ColdFusion Muse

SSL and the trusted keystore in Java

Mark Kruger January 29, 2005 10:58 AM Coldfusion Troubleshooting Comments (50)

This tip is from my old blog - but it is worth repeating. The Java runtime must trust a cert to get it to work with it properly.

These notes are the result of solving a particularly tricky problem with webservices on CF Talk. This helpful "keystore" procedure came from the diligent investigation of Mike Chambers and Trevor Baker.

There is a tricky nuance to using with SSL in CFMX. In order to make an outgoing SSL request, the requesting agent must first obtain the "public" key. This public key is available from a "trusted certificate authority". Verisign, Thawt, and equifax are 3 well-known "trusted authorities". In your browser, if the certificate is not a "trusted athority", a warning message informs you that, while the cert may be good in other ways (not expired etc.) it is not from a source you have listed as trusted. If you choose, you can simply accept the certificate anyway. Note, encryption is determined by the type and size of the key - not by whether the authority is trusted or not. All things being equal, a certificate from a non-trusted authority will result in the same level of protection as that from a trusted authority.

In CF 5 an outgoing SSL request using was successfully negotiated if the cert was found in the "root certificate store" of the server. In other words, if you had indicated the cert was trusted and allowed the key to be installed, CF 5 was able to use it. In CFMX however, the Java Run-time is unaware of the root certificate store. Instead, it has it's own cache of "trusted authorities" and it installs certs as needed based on this cache.

To discover the list of trusted authorities in your Java run time, try the following command line code:

C:\CFusionMX\runtime\jre\lib>keytool -list -storepass changeit -noprompt -keystore C:\CFusionMX\runtime\jre\lib\security\cacerts
Of course you will want to change the path to your CFMX runtime directory. When I run this command on my CFMX dev box with the standard 1.3 JRE I get the following:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 10 entries

thawtepersonalfreemailca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
thawtepersonalbasicca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
verisignclass3ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawtepersonalpremiumca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
thawteserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
verisignclass4ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
verisignclass1ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
verisignclass2ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

Obviously I trust Thawte and Versign certificates.

What happens when I need to make an SSL request to a site using a cert that is not from one of these authorities? The request will fail. For it to succeed, I must tell my JRE to "trust" the authority in question. To do that you will need to use the keytool to "import" the cert from the authority in question. For example, if you wanted to import the "instant SSL" certificate, you would need to import the 2 signing certificates they use to create their own certs. They use the following 2 certs:

GTE CyberTrust Root CA
Comodo Class 3 Security Services CA

Both of these certs are available through links at instant SSL installation support. Save each of them into a text file - cert1.crt and cert2.crt (or whatever), then use the key tool to import them into your store. Here is the command line syntax:

C:\CFusionMX\runtime\jre\lib>keytool -import -keystore c:\CFusionMx\runtime\jre\
lib\security\cacerts -alias instantssl -storepass changeit -noprompt -trustcacer
ts -file c:\temp\cert1.crt
More information regarding the "keytool" is available at Sun Keytool docs. Once this code is run, you can re-run the initial command line code and look at your entries again. You should see something like this:

instantssl, Dec 5, 2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58

Now, when your outgoing request negotiates the connection it will "trust" the public key provided to complete the SSL negotiation.

  • Share:

Related Blog Entries


  • drew's Gravatar
    Posted By
    drew | 3/15/06 12:36 AM
    thanks heaps, you just saved me a whole bunch of time
  • ike's Gravatar
    Posted By
    ike | 3/29/06 9:19 PM
    note that it's necessary to restart CF Server after registering a new certificate, and for those who may be stumped (since it's not intuitively obvious) if you don't know where to find the certificate file for a particular webservice, Internet Explorer will give it to you with export options by double-clicking the padlock icon if you have the service url open in a browser. A base-64 export worked for me. I don't know how Firefox exposes them.
  • mkruger's Gravatar
    Posted By
    mkruger | 3/30/06 7:21 AM
    Ike - thanks for the additional info. You are definitely right about "how to get the certificate". It's not something immediately apparent.
  • ike's Gravatar
    Posted By
    ike | 3/30/06 6:34 PM
    welcome... actually, I'd go so far as to say it's nearly an easter egg. :)
  • Jason Davey's Gravatar
    Posted By
    Jason Davey | 10/15/07 1:56 PM
    This was excellent - thank you for writing it up and for including the additional comments of which getting the certificate was particularly useful. Password error I think on this line "-storepass changit" should be "-storepass changeit"

    Thanks again.
  • Jill's Gravatar
    Posted By
    Jill | 11/6/07 12:17 PM
    If Java is installed in a separate directory than ColdFusion, be sure to install the crt in the cacert file in the Java directory.

