np. i was just the messenger. a bunch of people on the CF team
contributed all of the info.

mike chambers

[EMAIL PROTECTED]

> -----Original Message-----
> From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, December 11, 2002 4:54 PM
> To: CF-Talk
> Subject: RE: MACROMEDIA PEOPLE....RE: instant SSL HELP!!!!!
> 
> 
> Thanks Mike - that's one for the archive.  No doubt we may run into it
> again.
> 
> -Mark
> 
> -----Original Message-----
> From: Stacy Young [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 11, 2002 1:43 PM
> To: CF-Talk
> Subject: RE: MACROMEDIA PEOPLE....RE: instant SSL HELP!!!!!
> 
> 
> Helpful tip Mike, thanks!  (Explains why it wasn't working on 
> CF5 either...)
> 
> -Stace
> 
> -----Original Message-----
> From: Mike Chambers [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 11, 2002 1:32 PM
> To: CF-Talk
> Subject: RE: MACROMEDIA PEOPLE....RE: instant SSL HELP!!!!!
> 
> i asked about your problem internally and below is some info that should
> help resolve your issues:
> 
> --
> Looks to me like this Instant SSL company is new on the SSL scene and
> their certificate signing authority is not trusted by default by the Sun
> 1.3.1 JVM.
> 
> If you run this command, you can see which signers the JVM trusts:
> 
> C:\CFusionMX\runtime\jre\bin\keytool -list -storepass changeit -noprompt -keystore C:\CFusionMX\runtime\jre\lib\security\cacerts
> 
> Keystore type: jks
> Keystore provider: SUN
> 
> Your keystore contains 11 entries:
> 
> thawtepersonalfreemailca, Fri Feb 12 15:12:16 EST 1999, trustedCertEntry,
> Certificate fingerprint (MD5):
> 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
> thawtepersonalbasicca, Fri Feb 12 15:11:01 EST 1999, trustedCertEntry,
> Certificate fingerprint (MD5):
> E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
> verisignclass3ca, Mon Jun 29 13:05:51 EDT 1998, trustedCertEntry,
> Certificate fingerprint (MD5):
> 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
> thawtepersonalpremiumca, Fri Feb 12 15:13:21 EST 1999, trustedCertEntry,
> Certificate fingerprint (MD5):
> 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
> thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,
> Certificate fingerprint (MD5):
> C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
> verisignclass4ca, Mon Jun 29 13:06:57 EDT 1998, trustedCertEntry,
> Certificate fingerprint (MD5):
> 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
> verisignclass1ca, Mon Jun 29 13:06:17 EDT 1998, trustedCertEntry,
> Certificate fingerprint (MD5):
> 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
> verisignserverca, Mon Jun 29 13:07:34 EDT 1998, trustedCertEntry,
> Certificate fingerprint (MD5):
> 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
> thawtepremiumserverca, Fri Feb 12 15:15:26 EST 1999, trustedCertEntry,
> Certificate fingerprint (MD5):
> 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
> verisignclass2ca, Mon Jun 29 13:06:39 EDT 1998, trustedCertEntry,
> Certificate fingerprint (MD5):
> EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
> ldap, Fri Oct 11 08:50:17 EDT 2002, trustedCertEntry,
> Certificate fingerprint (MD5):
> 8F:0B:5B:26:7D:17:0E:AC:B2:56:A8:5C:96:52:37:4F
> 
> As you can see, Thawte and Verisign are there, but no Instant SSL. I
> also have an additional entry in mine, ldap, that is the certificate for
> our test lab SSL signing authority (so we can test CFMX connecting to
> SSL and generate our own certificates for our web and ldap servers
> without paying).
> 
> So in order for him to get it to work, it should be as simple as
> importing the certificate for Instant SSL into the keystore using the
> keytool utility.
> 
> If the certificate for Instant SSL is provided in a text file, i.e.
> c:\instantssl.cer, the command would look like this:
> C:\CFusionMX\runtime\jre\bin\keytool -import -keystore C:\CFusionMX\runtime\jre\lib\security\cacerts -alias instantssl -storepass changeit -noprompt -trustcacerts -file c:\instantssl.cer
> 
> CFMX needs to be restarted afterwards.
> 
> Here are the docs on keytool:
> http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
> --
> 
> 
> --
> Thanks to Trevor Baker for vetting my response. Just to clarify... The
> certificate that needs to be installed in the JVM is the root CA
> certificate for Instant SSL, not for the site he's trying to access.
> According to Instant SSL, they use the GTE CyberTrust Root CA and Comodo
> Class 3 Security Services CA to sign certificates, so, to be safe the
> customer would want to install both certificates (not sure which one the
> site's cert was signed by).  Instant SSL offers these two certificates
> for download on their sites as .crt files:
> http://www.instantssl.com/support/cert_installation/index.html
> --
> 
> --
> Yes - although we have found that putting the server cert into cacerts
> instead of the CA certificate will also work.  It's not the right way to
> do it, but in a pinch it gets you up and running.
> --
> 
> --
> Extracting Certificates from IE5 and installing them into CFMX
> 
> In Internet Explorer:
> 
> [Tools] [Internet Options] [Content tab]  [Certificates] [Trusted Root
> Certification Authorities tab] [Advanced]
> 
>         set [Export Format]  to DER encoded binary X.509 (*.cer)
> 
> The "Purposes" list should have everything except "Client
> Authentication" and "Secure Email" checked.
> 
> click [OK]
> 
> highlight the Certificates you want (...or all of the certificates if
> you want them all...)
> 
>     drag&drop the highlighted certificates onto
> C:\CFusionMX\runtime\jre\lib\security\ in a separate Windows Explorer window
> 
> This should create .cer files for the certificates you selected.  If you
> selected all the certificates, there will be more than 100 .cer files.
> 
> Use the following command in a DOS window to install the certificates
> into the cacerts file. The current directory should be
> C:\CFusionMX\runtime\jre\lib\security\.
> This command should be entered as one long line:
> 
>     for %a in (*.cer) DO  C:\CFusionMX\runtime\jre\bin\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias "%~na" -file "%a"
> 
> Delete the .cer files which are no longer needed:
> 
>       del *.cer
> 
> Restart CFMX
> 
> 
> 
> 
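A way to confirm what an import actually changed in cacerts, as an added example that is not part of the original thread: it parses `keytool -list` output captured before and after the import, in the format quoted above, and reports every trust-anchor change other than the alias the operator meant to add. The listings, the `exampleroot` aliases and all fingerprints are constructed, and the function names are chosen here.

```python
import re

# One `keytool -list` entry: "alias, date, type," then the fingerprint line.
# \s* between fields tolerates e-mail or terminal line wraps.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+),\s*[^,\n]+,\s*(?P<type>\w+),\s*"
    r"Certificate fingerprint \([\w-]+\):\s*"
    r"(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)", re.MULTILINE)
COUNT_RE = re.compile(r"Your keystore contains (\d+) entr")

def parse_keytool_list(text):
    """Return {alias: (entry_type, fingerprint)} from `keytool -list` output."""
    entries = {m["alias"].strip().lower(): (m["type"], m["fp"].upper())
               for m in ENTRY_RE.finditer(text)}
    declared = COUNT_RE.search(text)
    # Refuse to report on a listing that was only partly understood.
    if declared and int(declared.group(1)) != len(entries):
        raise ValueError(f"parsed {len(entries)}, keytool reported {declared.group(1)}")
    return entries

def audit(before_text, after_text, expected_added):
    """Diff two listings; return (diff, findings), where findings are changes
    other than the aliases the operator meant to add."""
    before, after = parse_keytool_list(before_text), parse_keytool_list(after_text)
    diff = {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(a for a in set(before) & set(after) if before[a] != after[a]),
    }
    findings = [a for a in diff["added"] if a not in expected_added]
    return diff, findings + diff["removed"] + diff["changed"]

# Constructed listings: aliases and fingerprints are made up for illustration.
BEFORE = """Keystore type: jks

Your keystore contains 2 entries:

exampleroot1, Mon Jun 29 13:05:51 EDT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
exampleroot2, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""
AFTER = BEFORE.replace("2 entries", "3 entries") + (
    "instantssl, Wed Dec 11 13:40:00 EST 2002,\ntrustedCertEntry,\n"
    "Certificate fingerprint (MD5):\n0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9\n")

if __name__ == "__main__":
    print(audit(BEFORE, AFTER, {"instantssl"}))
```

An empty findings list means the store changed only by the expected alias; the bulk import of every exported root would instead show each added alias as a finding to review.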