user has ever received since day 1.

Various ways to get around that I guess depending on what you're trying to achieve. As far as connectivity goes tho, the above should resolve any issues you have.
# Posted By Michael Yap | 11/4/08 2:54 AM
mark kruger's Gravatar Michael,

Awesome explanation... thanks!!
# Posted By mark kruger | 11/4/08 8:32 AM
Michael Yap's Gravatar Btw, anyone getting blank message ids using CFPOP for gmail ? Doesn't seem to return anything on the UID column. Kinda stuffs everything up really. Anyone else came across this and fixed it ?
# Posted By Michael Yap | 11/6/08 12:03 AM
Michael Yap's Gravatar Whoops I meant yahoo mail. Gmail returns the IDs fine.
# Posted By Michael Yap | 11/6/08 12:17 AM
Gary's Gravatar I have been banging up against this issue for nearly a week now, this is almost no information on the web about it. Thank god for the ColdfusionMuse!

Here's my code:
<cfset ws = CreateObject("webservice","https://financial3.symetra.com/sws2008/service.asm...;, wsargs)>
<cfset ws._setProperty("axis.transport.version", "1.1")>
<cfset resp = ws.symetraQuote(xmlstr)>

I downloaded the cert by browsing the URL in IE and downloaded all three levels of certs from the "Certification Path" tab. The bottom two levels installed successfully, the top (verisign) was already there so I didn't overwrite it.

The createObject() works and I can cfdump the returned variable and see the methods. The second call _setProperty() also seems to work. But whenever I try to call the method() I get the error...

Cannot perform web service invocation symetraQuote.
The fault returned when invoking the web service operation is:

AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: java.net.ConnectException: Connection timed out: connect
faultActor:
faultNode:
faultDetail:
   {http://xml.apache.org/axis/}stackTrace:java.net.ConnectException: Connection timed out: connect

This was tested from two different servers, one over the internet and one in the same LAN. Within the LAN, if SSL is removed, it works fine, but going via SSL fails every time.

Any help would be HUGELY appreciated!
# Posted By Gary | 11/13/08 9:23 AM
Mithun's Gravatar Thanks. This is very informative. It helped us solve a java ssl issue in our application.
# Posted By Mithun | 1/13/09 12:53 AM
Al Everett's Gravatar I don't suppose Adobe has a KB article about this, do they? My server team is going to balk about doing this with information from an unofficial source.
# Posted By Al Everett | 2/10/09 8:57 AM
Al Everett's Gravatar After enough paperwork to clearcut clearcut a moderately-sized grove of trees, the server team ran the command to add to the keystore.

It worked perfectly.

At least, I can now programmatically get to the webservice over SSL. Consuming is now my next challenge.

Thank you all for your help.
# Posted By Al Everett | 2/24/09 12:47 PM
jc's Gravatar Here's a tool from Sun that should make the chained certs a bit easier.

http://blogs.sun.com/andreas/entry/no_more_unable_...

you'll have to compile it & run it from the command line. To make it work for you without any code changes, first figure out where it's trying to find jssecacerts, then copy your cacerts file there and rename it to jssecacerts. Once you've imported the certificate you need, you can copy it back to jrun4\jre\lib\security (or wherever it is supposed to be on your install).

To use it (after compiling it) run it from the command line like so: java InstallCert financial3.symetra.com
(to use Gary's example above)

It'll check it and throw errors if it doesn't trust the final cert. It'll prompt you, asking which cert in the chain you want to add to your trust store. Add the root one and run it again; work your way up from there until it doesn't throw errors anymore.
# Posted By jc | 2/26/09 10:45 AM
Ryan's Gravatar Just want to say thanks for this post it helped me with an error connecting to a web service via SSL.
# Posted By Ryan | 5/26/09 1:15 PM
Chase Woofer's Gravatar Allright, I have been looking all arround and this post was the best one so far. I have been able to get throught the initial SSL issue, but I am running into the issue of passing a client certificate to the web service. Has anyone needed to do this and solved the riddle of how to do it?
# Posted By Chase Woofer | 7/1/09 9:28 AM
Frank Newman's Gravatar Same problem, I need to pass a client cert too. Anyone had success doing it? I need to consume a WS from a server that requires mutual SSL (Grants.gov), I can browse the WSDL via firefox but when I import that same client cert into my local cacerts file I still cannot authenticate (     I/O Exception: peer not authenticated ).

