Installing an SSL Certificate into ColdFusion’s Trust Store

October 31, 2018

Let me preface this post by saying that in no way am I an expert when it comes to Java key stores or certificates.  I’m lucky if I can get Certbot to automatically install a Let’s Encrypt certificate on an Apache website under Ubuntu.  So understand that this post is about my experience as I learned without a lot of assistance.  I’m hoping it may help someone else who ends up struggling with a similar situation.

Background:  I am working on property management software that integrates with the credit company TransUnion to be able to pull credit reports and criminal background checks on prospective tenants.  In order to communicate with TransUnion (TU) they require that I use either system to create, download and install an SSL Certificate on to my web server.  The web server stack is:

  • Ubuntu 16.04
  • SQL Server 2017 (on Ubuntu)
  • ColdFusion 2016, Update 7
  • Apache

TU provided me a .p12 file as the certificate and told me to install it in my web application server to be able to communicate with them securely.  It’s go time.

Author’s note:  Here’s where my ignorance and lack of experience with this sort of thing kicks in.  If I sound very newbie-ish on some of this, bear with me.  We all start learning somewhere, and I warned you this article detailed my learning experience.

So I google: “what is a .p12 file” and learn that the PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encrypt-able file.  Ok, cool.  That makes sense.  I’ve got a single file with everything I need to install.  Got it.

Next step.  How do I get this certificate installed into my ColdFusion Server?  I found this article on the Adobe Help docs, but it’s painfully out of date for what I need.  It’s referring to JRun and ColdFusion 8 (despite saying it was last updated in January 2017), but I figured there’s sure to be some gems in this article somewhere.  First let’s make some corrections:

  • Since ColdFusion has used Apache Tomcat since ColdFusion 10, anything related to JRun in this article is moot.
  • In a server configuration, the Java Keytool utility is located at cf_root/jre/bin/keytool instead of cf_root/runtime/bin/keytool.

There is some important information in this article though.  Primarily the line that reads, “The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.”  This was important to learn as the .p12 file I had was not in this format.

Researching further, I learned that there are some Linux command line tools that would help me convert the certificate into something ColdFusion liked.  First, I used openssl to convert the .p12 file into a .pem file using the following Unix command:

openssl pkcs12 -in [filename].p12 -out [filename].pem -nodes

Then I used openssl again to convert the .pem file to a .der format file.

openssl x509 -outform der -in [filename].pem -out [filename].der

Finally, I used the JRE key tool utility to import the certificate into ColdFusion’s Java Keystore.  In the {cf_root}/jre/bin/ folder, I executed the following command:

./keytool -importcert -trustcacerts -alias "myAlias" -file [filename].der -cacerts

The keystore password, by default, is “changeit.”  You should, probably, well… change it.  To do this, use the following command:

./keytool -storepasswd -new newpassword -keystore {cf_root}/jre/lib/security/cacerts -storepass changeit

Beautifully, I saw a message reading “Certificate was added to keystore” and I was able to move forward.
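
The following is an added example, not part of the original post. It inspects a .pem such as the one written by the `openssl pkcs12 ... -nodes` step: it lists the blocks, flags a private key stored without encryption, and derives the DER bytes and SHA-256 fingerprint of the first certificate (the block `openssl x509` reads), in the colon-separated form that can be compared with `keytool -list -v` output after the import. The sample bundle and all function names are constructed for illustration; the payloads are placeholder bytes, not real keys or certificates.

```python
import base64
import hashlib
import re

# One PEM block: BEGIN line, body, matching END line. Text outside blocks
# (the "Bag Attributes" lines openssl writes) is skipped.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def keytool_style_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_pem_bundle(text: str) -> dict:
    """Summarise a PEM bundle such as the output of `openssl pkcs12 -nodes`."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    certs = [base64.b64decode("".join(body.split()))
             for label, body in blocks if label == "CERTIFICATE"]
    key_labels = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    return {
        "labels": [label for label, _ in blocks],
        "cert_count": len(certs),
        # Only PKCS#8 "ENCRYPTED PRIVATE KEY" is treated as protected here;
        # any other key label is reported as plaintext (conservative).
        "plaintext_key": any(l != "ENCRYPTED PRIVATE KEY" for l in key_labels),
        # `openssl x509` reads the first CERTIFICATE block in the file.
        "first_cert_der": certs[0] if certs else None,
        "first_cert_sha256": keytool_style_fingerprint(certs[0]) if certs else None,
    }


def _pem(label: str, payload: bytes) -> str:
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample: placeholder bytes, not real keys or certificates.
LEAF, ISSUER = b"constructed-leaf-certificate", b"constructed-issuer-certificate"
SAMPLE_BUNDLE = (
    "Bag Attributes\n    friendlyName: sample\n"
    + _pem("PRIVATE KEY", b"constructed-private-key")
    + "Bag Attributes\n    friendlyName: sample\n"
    + _pem("CERTIFICATE", LEAF)
    + _pem("CERTIFICATE", ISSUER)
)

if __name__ == "__main__":
    for field, value in audit_pem_bundle(SAMPLE_BUNDLE).items():
        print(f"{field}: {value}")
```

If `plaintext_key` is true, the .pem holds the private key in the clear, so restrict its permissions and delete it once the .der file has been produced.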