    To figure out the java directory, click on "System Information" in the coldfusion administrator and look at the entry under "Java Home"

    The path to your cacert file will be:
    [java home directory]\lib\security

    So the command line code would be:
    [java home directory]\lib>keytool -list -storepass changeit -noprompt -keystore [java home directory]\lib\security\cacerts
  • felix tjandrawibawa's Gravatar
    Posted By
    felix tjandrawibawa | 6/12/08 3:49 AM
    Hi, Mark, I am banging my head on the wall on this issue and stumbled upon your blog post.

    I just want to clarify your post, I have stored the certificate from a client which web service we want to invoke. Are you saying that I also need signing certificates that the client use to produce his certificate?
  • Jason D's Gravatar
    Posted By
    Jason D | 6/12/08 12:08 PM

    Can you embellish on what your problem is? I cannot determine from what you say your particular situation, but if you have a client certificate (.cer) and you are calling their program from ColdFusion, then all you need to do is register the certificate (using keytool utility) to the keystore of the java instance that your CF server is running under. See Jill's comment for details about locating the correct jre. Once you have done that, restart your CF server and you should be able to connect.
  • felix tjandrawibawa's Gravatar
    Posted By
    felix tjandrawibawa | 6/12/08 8:09 PM
    Hi Jason,

    These are the steps that I took to install the certificate:
    1. Generate a CSR using openSSL tool.
    2. Supply the client with this CSR, the returned us a CRT file.
    3. I stored the CRT file using keytool on CF8 jre/bin
    4. Restarted the CF server
    5. Invoke the client web service URL, got the error: peer not authenticated.
    6. Client suggested us to store the root CRT from his site as well, so we did that too (same as step 3).
    7. The error still persist..

  • felix tjandrawibawa's Gravatar
    Posted By
    felix tjandrawibawa | 6/17/08 12:25 AM
    Hi all, I think I sort of worked out why I had the problem.
    My client is requiring SSLv3 which not yet supported (it's still in CF feature wishlist): no 35

    I think we will go with creating .NET object and invoke it via CF.
    Thanks for all the help!
  • Terry's Gravatar
    Posted By
    Terry | 8/18/08 8:20 AM
    Thanks for the great posting! I am still having issues and not sure if the port is the issue. Does port 636 need to be open on both Coldfusion and LDAP server in order to create a secure connection?
  • John Brookes's Gravatar
    Posted By
    John Brookes | 10/13/08 5:13 PM
    A couple of updates on this, just for information:

    You can retrieve a certificate in Firefox by double-clicking the padlock, same as IE. Go to details and export.

    And the one that got me for the last half hour...

    Do not use directories with extended names - keytool doesn't like "Documents and Settings" (even with double quotes). Just stick it in c:\temp - it's much easier.

    Oh yes - the keytool in CF8 is in C:\ColdFusion8\runtime\jre\bin (not jre\lib)

    Thanks a lot for creating this simple guide - can't understand why Adobe (and Macromedia) make no mention of it anywhere under web services.
  • Michael Yap's Gravatar
    Posted By
    Michael Yap | 11/3/08 2:43 AM
    Hey there I've been thru the guides and am pretty sure I did everything right but the damn thing is still returning a

    This exception was caused by: javax.mail.MessagingException: Connect failed; nested exception is: untrusted server cert chain.

