HTTPS, SSL Certs and ColdFusion
February 27th, 2007
So you are tasked with using SSL (in cfhttp or some other protocol) against a server whose certificate the ColdFusion JVM does not already trust. There are two issues: #1 you don't have the cert in the JVM's trust store, and #2 when you do get the cert you find out that it has been issued in a way that CF rejects: the name in the cert doesn't match the DNS name you connect to, or the name in the cert is something arbitrary and you are connecting to the server by IP address.
Ok, on to the first issue. First you need to download the PEM version of the server's certificate so you can convert it into a form Java (and therefore ColdFusion) can import. There is a nice shell script for doing this:
retrieve-cert.sh
#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
# The echo closes stdin so s_client exits once the handshake is done;
# sed keeps only the PEM block of the server's certificate.
echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Go get the cert using the shell script. The host name and port are separate arguments, and the PEM goes to stdout, so redirect it into a file:
/bin/sh retrieve-cert.sh remote.host.name 443 > infile.pem
Note that this captures only the server's own (leaf) certificate, which is what you want for a self-signed cert. If the cert was issued by a private CA, get and import that CA's certificate instead, so the trust survives the next renewal of the server cert.
You then have the PEM file and need to convert it to DER for keytool (keytool will also import a PEM file directly, but DER is what the rest of this guide uses). From the command line:
openssl x509 -inform PEM -outform DER -trustout -in infile.pem -out outfile.crt
Import the cert into the trust store of the JRE that ColdFusion actually runs on (editing some other JRE's cacerts changes nothing). The keystore path and the password changeit are the defaults; use your own if the password has been changed. The JVM reads cacerts only at startup, so restart ColdFusion after the import:
sudo {path to jrun root}/jre/bin/keytool -import -trustcacerts -alias YOUR_ALIAS_NAME -file {path to your new cert}/outfile.crt -keystore {path to jrun root}/jre/lib/security/cacerts -storepass changeit
The cert is now in the keystore and should be accessible, but you should find out whether it is going to work before you start debugging a failing cfhttp call. The JVM checks that the host name you connect to matches the name in the certificate's subject, so pull the subject out of the PEM file. Note that this is -subject, not -issuer: the issuer is whoever signed the cert, which for a self-signed cert happens to be the same name but in general is not.
openssl x509 -noout -in infile.pem -subject
The CN= part should be the host name you are using to connect to that server (if the cert carries a subjectAltName extension, the DNS names in it count too, and modern clients check those before the CN). If the name in the cert is not what you are using, the cleanest fix is to connect using the name that is in the cert. If that name does not resolve, or resolves to the wrong place, edit the hosts file on the ColdFusion server and add the CN, pointing it at the real IP address. Keep in mind that this hosts entry and the imported cert are now part of your security configuration: the name check is the only thing telling ColdFusion which server it is talking to, and anyone who can edit that file can redirect the SSL traffic. Keep the entry to the one host, and don't work around a name mismatch by turning certificate verification off.
Voilà, you should be able to connect using https.
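The whole procedure as one script, added here as an example and not code from the original post: it fetches the certificate, checks the subject CN and the DNS names in the subjectAltName extension against the host you will connect with (the same check the JVM performs), converts the PEM to DER and, if you name a keystore, imports it with keytool. Going a little beyond the post, it reads subjectAltName as well as CN. It assumes openssl and keytool are on PATH; the keystore path, store password and alias are arguments or defaults I chose, not values from the post, and the main function only runs when a host is given, so the functions can also be sourced.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl and keytool are
# on PATH. Usage: cf-cert-check.sh host [port] [keystore] [storepass]
set -eu

# Fetch the server's leaf certificate as PEM (same idea as retrieve-cert.sh).
# -servername sends SNI so a name-based virtual host returns the right cert.
fetch_cert() {            # fetch_cert host [port] > cert.pem
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Subject CN of a PEM certificate (the subject, not the issuer). Handles both
# the old "/CN=name" and the newer "CN = name" subject formats of openssl.
cert_cn() {               # cert_cn cert.pem
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# DNS names from the subjectAltName extension, one per line (may be empty).
cert_sans() {             # cert_sans cert.pem
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Does the certificate cover the host name you connect with? Returns 0 if the
# host equals the CN or any DNS SAN, 1 otherwise. Wildcard and IP-address
# SANs are deliberately not handled; the post's case is a plain host name.
cert_matches_host() {     # cert_matches_host cert.pem host
    pem=$1; host=$2
    [ "$(cert_cn "$pem")" = "$host" ] && return 0
    for n in $(cert_sans "$pem"); do
        [ "$n" = "$host" ] && return 0
    done
    return 1
}

# PEM -> DER, the form the post feeds to keytool.
pem_to_der() {            # pem_to_der cert.pem cert.crt
    openssl x509 -inform PEM -outform DER -in "$1" -out "$2"
}

# Import as a trusted cert. -noprompt skips the interactive "Trust this?".
import_cert() {           # import_cert cert.crt alias keystore [storepass]
    keytool -import -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$3" -storepass "${4:-changeit}"
}

main() {                  # main host [port] [keystore] [storepass]
    host=$1; port=${2:-443}; ks=${3:-}; pass=${4:-changeit}
    pem="$host.pem"; der="$host.crt"
    fetch_cert "$host" "$port" > "$pem"
    if cert_matches_host "$pem" "$host"; then
        echo "certificate names cover $host"
    else
        echo "WARNING: certificate names do not cover $host (CN=$(cert_cn "$pem"))"
        echo "connect using a name the certificate carries, or expect a verify error"
    fi
    pem_to_der "$pem" "$der"
    if [ -n "$ks" ]; then
        import_cert "$der" "$host" "$ks" "$pass"   # then restart ColdFusion
    fi
}

# Run only when a host is given, so the functions can be sourced and reused.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh cf-cert-check.sh remote.host.name 443 /path/to/jre/lib/security/cacerts` on the ColdFusion machine; the name check runs before anything is imported, so a mismatch is reported while you can still choose the right host name instead of a hosts-file workaround.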
References used in making this guide: http://www.madboa.com/geek/openssl/
November 14th, 2007 at 11:59 AM
Thanks mate.
February 14th, 2008 at 08:14 PM
Thank you! You saved me at least a couple hours of research.