Thanks in advance!
# Posted By Frank Newman | 7/1/09 2:21 PM
Mark Kruger's Gravatar Let me see if I can get a solution together for this problem and I will post a follow up. Feel free to send me details if you resolve the issue.
# Posted By Mark Kruger | 7/1/09 2:26 PM
Gary's Gravatar We finally got around v3 SSL encryption by using this tag : CFX_HTTP5

It is available at different spots on the net, here's one:
http://www.cftagstore.com/tags/cfxhttp5.cfm
# Posted By Gary | 7/1/09 2:46 PM
Frank Newman's Gravatar It seems that CF 7 DOES NOT support client side certs period, however, with CF 8 no problem, just add the "ClientCert" and "ClientCertPassword" into the tag as seen below and voila!

<cfhttp url="https://at07ws.grants.gov:446/agency-s2s-server/se...; clientcert="c:\junk\myClientCert.p12" ClientCertPassword="changeit">
# Posted By Frank Newman | 7/1/09 3:21 PM
Mark Kruger's Gravatar @Frank,

That's great if you want to use CFHTTP - but invoking a WS service using createobject or Cfinvoke will still not be able to use a client cert. That's the real problem here.
# Posted By Mark Kruger | 7/1/09 3:30 PM
Frank Newman's Gravatar @ Mark,

Good poing but I think this workaround should solve my immediate need:

http://www.jamesnetherton.com/blog/2007/01/14/Invo...

Love the CF Muse ... Frank
# Posted By Frank Newman | 7/1/09 3:33 PM
JC's Gravatar If you're on a windows server, I'd suggest CFX_HTTP5 -- even if you're using CF8 (and it's actually not available in raw CF8, you have to patch to the latest version I think).

It's $50 and adds a number of features that make it superior to CFHTTP. It uses your windows cert manager instead of having to mess about with the keystore/truststore stuff. It has session support. It can do lots of HTTP requests at the same time, great if you're dealing with stuff where some of the requests take longer than others. We use it extensively. Most code can be pretty easily converted to it.

http://www.cftagstore.com/tags/cfxhttp5.cfm
# Posted By JC | 7/1/09 3:41 PM
Jon Miller's Gravatar I know this is an old post but please NEVER let it go down... it saved me!!
# Posted By Jon Miller | 10/6/09 1:24 PM
Coldfusion developer's Gravatar Just to verify how I managed to get PayPal and Ebay API's working which both use this new certificate.

1 - Open both of the API pages in internet explorer (it has some uses) - Double click the Secure icon and then save the certificate as base64 (thanks to ike) in the "lib" folder. One called paypal.cer and the other ebay.cer
2 - Create a batch file to do the import
3 - Reboot CF and Voila - It works.

Batch file contents:-

@echo off
cls
..\bin\keytool -import -keystore w:\jrun4\jre\lib\security\cacerts -alias paypal -storepass changeit -noprompt -trustcacerts -file paypal.cer
..\bin\keytool -import -keystore w:\jrun4\jre\lib\security\cacerts -alias ebay -storepass changeit -noprompt -trustcacerts -file ebay.cer
pause
# Posted By Coldfusion developer | 10/7/09 7:28 AM
Apul's Gravatar Thank you this was a huge help I narrowed it down to the SSL issue form the error in the CFADMIN when refreshing the web service. Then realized I had CF 7 so took out the CFWINDOW lines of code and then did the cert import and code started to work.
# Posted By Apul | 12/9/09 6:44 PM
Apul's Gravatar I did not get the command line options that were mentioned here to work instead I had to go get CERTMAN
http://certman.riaforge.org/
Then install it and remove the CFWINDOW lines of code in the addcertForm.cfm page plus create a extensionscustom.cfm that my CFIDE/Administrator did not have.
# Posted By Apul | 12/9/09 6:53 PM
Leonard Inegbedion's Gravatar Hi,

Please i'm having a headache connecting to a host via cfhttp using ssl. They sent me a *.keystore file and i tried using the keytool to view it but get the error "Keystore was tampered with, or password was incorrect". They said i should just place the *.keystore file and point to it during a https call but coldfusion 8 (clientcert) only accepts files in PKCS12 format.