    I'm basically trying to connect to Gmail using CFPOP. Now CFPOP doesn't really support SSL so I've had to change the necessary java properties to get it to connect by

    <CFSET javaSystem = createObject("java", "java.lang.System") />
    <CFSET prop = javaSystem.getProperties() />
    <CFSET prop.setProperty("mail.pop3.socketFactory.class", "") />
    <CFPOP name = "rsCheckNew" action = "getHeaderOnly"
    server = "" port = "995" timeout = "10"
    username = "" password = "password">

    I've also gotten the Gmail cert from the browser and executed the necessary keytool command. keytool -list -keystore c:\cfusionmx\runtime\jre\lib\security\cacerts shows

    thawtepersonalfreemailca, Sat Feb 13 04:12:16 SGT 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
    thawtepersonalbasicca, Sat Feb 13 04:11:01 SGT 1999, trustedCertEntry,
    Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
    verisignclass3ca, Tue Jun 30 01:05:51 SGT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
    thawteserverca, Sat Feb 13 04:14:33 SGT 1999, trustedCertEntry,
    Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
    thawtepersonalpremiumca, Sat Feb 13 04:13:21 SGT 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
    verisignclass4ca, Tue Jun 30 01:06:57 SGT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
    gmail, Mon Nov 03 11:38:23 SGT 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 63:1E:F3:56:B0:B0:F7:8D:E4:8C:8F:7D:8E:F5:68:D0
    verisignclass1ca, Tue Jun 30 01:06:17 SGT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
    verisignserverca, Tue Jun 30 01:07:34 SGT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
    thawtepremiumserverca, Sat Feb 13 04:15:26 SGT 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
    verisignclass2ca, Tue Jun 30 01:06:39 SGT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

    gmail is the alias I created using the import tool. Anything else that I've missed out ? I'm going thru my keyboards real quick and I'm pretty sure my skull is cracked from all the banging on the wall.
  • mark kruger's Gravatar
    Posted By
    mark kruger | 11/3/08 7:40 AM

    The problem is not the cert you installed. The cert is a part of a "chain" of certs from the provider with a governing heirarchy. You probably need to add an "intermediate" certificate to get it working. As it stands the cert you installed is telling the system to look further up the chain but there is no trusted cert further up the chain.

    Do a google for "intermediate certificates" for more information. You can probably also examine the certs in your local repo for FF or IE and figure out which ones are google intermediates.
  • Michael Yap's Gravatar
    Posted By
    Michael Yap | 11/4/08 2:54 AM
    Ok fixed this one:

    Like Mark said, the certification chain was required; not merely the certificate. If you're using some kind of GUI tool (ie browser) you should be able to view those fairly easily. If you're not, you'll have to traverse the certificate manually from its cert structure and figure out where to download it from. I strongly recommend that you go for the first option :)

    Secondly, if you're connecting to gmail like I was, exporting the cert from your browser doesn't work. You'll be getting a cert registered to and NOT (which is what you're connecting to). Makes a world of a difference. I did an Ethereal trace before realising that. I'd imagine that you could use some kind of SSL investigator to retrieve the cert if you need to.

    Thirdly, the actual keystore used is also important. The VM has its default keystore location (usually cfusionmx/runtime/jre/lib/security/cacerts) *but* if you've done any reconfiguration to your CF process and ran it under another user account or changed ownership, it'll look by default into your "document and settings" folder (/user/local) for unix I think.

    To specify a custom keystore you could either

    a. Set it as your VM parameter in CF admin using the[keystore location][keystore password]

    or you could set it as a java system property since you're already messing with that before calling CFPOP by doing

    <CFSET javaSystem = createObject("java", "java.lang.System") />
       <CFSET prop = javaSystem.getProperties() />
       <CFSET prop.setProperty("mail.pop3.socketFactory.class", "") />
       <CFSET prop.setProperty("", "C:\CFusionMX\runtime\jre\lib\security\cacerts") />
       <CFSET prop.setProperty("", "changeit") />

    Seems to connect fine with no issues. Have to say Gmail's implementation of the POP protocol is kinda funky tho. Your CFPOP is going to retrieve *all* messages from a certain date which would be painful down the line. Doesn't seem like gmail removes those mail from server once you've read them so if the user has set to download all mails, your CFPOP is going to go thru *ALL* mails the user has ever received since day 1.

