Jeff, before I proceed, let me note that the basics haven’t changed (running 
the keytool to put a cert into cacerts), so even an old article should suffice.

That said, one thing such old articles generally don’t take into account, 
though (and this makes folks think the instructions must not be right), is that 
it’s become common for folks to change the JVM which CF uses (by pointing CF to 
a new JVM, in the CF Admin “Java & JVM” page or via editing the java.home in the 
jvm.config file). 

Well, if you do change CF to use a JVM in a different location, then you MUST 
change those instructions to point to the cacerts within THAT NEW JVM location, 
not the one inside of CF.

And another problem is simply to make sure that you are giving the keytool the 
correct path to update the cacerts, wherever it is, and to make sure it’s been 
updated. Besides checking the date before and after the update, there is a form 
of the keytool command to list the certs in it as another way to confirm 
success. 

Still another problem is that some may find they need to run their command line 
“as administrator” before doing the keytool command, to make sure they do have 
privileges to edit that keytool file, even if the right one and with the right 
path. :-) I do believe that if you don’t have privileges, it just fails 
silently (you don’t know it didn’t update unless you check, as above).

Let us know if that helps. And I’ll add, FWIW, that I did a substantial blog 
post on recovering from problems trying to change your JVM, which may benefit some 
seeing this and could help if you needed to understand more about what I say 
above: 
http://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start
I’ve not yet myself done a post on this issue of importing certs (since again 
the basics had not changed), though I’ve thought about it.

That said, here are some more recent blog posts about the topic:

http://www.electrictraindesigns.com/?p=41
http://www.bryansgeekspeak.com/2014/12/coldfusion-11-java-keytool-import-cert.html


I’m sure there are others that some could share, even if just a few years old 
(like 
http://rameshsabeti.blogspot.com/2010/07/coldfusion-failing-https-requests-to.html
 ).

Hope that’s helpful.

/charlie



From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Jeff Howard
Sent: Wednesday, March 18, 2015 12:12 AM
To: discussion@acfug.org
Subject: [ACFUG Discuss] trying to add SSL to an old MX server

 

Any ideas on where to look? I'm finding more recent instructions for CF 9 and on.

 

Client updated their SSL last week and it broke a web service.

 

Thanks,

Jeff
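
Added example, not part of the thread and not from any of the linked posts: a POSIX shell sketch of the procedure the reply describes, which reads java.home from jvm.config, targets the cacerts inside that JVM, imports the cert and lists it to confirm. The function names, the backup step, the lib/security/cacerts layout under java.home and the default store password "changeit" are assumptions; on Windows this would be run from an elevated Git Bash or Cygwin prompt.

```shell
#!/bin/sh
# Added example: update the trust store of the JVM that ColdFusion is
# actually configured to use, not a cacerts file in some other JVM.

# Print the java.home value from a jvm.config file, normalised to forward
# slashes (jvm.config writes Windows backslashes escaped as "\\").
java_home_from_jvm_config() {
    sed -n 's/^java\.home=//p' "$1" | head -n 1 | tr -d '\r' |
        sed -e 's|\\\\|/|g' -e 's|\\|/|g' -e 's|/*$||'
}

# Print the trust store path inside that JVM.
# Assumption: java.home points at a JRE-style directory with lib/security.
cacerts_path() {
    home=$(java_home_from_jvm_config "$1")
    [ -n "$home" ] || { echo "no java.home in $1" >&2; return 1; }
    printf '%s/lib/security/cacerts\n' "$home"
}

# Import CERT under ALIAS, then list that alias to prove the store changed.
# usage: import_and_verify JVM_CONFIG CERT_FILE ALIAS
import_and_verify() {
    store=$(cacerts_path "$1") || return 1
    # Use the keytool that ships with the same JVM as the store.
    keytool="$(java_home_from_jvm_config "$1")/bin/keytool"
    [ -w "$store" ] || {
        echo "cannot write $store (elevated shell needed?)" >&2
        return 1
    }
    cp -p "$store" "$store.bak" || return 1   # keep a copy to roll back to
    # "-import" is the older spelling of "-importcert"; old JVMs only know it.
    # "changeit" is the stock cacerts password (assumed unchanged here).
    "$keytool" -import -trustcacerts -noprompt -alias "$3" -file "$2" \
        -keystore "$store" -storepass changeit || return 1
    # Exits non-zero if the alias is not in the store after the import.
    "$keytool" -list -alias "$3" -keystore "$store" -storepass changeit
}
```

ColdFusion has to be restarted before the JVM picks up the changed trust store.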