Please what should I do with the *.keystore file sent to me?
# Posted By Leonard Inegbedion | 3/11/10 7:40 PM
cheap jordans shoes's Gravatar very comfortable jordans sneaker for either basketball or to make any chill out outfit look clean. I love air jordan shoes ! Great Buy! This product was delivered very quickly. I would definitely buy from http://www.jordanshoesforsale.org/
# Posted By cheap jordans shoes | 5/18/10 11:43 PM
Coldy's Gravatar I got the javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
error and it turned out I had added a trusted root level certificate that should not have been on the machine. i removed it from the certificates on the local machine via the MMC snap-in and things were then up and running.
# Posted By Coldy | 6/10/10 11:25 AM
Ray Champagne's Gravatar Thanks for this post. Stupidly, the only thing my PayPal instructions forgot to mention was the CF restart. After that, everything worked perfectly. It's a dumb 'gotcha', but still a 'gotcha' nonetheless.
# Posted By Ray Champagne | 6/10/10 2:22 PM
Rob Zazueta's Gravatar @Mark - did you ever figure out how to supply the client cert using WS via a CreateObject? I'm completely stymied here.
# Posted By Rob Zazueta | 6/21/10 8:13 PM
Nando's Gravatar I’ve been through a very difficult few days trying to get an SSL connection to Highrise (37signals) to work on my Mac development server, without any luck at all. I installed the whole chain of certs, confirmed they were installed, set up logging of the entire ssl handshake by adding -Djavax.net.debug=all as an argument to the JVM under CF Administrator to try and understand what was going on under the hood, etc. The strange thing was that when I, as a last resort, tried to install the cert on the Linux production server, it worked. I note that sometimes folks report that they install certificates needed but it doesn't work for them.

I don't know why in one case it works and one it doesn't. I just thought I'd report my experience here in case it helps anyone else.
# Posted By Nando | 11/16/10 6:01 AM
Leonard Inegbedion's Gravatar @Nando - Nice of you, guess u followed the instructions to the letter...I went through a similar nightmare. I was using https to connect to a remote server via a Point-to-point VPN but kept getting certificate mis-match error. The host said I must use an IP address in the URL and not the domain name meanwhile, their certificate was registered to a domain name. If I used the domain name in the URL, it fails...it was just frustrating. The trick for me (which am not currently sure of the consequence) was to add a header parameter to cfhttpparam with the name "Host" and use the domain name in the URL and it worked.

So if anyone is going through this same problem, which i doubt because my remote server are currently upgrading their system....this might help
# Posted By Leonard Inegbedion | 11/16/10 6:35 AM
Dustin's Gravatar This post has been extremely helpful, thank you SOOOOOO much!
# Posted By Dustin | 1/31/11 5:09 PM
Ronnie's Gravatar We are experiencing the situation where are CF scheduled tasks are getting "peer not authenticated". We were running CF8 on Solaris/Sun 1 but have gone to CF9 on Red Hat Linux/Apache. They were running fine until we made the upgrade. We have a Verisign cert installed on our website which is NOT registered in our runtime\jre\lib\security\cacerts. Based on this article it appears that we need to register it. Can anyone confirm this and think that it will solve our problem?
# Posted By Ronnie | 10/5/11 2:11 PM
Jordan Retro 5's Gravatar The most well-known Jordan Retro 5 shoes among Nike friends and family is Nike NBA sequence, which many NBA people wear. Jordan 5 shoes are backed by popular NBA gamers like Jordan Retro 5 fire red, Kobe Bryant and also Dwayne Wade, to call a few. http://www.jordanretro5firered.net
# Posted By Jordan Retro 5 | 1/4/13 2:24 AM



Blog provided and hosted by CF Webtools. Blog Sofware by Ray Camden.