    Various ways to get around that I guess depending on what you're trying to achieve. As far as connectivity goes tho, the above should resolve any issues you have.
  • mark kruger's Gravatar
    Posted By
    mark kruger | 11/4/08 8:32 AM

    Awesome explanation... thanks!!
  • Michael Yap's Gravatar
    Posted By
    Michael Yap | 11/6/08 12:03 AM
    Btw, anyone getting blank message ids using CFPOP for gmail ? Doesn't seem to return anything on the UID column. Kinda stuffs everything up really. Anyone else came across this and fixed it ?
  • Michael Yap's Gravatar
    Posted By
    Michael Yap | 11/6/08 12:17 AM
    Whoops I meant yahoo mail. Gmail returns the IDs fine.
  • Gary's Gravatar
    Posted By
    Gary | 11/13/08 9:23 AM
    I have been banging up against this issue for nearly a week now, this is almost no information on the web about it. Thank god for the ColdfusionMuse!

    Here's my code:
    <cfset ws = CreateObject("webservice",";, wsargs)>
    <cfset ws._setProperty("axis.transport.version", "1.1")>
    <cfset resp = ws.symetraQuote(xmlstr)>

    I downloaded the cert by browsing the URL in IE and downloaded all three levels of certs from the "Certification Path" tab. The bottom two levels installed successfully, the top (verisign) was already there so I didn't overwrite it.

    The createObject() works and I can cfdump the returned variable and see the methods. The second call _setProperty() also seems to work. But whenever I try to call the method() I get the error...

    Cannot perform web service invocation symetraQuote.
    The fault returned when invoking the web service operation is:

    faultCode: {}Server.userException
    faultString: Connection timed out: connect
       {} Connection timed out: connect

    This was tested from two different servers, one over the internet and one in the same LAN. Within the LAN, if SSL is removed, it works fine, but going via SSL fails every time.

    Any help would be HUGELY appreciated!
  • Mithun's Gravatar
    Posted By
    Mithun | 1/13/09 12:53 AM
    Thanks. This is very informative. It helped us solve a java ssl issue in our application.
  • Al Everett's Gravatar
    Posted By
    Al Everett | 2/10/09 8:57 AM
    I don't suppose Adobe has a KB article about this, do they? My server team is going to balk about doing this with information from an unofficial source.
  • Al Everett's Gravatar
    Posted By
    Al Everett | 2/24/09 12:47 PM
    After enough paperwork to clearcut clearcut a moderately-sized grove of trees, the server team ran the command to add to the keystore.

    It worked perfectly.

    At least, I can now programmatically get to the webservice over SSL. Consuming is now my next challenge.

    Thank you all for your help.
  • jc's Gravatar
    Posted By
    jc | 2/26/09 10:45 AM
    Here's a tool from Sun that should make the chained certs a bit easier.

    you'll have to compile it & run it from the command line. To make it work for you without any code changes, first figure out where it's trying to find jssecacerts, then copy your cacerts file there and rename it to jssecacerts. Once you've imported the certificate you need, you can copy it back to jrun4\jre\lib\security (or wherever it is supposed to be on your install).

    To use it (after compiling it) run it from the command line like so: java InstallCert
    (to use Gary's example above)

    It'll check it and throw errors if it doesn't trust the final cert. It'll prompt you, asking which cert in the chain you want to add to your trust store. Add the root one and run it again; work your way up from there until it doesn't throw errors anymore.
  • Ryan's Gravatar
    Posted By
    Ryan | 5/26/09 1:15 PM
    Just want to say thanks for this post it helped me with an error connecting to a web service via SSL.
  • Chase Woofer's Gravatar
    Posted By
    Chase Woofer | 7/1/09 9:28 AM
    Allright, I have been looking all arround and this post was the best one so far. I have been able to get throught the initial SSL issue, but I am running into the issue of passing a client certificate to the web service. Has anyone needed to do this and solved the riddle of how to do it?
  • Frank Newman's Gravatar
    Posted By
    Frank Newman | 7/1/09 2:21 PM
    Same problem, I need to pass a client cert too. Anyone had success doing it? I need to consume a WS from a server that requires mutual SSL (, I can browse the WSDL via firefox but when I import that same client cert into my local cacerts file I still cannot authenticate (     I/O Exception: peer not authenticated ).

