Mike! Thank you, I'll try and work with this....
..tony

Tony Weeg
Senior Web Developer
UnCertified Advanced ColdFusion Developer
Information System Design
Navtrak, Inc.
Mobile workforce monitoring, mapping & reporting
www.navtrak.net
410.548.2337

-----Original Message-----
From: Mike Chambers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 1:32 PM
To: CF-Talk
Subject: RE: MACROMEDIA PEOPLE....RE: instant SSL HELP!!!!!

I asked about your problem internally and below is some info that should help resolve your issues:

--

Looks to me like this Instant SSL company is new on the SSL scene and their certificate signing authority is not trusted by default by the Sun 1.3.1 JVM. If you run this command, you can see which signers the JVM trusts:

    C:\CFusionMX\runtime\jre\bin\keytool -list -storepass changeit -noprompt -keystore C:\CFusionMX\runtime\jre\lib\security\cacerts

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 11 entries:

    thawtepersonalfreemailca, Fri Feb 12 15:12:16 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
    thawtepersonalbasicca, Fri Feb 12 15:11:01 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
    verisignclass3ca, Mon Jun 29 13:05:51 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
    thawtepersonalpremiumca, Fri Feb 12 15:13:21 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
    thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
    verisignclass4ca, Mon Jun 29 13:06:57 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
    verisignclass1ca, Mon Jun 29 13:06:17 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
    verisignserverca, Mon Jun 29 13:07:34 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
    thawtepremiumserverca, Fri Feb 12 15:15:26 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
    verisignclass2ca, Mon Jun 29 13:06:39 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
    ldap, Fri Oct 11 08:50:17 EDT 2002, trustedCertEntry,
    Certificate fingerprint (MD5): 8F:0B:5B:26:7D:17:0E:AC:B2:56:A8:5C:96:52:37:4F

As you can see, Thawte and Verisign are there, but no Instant SSL. I also have an additional entry in mine, ldap, that is the certificate for our test lab SSL signing authority (so we can test CFMX connecting to SSL and generate our own certificates for our web and ldap servers without paying).

So in order for him to get it to work, it should be as simple as importing the certificate for Instant SSL into the keystore using the keytool utility. If the certificate for Instant SSL is provided in a text file, i.e. c:\instantssl.cer, the command would look like this:

    C:\CFusionMX\runtime\jre\bin\keytool -import -keystore C:\CFusionMX\runtime\jre\lib\security\cacerts -alias instantssl -storepass changeit -noprompt -trustcacerts -file c:\instantssl.cer

CFMX needs to be restarted afterwards.

Here are the docs on keytool:
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

--

--

Thanks to Trevor Baker for vetting my response. Just to clarify... The certificate that needs to be installed in the JVM is the root CA certificate for Instant SSL, not for the site he's trying to access.

According to Instant SSL, they use the GTE CyberTrust Root CA and Comodo Class 3 Security Services CA to sign certificates, so, to be safe the customer would want to install both certificates (not sure which one the site's cert was signed by).
Instant SSL offers these two certificates for download on their sites as .crt files:
http://www.instantssl.com/support/cert_installation/index.html

--

--

Yes - although we have found that putting the server cert into cacerts instead of the CA certificate will also work. It's not the right way to do it, but in a pinch it gets you up and running.

--

--

Extracting Certificates from IE5 and installing them into CFMX

In Internet Explorer:

    [Tools]
    [Internet Options]
    [Content tab]
    [Certificates]
    [Trusted Root Certification Authorities tab]
    [Advanced]
    set [Export Format] to DER encoded binary X.509 (*.cer)
    The "Purposes" list should have everything except "Client Authentication" and "Secure Email" checked.
    click [OK]
    highlight the Certificates you want (...or all of the certificates if you want them all...)
    drag&drop the highlighted certificates onto C:\CFusionMX\runtime\jre\lib\security\ in a separate Windows Explorer window

This should create .cer files for the certificates you selected. If you selected all the certificates, there will be more than 100 .cer files.

Use the following command in a DOS window to install the certificates into the cacerts file. The current directory should be C:\CFusionMX\runtime\jre\lib\security\. This command should be entered as one long line:

    for %a in (*.cer) DO C:\CFusionMX\runtime\jre\bin\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias "%~na" -file "%a"

Delete the .cer files which are no longer needed:

    del *.cer

Restart CFMX
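Added example, not part of the original thread: a Python sketch that parses `keytool -list` output in the format quoted above and reports which trust anchors an import added or replaced, so a `-noprompt` import (single or bulk) can be reviewed against fingerprints verified out of band. The function names are hypothetical, and the `instantssl` and `unknownroot` entries and the approved fingerprint are constructed sample values.

```python
import re

# One entry of `keytool -list` in the format quoted in the thread:
#   alias, <date>, trustedCertEntry, Certificate fingerprint (MD5): AA:BB:...
ENTRY = re.compile(
    r"([^\s,]+), ([^,]+), (\w+Entry), "
    r"Certificate fingerprint \(([\w-]+)\): ((?:[0-9A-F]{2}:)+[0-9A-F]{2})"
)

def parse_keytool_list(text):
    """Map alias -> (entry type, digest algorithm, fingerprint)."""
    flat = " ".join(text.split())  # each entry is wrapped over two lines
    return {m[0]: (m[2], m[3], m[4]) for m in ENTRY.findall(flat)}

def audit_import(before, after, approved):
    """Diff two listings; `approved` = fingerprints verified out of band."""
    old, new = parse_keytool_list(before), parse_keytool_list(after)
    added = [a for a in new if a not in old]
    replaced = [a for a in new if a in old and new[a][2] != old[a][2]]
    return {
        "added": sorted(added),
        "removed": sorted(a for a in old if a not in new),
        "replaced": sorted(replaced),
        "unapproved": sorted(a for a in added + replaced
                             if new[a][2] not in approved),
    }

# Listing before the import: two entries copied from the thread's output.
BEFORE = """Keystore type: jks
Keystore provider: SUN

thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
ldap, Fri Oct 11 08:50:17 EDT 2002, trustedCertEntry,
Certificate fingerprint (MD5): 8F:0B:5B:26:7D:17:0E:AC:B2:56:A8:5C:96:52:37:4F
"""
# Listing after the import: both added entries are constructed sample data.
AFTER = BEFORE + """instantssl, Wed Dec 11 14:00:00 EST 2002, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
unknownroot, Wed Dec 11 14:00:05 EST 2002, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""
# Constructed placeholder for the fingerprint the CA publishes.
APPROVED = {"00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"}

if __name__ == "__main__":
    for key, aliases in audit_import(BEFORE, AFTER, APPROVED).items():
        print(f"{key}: {', '.join(aliases) or '-'}")
```

Capture the `-list` output before and after the import and feed both to `audit_import`; any alias reported as unapproved is a trust anchor whose fingerprint was never checked.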