    Thanks in advance!
  • Mark Kruger's Gravatar
    Posted By
    Mark Kruger | 7/1/09 2:26 PM
    Let me see if I can get a solution together for this problem and I will post a follow up. Feel free to send me details if you resolve the issue.
  • Gary's Gravatar
    Posted By
    Gary | 7/1/09 2:46 PM
    We finally got around v3 SSL encryption by using this tag : CFX_HTTP5

    It is available at different spots on the net, here's one:
  • Frank Newman's Gravatar
    Posted By
    Frank Newman | 7/1/09 3:21 PM
    It seems that CF 7 DOES NOT support client side certs period, however, with CF 8 no problem, just add the "ClientCert" and "ClientCertPassword" into the tag as seen below and voila!

    <cfhttp url="; clientcert="c:\junk\myClientCert.p12" ClientCertPassword="changeit">
  • Mark Kruger's Gravatar
    Posted By
    Mark Kruger | 7/1/09 3:30 PM

    That's great if you want to use CFHTTP - but invoking a WS service using createobject or Cfinvoke will still not be able to use a client cert. That's the real problem here.
  • Frank Newman's Gravatar
    Posted By
    Frank Newman | 7/1/09 3:33 PM
    @ Mark,

    Good poing but I think this workaround should solve my immediate need:

    Love the CF Muse ... Frank
  • JC's Gravatar
    Posted By
    JC | 7/1/09 3:41 PM
    If you're on a windows server, I'd suggest CFX_HTTP5 -- even if you're using CF8 (and it's actually not available in raw CF8, you have to patch to the latest version I think).

    It's $50 and adds a number of features that make it superior to CFHTTP. It uses your windows cert manager instead of having to mess about with the keystore/truststore stuff. It has session support. It can do lots of HTTP requests at the same time, great if you're dealing with stuff where some of the requests take longer than others. We use it extensively. Most code can be pretty easily converted to it.
  • Jon Miller's Gravatar
    Posted By
    Jon Miller | 10/6/09 1:24 PM
    I know this is an old post but please NEVER let it go down... it saved me!!
  • Coldfusion developer's Gravatar
    Posted By
    Coldfusion developer | 10/7/09 7:28 AM
    Just to verify how I managed to get PayPal and Ebay API's working which both use this new certificate.

    1 - Open both of the API pages in internet explorer (it has some uses) - Double click the Secure icon and then save the certificate as base64 (thanks to ike) in the "lib" folder. One called paypal.cer and the other ebay.cer
    2 - Create a batch file to do the import
    3 - Reboot CF and Voila - It works.

    Batch file contents:-

    @echo off
    ..\bin\keytool -import -keystore w:\jrun4\jre\lib\security\cacerts -alias paypal -storepass changeit -noprompt -trustcacerts -file paypal.cer
    ..\bin\keytool -import -keystore w:\jrun4\jre\lib\security\cacerts -alias ebay -storepass changeit -noprompt -trustcacerts -file ebay.cer
  • Apul's Gravatar
    Posted By
    Apul | 12/9/09 6:44 PM
    Thank you this was a huge help I narrowed it down to the SSL issue form the error in the CFADMIN when refreshing the web service. Then realized I had CF 7 so took out the CFWINDOW lines of code and then did the cert import and code started to work.
  • Apul's Gravatar
    Posted By
    Apul | 12/9/09 6:53 PM
    I did not get the command line options that were mentioned here to work instead I had to go get CERTMAN
    Then install it and remove the CFWINDOW lines of code in the addcertForm.cfm page plus create a extensionscustom.cfm that my CFIDE/Administrator did not have.
  • Leonard Inegbedion's Gravatar
    Posted By
    Leonard Inegbedion | 3/11/10 7:40 PM

    Please i'm having a headache connecting to a host via cfhttp using ssl. They sent me a *.keystore file and i tried using the keytool to view it but get the error "Keystore was tampered with, or password was incorrect". They said i should just place the *.keystore file and point to it during a https call but coldfusion 8 (clientcert) only accepts files in PKCS12 format.

    Please what should I do with the *.keystore file sent to me?
  • cheap jordans shoes's Gravatar
    Posted By
    cheap jordans shoes | 5/18/10 11:43 PM
    very comfortable jordans sneaker for either basketball or to make any chill out outfit look clean. I love air jordan shoes ! Great Buy! This product was delivered very quickly. I would definitely buy from
  • Coldy's Gravatar
    Posted By
    Coldy | 6/10/10 11:25 AM
    I got the peer not authenticated
    error and it turned out I had added a trusted root level certificate that should not have been on the machine. i removed it from the certificates on the local machine via the MMC snap-in and things were then up and running.
  • Ray Champagne's Gravatar
    Posted By
    Ray Champagne | 6/10/10 2:22 PM
    Thanks for this post. Stupidly, the only thing my PayPal instructions forgot to mention was the CF restart. After that, everything worked perfectly. It's a dumb 'gotcha', but still a 'gotcha' nonetheless.
  • Rob Zazueta's Gravatar
    Posted By
    Rob Zazueta | 6/21/10 8:13 PM
    @Mark - did you ever figure out how to supply the client cert using WS via a CreateObject? I'm completely stymied here.
  • Nando's Gravatar
    Posted By
    Nando | 11/16/10 6:01 AM
    I’ve been through a very difficult few days trying to get an SSL connection to Highrise (37signals) to work on my Mac development server, without any luck at all. I installed the whole chain of certs, confirmed they were installed, set up logging of the entire ssl handshake by adding as an argument to the JVM under CF Administrator to try and understand what was going on under the hood, etc. The strange thing was that when I, as a last resort, tried to install the cert on the Linux production server, it worked. I note that sometimes folks report that they install certificates needed but it doesn't work for them.

    I don't know why in one case it works and one it doesn't. I just thought I'd report my experience here in case it helps anyone else.
  • Leonard Inegbedion's Gravatar
    Posted By
    Leonard Inegbedion | 11/16/10 6:35 AM
    @Nando - Nice of you, guess u followed the instructions to the letter...I went through a similar nightmare. I was using https to connect to a remote server via a Point-to-point VPN but kept getting certificate mis-match error. The host said I must use an IP address in the URL and not the domain name meanwhile, their certificate was registered to a domain name. If I used the domain name in the URL, it was just frustrating. The trick for me (which am not currently sure of the consequence) was to add a header parameter to cfhttpparam with the name "Host" and use the domain name in the URL and it worked.

    So if anyone is going through this same problem, which i doubt because my remote server are currently upgrading their system....this might help
  • Dustin's Gravatar
    Posted By
    Dustin | 1/31/11 5:09 PM
    This post has been extremely helpful, thank you SOOOOOO much!
  • Ronnie's Gravatar
    Posted By
    Ronnie | 10/5/11 2:11 PM
    We are experiencing the situation where are CF scheduled tasks are getting "peer not authenticated". We were running CF8 on Solaris/Sun 1 but have gone to CF9 on Red Hat Linux/Apache. They were running fine until we made the upgrade. We have a Verisign cert installed on our website which is NOT registered in our runtime\jre\lib\security\cacerts. Based on this article it appears that we need to register it. Can anyone confirm this and think that it will solve our problem?
  • Jordan Retro 5's Gravatar
    Posted By
    Jordan Retro 5 | 1/4/13 2:24 AM
    The most well-known Jordan Retro 5 shoes among Nike friends and family is Nike NBA sequence, which many NBA people wear. Jordan 5 shoes are backed by popular NBA gamers like Jordan Retro 5 fire red, Kobe Bryant and also Dwayne Wade, to call a few.
  • steve lu's Gravatar
    Posted By
    steve lu | 7/4/15 10:01 PM
    i have big problem. since May 27 2015 my website lost connection with customer check out they got an exception error instead of check out success confirmation. My host still not able fix it. they said already update all required cert. but my hired tech able to test with sand box test URL with SSL SHA-2(i think which is already applied) and it work but when i tried to use production URL( got the connection failure

    SSL: GeoTrust SHA-2
    coldfusion server: Coldfusion version
    Windows Server , Windows Server 2008 R2 Enterprise Edition SP1
    Java: 1.7xxxx payment process page code:
    <!--- USER SETTING [ START ] ==================================================== --->
    <cfset variables.AuthNetLogin = "XXXXXXXXX"><!--- Fill in your login --->
    <cfset variables.TransactionKey = "XXXXXXXX"><!--- Fill in your transaction key OR password --->
    <cfset variables.AuthNetPassword = "">
    <cfset variables.TestMode = "False">
    <!--- USER SETTING [ END ] ====================================================== --->

    <cfhttp url=""" target="_blank">; method="post">
       <cfhttpparam type="FormField" name="x_Login" value="#variables.AuthNetLogin#">
    <cfif variables.AuthNetPassword NEQ "">
          <cfhttpparam type="FormField" name="x_Password" value="#variables.AuthNetPassword#">
          <cfhttpparam type="FormField" name="x_tran_key" value="#variables.TransactionKey#">
       <cfhttpparam type="FormField" name="x_version" value="True">
       <cfhttpparam type="FormField" name="x_type" value="AUTH_CAPTURE">
       <cfhttpparam type="FormField" name="x_Amount" value="#NumberFormat(Client.OrderTotal,'999999999.99')#">
       <cfhttpparam type="FormField" name="x_Card_Num" value="#request.CCNumber#">
       <cfhttpparam type="FormField" name="x_Exp_Date" value="#NumberFormat(request.CCExprDate,"0999")#">
       <cfhttpparam type="FormField" name="x_card_code" value="#request.CCV#">

       <cfhttpparam type="FormField" name="x_Last_Name" value="#rsGetCustBilling.cst_LastName#">
       <cfhttpparam type="FormField" name="x_First_Name" value="#rsGetCustBilling.cst_FirstName#">
       <cfhttpparam type="FormField" name="x_company" value="NA">
       <cfhttpparam type="FormField" name="x_Address" value="#rsGetCustBilling.cst_Address1#">
       <cfhttpparam type="FormField" name="x_City" value="#rsGetCustBilling.cst_City#">
       <cfhttpparam type="FormField" name="x_State" value="#rsGetCustBilling.stprv_Name#">
       <cfhttpparam type="FormField" name="x_Zip" value="#rsGetCustBilling.cst_Zip#">
       <cfhttpparam type="FormField" name="x_Country" value="#rsGetCustBilling.country_Code#">
       <cfhttpparam type="FormField" name="x_Phone" value="#rsGetCustBilling.cst_Phone#">
       <cfhttpparam type="FormField" name="x_email" value="#rsGetCustBilling.cst_Email#">
       <cfhttpparam type="FormField" name="x_customer_ip" value="#cgi.remote_addr#">

       <cfhttpparam type="FormField" name="x_Method" value="CC">
       <cfhttpparam type="FormField" name="x_ADC_Delim_Character" value=",">
       <cfhttpparam type="FormField" name="x_ADC_Delim_Data" value="TRUE">
       <cfhttpparam type="FormField" name="x_ADC_Encapsulate_Character" value="">
       <cfhttpparam type="FormField" name="x_ADC_URL" value="FALSE">
       <cfhttpparam type="FormField" name="x_Test_Request" value="#variables.TestMode#">

    <cfset request.TransactionResult = Val(ListFirst(cfhttp.fileContent))>
    ??<cfset Request.TransactionID = ListGetAt(cfhttp.fileContent, '7')>
    <cfset request.TransactionMessage = ListGetAt(cfhttp.fileContent, '4')>

    <!--- 1=Pending, 2=Verified, 3=Shipped --->
    <cfif request.TransactionResult EQ 1>
       <cfset request.TransactionResult = "Approved">
       <cfset request.OrderStatusID = 2>

    anyone can shred some light where goes wrong? the server or the payment processing code? the code works fine before may 15, 2015. thanks in advance. my site is down almost 2 month....
  • steve lu's Gravatar
    Posted By
    steve lu | 7/5/15 4:20 PM
    Thanks Mark. problem resolved. those have same problem please refer to this link. thanks all.....
  • Charles Robertson's Gravatar
    Posted By
    Charles Robertson | 10/6/17 2:07 PM
    Hi Mark. I know this is a really old post but I really need your help. I have just installed an intermediate & primary SSL certificate on my VPS. Everything is working well, except when I make a cfhttp call from to These 2 subdomains are on the same server, and I am using a wildcard SSL certificate that covers all sub domains. Do I need to install the intermediate.crt & primaryssl.crt in my keystore cacerts? Is this the problem. I tried just installimg the certificate.cer that I grabbed from Internet Explorer, but maybe this is the wrong approach?